[144225] in North American Network Operators' Group


Re: DDoS - CoD?

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Tue Sep 6 04:01:24 2011

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: North American Network Operators' Group <nanog@nanog.org>
Date: Tue, 6 Sep 2011 08:00:45 +0000
In-Reply-To: <4E65D182.8010008@blackhat.bz>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sep 6, 2011, at 2:53 PM, BH wrote:

> Has anyone seen similar traffic before? I

I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often don't know a lot about TCP/IP, and if something happens to work once, they incorporate it into their attack tool defaults and keep using it over and over.

In several recent high-profile DDoS attacks, UDP/80 traffic ended up causing state exhaustion on load-balancers, as the victim sites weren't following the BCP of enforcing network access policies via stateless ACLs in hardware-based routers/layer-3 switches, and the load-balancers kept trying to load-balance this traffic from multiple purported source IPs/source ports.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde
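As an added illustration of the state-exhaustion point above (example code, not part of the post or of any vendor tool): the script below reads constructed NetFlow-style records, groups traffic whose protocol/port the site does not actually serve (such as UDP/80 at a TCP-only web front end) by the number of distinct source IP/port tuples each would cost a stateful device, and emits the matching stateless deny lines for a hardware ACL. The flow format, the OFFERED service table and the Cisco-style ACL syntax are assumptions for this example.

```python
from collections import defaultdict

# Constructed flow records (not real data), one per line:
# proto src_ip:src_port -> dst_ip:dst_port packets
SAMPLE_FLOWS = """\
udp 198.51.100.7:53021 -> 203.0.113.10:80 40
udp 198.51.100.9:40011 -> 203.0.113.10:80 38
udp 198.51.100.12:61000 -> 203.0.113.10:80 41
udp 198.51.100.12:61001 -> 203.0.113.10:80 39
tcp 192.0.2.5:51000 -> 203.0.113.10:80 12
tcp 192.0.2.6:51002 -> 203.0.113.10:443 9
udp 192.0.2.7:53 -> 203.0.113.20:53 3
"""

# (proto, port) pairs the site really serves; assumption for this example.
OFFERED = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def parse_flows(text):
    """Parse the constructed record format into tuples."""
    flows = []
    for line in text.splitlines():
        proto, src, _arrow, dst, pkts = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append((proto, sip, int(sport), dip, int(dport), int(pkts)))
    return flows


def unserved_flows(flows):
    """Group flows to (dst, proto, port) combinations the site does not serve.
    Every distinct source tuple here is a connection-table entry a stateful
    load-balancer would burn on traffic it can never answer."""
    per_dst = defaultdict(lambda: {"tuples": set(), "packets": 0})
    for proto, sip, sport, dip, dport, pkts in flows:
        if (proto, dport) in OFFERED:
            continue
        key = (dip, proto, dport)
        per_dst[key]["tuples"].add((sip, sport))
        per_dst[key]["packets"] += pkts
    return per_dst


def stateless_acl(per_dst, min_tuples=3):
    """Emit deny lines (Cisco-style syntax assumed) for unserved targets that
    show enough distinct sources to matter; intended for a stateless hardware ACL
    in front of the stateful devices."""
    rules = []
    for (dip, proto, dport), info in sorted(per_dst.items()):
        if len(info["tuples"]) >= min_tuples:
            rules.append(f"deny {proto} any host {dip} eq {dport}")
    return rules
```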


