[149548] in North American Network Operators' Group
Re: UDP port 80 DDoS attack
daemon@ATHENA.MIT.EDU (bas)
Wed Feb 8 02:57:25 2012
In-Reply-To: <B8DFDDB0-CDDE-403E-A782-CCBECE248FB0@arbor.net>
Date: Wed, 8 Feb 2012 08:56:25 +0100
From: bas <kilobit@gmail.com>
To: "Dobbins, Roland" <rdobbins@arbor.net>, nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Roland,
On Mon, Feb 6, 2012 at 2:43 AM, Dobbins, Roland <rdobbins@arbor.net> wrote:
>
> S/RTBH can be rapidly shifted in order to deal with changing purported source IPs, and it isn't limited to /32s.
The big drawback with S/RTBH is that it is a DoS method in itself.
Say eyeball provider X has implemented automated S/RTBH, and I have a
grudge against them.
I would simply DoS a couple of the subscribers with spoofed source IP
addresses from google, youtube, netflow and hulu.
The automated S/RTBH drops all packets coming from those IP addresses.
Presto; many angry consumers call the ISP's helpdesk.
The same goes for hosting networks, I just need to identify what kind
of service my intended victim is dependent on. (i.e. paypal).
Then DoS any part of the hosters network with spoofed source addresses
of paypal, the automated S/RTBH makes sure the entire hosting network
is not able to reach paypal anymore.
Presto, mission achieved.
Bas
