[144226] in North American Network Operators' Group
RE: DDoS - CoD?
daemon@ATHENA.MIT.EDU (John van Oppen)
Tue Sep 6 04:02:56 2011
From: John van Oppen <jvanoppen@spectrumnet.us>
To: "Dobbins, Roland" <rdobbins@arbor.net>, North American Network Operators'
Group <nanog@nanog.org>
Date: Tue, 6 Sep 2011 08:01:54 +0000
In-Reply-To: <30DB1247-4534-4740-BE31-16CDFFDB6A2F@arbor.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I have seen many udp/80 floods as well... pretty common.

John van Oppen
Spectrum Networks / AS11404

________________________________________
From: Dobbins, Roland [rdobbins@arbor.net]
Sent: Tuesday, September 06, 2011 1:00 AM
To: North American Network Operators' Group
Subject: Re: DDoS - CoD?

On Sep 6, 2011, at 2:53 PM, BH wrote:

> Has anyone seen similar traffic before? I

I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often don't know a lot about TCP/IP, and if something happens to work once, they incorporate it into their attack tool defaults and keep using it over and over.

In several recent high-profile DDoS attacks, UDP/80 traffic ended up causing state exhaustion on load-balancers, as the victim sites weren't following the BCP of enforcing network access policies via stateless ACLs in hardware-based routers/layer-3 switches, and the load-balancers kept trying to load-balance this traffic from multiple purported source IPs/source ports.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

The basis of optimism is sheer terror.

-- Oscar Wilde
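
Added illustration, not part of the original thread: a toy Python model of the state-exhaustion effect described in the quoted reply, comparing a stateful load-balancer with and without a stateless ACL in front of it. The table size, permit list, addresses and traffic mix are assumptions constructed for the example, and the model ignores flow timeouts.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dport")

# Assumed policy for a web VIP: only TCP/80 and TCP/443 are legitimate.
ACL_PERMIT = {("tcp", 80), ("tcp", 443)}

def stateless_acl(pkt):
    """Per-packet permit/deny; keeps no memory of earlier packets."""
    return (pkt.proto, pkt.dport) in ACL_PERMIT

class LoadBalancer:
    """Toy stateful device: one table entry per (proto, src, sport, dport)."""
    def __init__(self, table_size):
        self.table_size = table_size
        self.flows = set()
        self.refused = 0  # packets turned away because the table was full

    def handle(self, pkt):
        key = tuple(pkt)
        if key in self.flows:
            return True
        if len(self.flows) >= self.table_size:
            self.refused += 1
            return False
        self.flows.add(key)
        return True

def constructed_traffic():
    """Constructed sample: spoofed-source UDP/80 flood, then 100 TCP/80 clients."""
    flood = [Packet("udp", f"10.{i // 250}.{i % 250}.7", 1024 + i, 80)
             for i in range(5000)]
    users = [Packet("tcp", f"198.51.100.{i}", 40000 + i, 80)
             for i in range(1, 101)]
    return flood + users

def run(use_acl, table_size=1000):
    """Return (legitimate packets served, table entries used, refused)."""
    lb = LoadBalancer(table_size)
    served = 0
    for pkt in constructed_traffic():
        if use_acl and not stateless_acl(pkt):
            continue  # dropped upstream; never reaches the stateful device
        if lb.handle(pkt) and pkt.proto == "tcp":
            served += 1
    return served, len(lb.flows), lb.refused

if __name__ == "__main__":
    print("no ACL:", run(use_acl=False), "ACL:", run(use_acl=True))
```

Without the ACL, every UDP/80 packet with a new purported source creates a table entry until the table is full, and the legitimate TCP clients that follow are refused; with the ACL, the flood never reaches the table.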