automatic rtbh trigger using flow data
Lotia, Pratik M
Pratik.Lotia at charter.com
Fri Aug 31 18:20:05 UTC 2018
>many operators doing this have concentrated on common
>port-pairs observed in UDP reflection/amplification attacks.
Yes, because that's a great starting point.
> And when we're using techniques like
>QoSing down certain ports/protocols, we must err on the side of caution,
Arbor report mentions volumetric attacks using DNS, NTP form 75+% of the attacks. Then QoSing certain ports and protocols is the best way to start with.
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Roland Dobbins
Sent: Friday, August 31, 2018 11:13 AM
To: NANOG list
Subject: Re: automatic rtbh trigger using flow data
On 31 Aug 2018, at 23:53, Lotia, Pratik M wrote:
> Instead of rtbh I would suggest blocking/rate limiting common ports
> used in DDoS attacks.
This isn't an 'instead of', it's an 'in addition to'. And it must be
done judiciously; many operators doing this have concentrated on common
port-pairs observed in UDP reflection/amplification attacks.
It's important to understand that any kind of packet of any
protocol/ports (if such concepts apply on the protocol in question) can
be used to launch DDoS attacks.
We've many tools in the toolbox, and should use them in a
situationally-appropriate manner. And when we're using techniques like
QoSing down certain ports/protocols, we must err on the side of caution,
lest we cause larger problems than the attacks themselves.
Roland Dobbins <rdobbins at arbor.net>
E-MAIL CONFIDENTIALITY NOTICE:
The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
More information about the NANOG