[149573] in North American Network Operators' Group
RE: UDP port 80 DDoS attack
daemon@ATHENA.MIT.EDU (George Bonser)
Wed Feb 8 13:27:37 2012
From: George Bonser <gbonser@seven.com>
To: bas <kilobit@gmail.com>, nanog <nanog@nanog.org>
Date: Wed, 8 Feb 2012 18:26:42 +0000
In-Reply-To: <CAEs2ZiKXF+XuGhqwfxcGSM=x0SP7y7W5O2pFhhxx9tXULcfjig@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> 77% of all networks seem to think so.
> http://spoofer.csail.mit.edu/summary.php
And it would be the remaining 23% that really need to understand how difficult they are making life for the rest of the Internet.
> However the remaining networks allow spoofed traffic to egress their
> networks.
>
> When that traffic enters my network, I have no method whatsoever to
> differentiate it from any other traffic.
I'm not really thinking about traffic coming from the Internet. I'm thinking about its originating location. Correct, once it gets into the Internet, you really have no way to tell.
> I could ask my upstream where they see it coming from, which will be
> quite hard if they do not have pretty fancy systems.
At that point the game is really hard, agreed. And if it is distributed, it could be coming from any number of places or from every single one of their upstreams.
> But if they receive it from a peer, I am as good as lost in trying to
> find the culprit.
Agreed. That's why it is important to stop it at the source.
> Bas