[149577] in North American Network Operators' Group
RE: UDP port 80 DDoS attack
daemon@ATHENA.MIT.EDU (Drew Weaver)
Wed Feb 8 14:24:17 2012
From: Drew Weaver <drew.weaver@thenap.com>
To: 'George Bonser' <gbonser@seven.com>, bas <kilobit@gmail.com>, nanog
<nanog@nanog.org>
Date: Wed, 8 Feb 2012 14:23:27 -0500
In-Reply-To: <596B74B410EE6B4CA8A30C3AF1A155EA09CBE3C9@RWC-MBX1.corp.seven.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Stop paying transit providers for delivering spoofed packets to the edge of your network and they will very quickly develop methods of proving that the traffic isn't spoofed, or block it altogether. =)
-Drew
-----Original Message-----
From: George Bonser [mailto:gbonser@seven.com]
Sent: Wednesday, February 08, 2012 1:27 PM
To: bas; nanog
Subject: RE: UDP port 80 DDoS attack
> 77% of all networks seem to think so.
> http://spoofer.csail.mit.edu/summary.php
And it would be the remaining 23% that really need to understand how difficult they are making life for the rest of the Internet.
> However the remaining networks allow spoofed traffic to egress their
> networks.
>
> When that traffic enters my network, I have no method whatsoever to
> differentiate it from any other traffic.
I'm not really thinking about traffic coming from the Internet. I'm thinking about its originating location. Correct, once it gets into the Internet, you really have no way to tell.
> I could ask my upstream where they see it coming from, which will be
> quite hard if they do not have pretty fancy systems.
At that point the game is really hard, agreed. And if it is distributed, it could be coming from any number of places or from every single one of their upstreams.
> But if they receive it from a peer, I am as good as lost in trying to
> find the culprit.
Agreed. That's why it is important to stop it at the source.
> Bas
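The "stop it at the source" point in the exchange above is source address validation on customer-facing ports (BCP 38): the originating network knows which prefixes it assigned to each port and refuses to forward anything else, which is exactly the check that nobody downstream can perform once the packet is in transit. The following is an added example, not code from the thread or from any of its participants: a small Python emulation of such a per-interface egress filter. The interface names, customer prefix assignments, victim address and sample packets are all constructed for illustration from RFC documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: prefixes the operator assigned to each customer port.
# A BCP 38 egress filter forwards a packet arriving on a port only if its
# source address lies inside one of that port's assigned prefixes.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["192.0.2.0/24"],
    "ge-0/0/2": ["198.51.100.0/25", "2001:db8:100::/48"],
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str   # customer-facing interface the packet arrived on
    src: str
    dst: str
    proto: str = "udp"
    dport: int = 80


class SourceAddressFilter:
    """Per-interface source-address validation in the style of BCP 38."""

    def __init__(self, assignments):
        self.allowed = {
            ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assignments.items()
        }
        self.dropped = []  # (packet, reason) pairs, for logging/forensics

    def permit(self, pkt: Packet) -> bool:
        nets = self.allowed.get(pkt.ingress_if)
        if nets is None:
            # No assignment for this port: fail closed rather than forward
            # traffic whose source nobody vouches for.
            self.dropped.append((pkt, "unknown interface"))
            return False
        src = ipaddress.ip_address(pkt.src)
        # ipaddress returns False for a v4 address tested against a v6 network,
        # so mixed assignments on one port are safe.
        if any(src in n for n in nets):
            return True
        self.dropped.append((pkt, "source outside assigned prefixes"))
        return False


def forward(filt: SourceAddressFilter, packets):
    """Apply the filter to a batch; return the packets that would egress."""
    return [p for p in packets if filt.permit(p)]


# Constructed traffic: legitimate sources mixed with spoofed ones aimed at
# a victim (203.0.113.5) on UDP/80, as in the thread's subject line.
SAMPLE = [
    Packet("ge-0/0/1", "192.0.2.10", "203.0.113.5"),          # legitimate
    Packet("ge-0/0/1", "203.0.113.200", "203.0.113.5"),       # spoofed, victim's range
    Packet("ge-0/0/2", "198.51.100.77", "203.0.113.5"),       # legitimate
    Packet("ge-0/0/2", "198.51.100.200", "203.0.113.5"),      # outside the /25: spoofed
    Packet("ge-0/0/2", "2001:db8:100::1", "2001:db8:fff::1"), # legitimate IPv6
    Packet("ge-0/0/9", "192.0.2.10", "203.0.113.5"),          # port with no assignment
]


def run_sample():
    """Run the constructed batch; return (forwarded packets, dropped list)."""
    filt = SourceAddressFilter(CUSTOMER_PREFIXES)
    passed = forward(filt, SAMPLE)
    return passed, filt.dropped


if __name__ == "__main__":
    passed, dropped = run_sample()
    for p in passed:
        print("FORWARD", p.ingress_if, p.src, "->", p.dst)
    for p, why in dropped:
        print("DROP   ", p.ingress_if, p.src, "->", p.dst, "|", why)
```

Only the three packets whose source sits inside the prefixes assigned to their ingress port are forwarded; the two spoofed sources and the packet from the unassigned port are dropped with a reason recorded. This is the static-assignment form of the check; routers implement the same idea as strict unicast RPF against the routing table, which is why it belongs at the customer edge rather than at a transit provider: a multihomed customer with asymmetric routing can legitimately send packets whose return route points elsewhere, so further upstream the strict check produces false positives and the provider is left with the "pretty fancy systems" problem bas describes.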