[133520] in North American Network Operators' Group
RE: Over a decade of DDOS--any progress yet?
daemon@ATHENA.MIT.EDU (Drew Weaver)
Fri Dec 10 15:32:29 2010
From: Drew Weaver <drew.weaver@thenap.com>
To: 'Michael Costello' <mc3401@columbia.edu>, "nanog@nanog.org"
<nanog@nanog.org>
Date: Fri, 10 Dec 2010 15:32:10 -0500
In-Reply-To: <20101208115846.4b43ff25@mead.decaying.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I should've "qualified" my question by saying "What valid application which
traverses the Internet and could be seen at the edge of a network actually
uses UDP 80?"
I can't imagine there is too much Cisco NAC client for macs carrying on
over the Internet, although I have been wrong in the past.
-Drew
-----Original Message-----
From: Michael Costello [mailto:mc3401@columbia.edu]
Sent: Wednesday, December 08, 2010 11:59 AM
To: nanog@nanog.org
Subject: Re: Over a decade of DDOS--any progress yet?
On Wed, 8 Dec 2010 11:13:01 -0500
Drew Weaver <drew.weaver@thenap.com> wrote:
> The most common attacks that I have seen over the last 12 months, and
> let's say I have seen a fair share have been easily detectable by the
> source network.
>
> It is either protocol 17 (UDP) dst port 80 or UDP Fragments (dst port
> 0..)
>
> What valid application actually uses UDP 80?
The Cisco NAC client for Macs, for the purpose of "VLAN change
detection", sends UDP/80 packets to the host's reversed default
gateway (i.e., if the actual gateway is 1.2.3.4, it sends the packets
to 4.3.2.1) once every five seconds.
mc
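
Added example, not part of either message: a source-network check for the two patterns named in the thread (UDP to destination port 80, and UDP fragments) that sets aside the Cisco NAC probe described above (UDP/80 to the octet-reversed default gateway, about one packet every five seconds). The flow-record field names, the gateway list and the sample records are assumptions constructed for illustration.

```python
from collections import Counter

UDP = 17
NAC_INTERVAL_S = 5  # thread: one UDP/80 packet every five seconds

def reversed_gateway(gw):
    """Octet-reverse an IPv4 address: 1.2.3.4 -> 4.3.2.1."""
    return ".".join(reversed(gw.split(".")))

def classify(flow, gateways):
    """Label one flow record seen leaving the source network.
    Field names (proto, dport, fragment, ...) are hypothetical."""
    if flow["proto"] != UDP:
        return "ignore"
    if flow["fragment"]:
        return "udp-fragment"  # the thread's "dst port 0" case
    if flow["dport"] != 80:
        return "ignore"
    # Benign case from the thread: slow probes to the reversed default gateway.
    budget = flow["seconds"] // NAC_INTERVAL_S + 1
    nac_targets = {reversed_gateway(g) for g in gateways}
    if flow["dst"] in nac_targets and flow["packets"] <= budget:
        return "nac-probe"
    return "udp-80"

def suspect_sources(flows, gateways):
    """Count flagged packets per internal source address."""
    hits = Counter()
    for f in flows:
        if classify(f, gateways) in ("udp-80", "udp-fragment"):
            hits[f["src"]] += f["packets"]
    return hits

# Constructed sample records (documentation address ranges), 60-second window.
GATEWAYS = ["192.0.2.1"]
FLOWS = [
    {"src": "192.0.2.10", "dst": "1.2.0.192", "proto": 17, "dport": 80, "fragment": False, "packets": 12, "seconds": 60},
    {"src": "192.0.2.20", "dst": "203.0.113.5", "proto": 17, "dport": 80, "fragment": False, "packets": 90000, "seconds": 60},
    {"src": "192.0.2.20", "dst": "203.0.113.5", "proto": 17, "dport": 0, "fragment": True, "packets": 45000, "seconds": 60},
    {"src": "192.0.2.30", "dst": "198.51.100.7", "proto": 6, "dport": 80, "fragment": False, "packets": 40, "seconds": 60},
    {"src": "192.0.2.40", "dst": "1.2.0.192", "proto": 17, "dport": 80, "fragment": False, "packets": 5000, "seconds": 60},
]

if __name__ == "__main__":
    for src, pkts in suspect_sources(FLOWS, GATEWAYS).most_common():
        print(src, pkts)
```

The last sample record shows why the rate check matters: traffic aimed at the reversed-gateway address is still flagged once it exceeds the five-second probe cadence.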