[149554] in North American Network Operators' Group


Re: UDP port 80 DDoS attack

daemon@ATHENA.MIT.EDU (Keegan Holley)
Wed Feb 8 04:13:53 2012

In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09CBC01E@RWC-MBX1.corp.seven.com>
From: Keegan Holley <keegan.holley@sungard.com>
Date: Wed, 8 Feb 2012 04:12:21 -0500
To: George Bonser <gbonser@seven.com>
Cc: nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

It works in theory, but to get every ISP and hosting provider to ACL their
edges and maintain those ACLs for every customer no matter how large might
be a bit difficult.  Also, what about non-BGP customers or customers that
just accept a default route? Or even customers that just want return
traffic to come in a different link for some reason.  ISPs would suddenly
become giant traffic registries.

2012/2/8 George Bonser <gbonser@seven.com>

> > From: Keegan Holley
> >
> > How do you stop it?
>
> A provider knows what destination IP traffic they route TO a customer,
> don't they?  That should be the only source IPs they accept FROM a customer.
>
> If you don't route it TO the customer, you shouldn't accept it FROM the
> customer unless you have made special arrangements with them and verified
> they are entitled to source the traffic from the desired IPs.
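The rule George describes (accept from a customer only the source addresses you route to that customer, plus any verified exceptions) is what an ingress anti-spoofing filter on a customer edge does. The script below is an added illustration written for this archive page, not code from either poster or from any vendor; the prefixes, the "special arrangement" exception and the sample packets are all constructed, and the function names are my own. It builds the permit list from the routed prefixes, then classifies a handful of sample packets so you can see which sources a strict filter would drop, including the multihomed/asymmetric-return case Keegan raises, which only passes because it was added as an explicit exception.

```python
import ipaddress

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges).
# Prefixes the provider routes TO this customer port.
ROUTED_TO_CUSTOMER = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48"]
# Prefixes the customer may source by verified special arrangement,
# e.g. space announced via another provider with asymmetric return traffic.
VERIFIED_EXCEPTIONS = ["203.0.113.64/26"]


def build_ingress_acl(routed, exceptions=()):
    """Permit list: everything routed to the customer plus verified exceptions."""
    return [ipaddress.ip_network(p, strict=True) for p in (*routed, *exceptions)]


def source_permitted(acl, src):
    """True if the packet's source falls inside any permitted prefix.

    IPv4 addresses never match IPv6 prefixes and vice versa; ipaddress
    handles that mismatch by returning False, so mixed ACLs are safe.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in acl)


def filter_packets(acl, packets):
    """Split packets into (accepted, dropped) the way an edge ACL would."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if source_permitted(acl, pkt["src"]) else dropped).append(pkt)
    return accepted, dropped


def drop_summary(dropped):
    """Count drops per source; a sudden spike here is what an operator would alert on."""
    counts = {}
    for pkt in dropped:
        counts[pkt["src"]] = counts.get(pkt["src"], 0) + 1
    return counts


# Constructed packets arriving FROM the customer port, all aimed at UDP/80.
SAMPLE_PACKETS = [
    {"src": "192.0.2.10",        "dst": "203.0.113.9", "proto": "udp", "dport": 80},  # inside routed /24
    {"src": "198.51.100.50",     "dst": "203.0.113.9", "proto": "udp", "dport": 80},  # inside routed /25
    {"src": "198.51.100.200",    "dst": "203.0.113.9", "proto": "udp", "dport": 80},  # same /24, outside /25
    {"src": "10.0.0.5",          "dst": "203.0.113.9", "proto": "udp", "dport": 80},  # private, never routed
    {"src": "203.0.113.70",      "dst": "203.0.113.9", "proto": "udp", "dport": 80},  # verified exception
    {"src": "2001:db8:1::42",    "dst": "2001:db8:9::1", "proto": "udp", "dport": 80},  # routed v6 /48
    {"src": "2001:db8:ffff::1",  "dst": "2001:db8:9::1", "proto": "udp", "dport": 80},  # v6 not routed here
]


def run_demo():
    """Apply the strict filter to the sample packets and return the result."""
    acl = build_ingress_acl(ROUTED_TO_CUSTOMER, VERIFIED_EXCEPTIONS)
    accepted, dropped = filter_packets(acl, SAMPLE_PACKETS)
    return accepted, dropped, drop_summary(dropped)


if __name__ == "__main__":
    acc, drp, summary = run_demo()
    print(f"accepted {len(acc)}, dropped {len(drp)}")
    for src, n in summary.items():
        print(f"  dropped {n} packet(s) sourced from {src}")
```

The 198.51.100.200 case is the one worth noticing: it is in the same /24 as a routed block but outside the /25 actually routed to the port, so a filter built from the routing table drops it. That precision is exactly why the ACL has to track every routing change for every customer, which is the maintenance burden Keegan is pointing at.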
