[149580] in North American Network Operators' Group
RE: UDP port 80 DDoS attack
daemon@ATHENA.MIT.EDU (George Bonser)
Wed Feb 8 14:51:36 2012
From: George Bonser <gbonser@seven.com>
To: Christopher Morrow <morrowc.lists@gmail.com>
Date: Wed, 8 Feb 2012 19:50:42 +0000
In-Reply-To: <CAL9jLaYVq8_97KxUzg-FoW+jaD_cS43Mf3r1LjOASAJgyCaF6A@mail.gmail.com>
Cc: nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
> -----Original Message-----
> From: christopher.morrow
>
> to be fair: "Some Providers do not check registries for 'right to use'
> information about prefixes their customers wish to announce to them
> over BGP."
Maybe not but I would think that in practice it would be something like:
1. Provider initially filters traffic based on the address range they have issued to the customer.
2. If the customer brings their own IP addresses, the provider does a quick check to see if those have been SWIPed to the customer.
3. If the customer wants the filtration opened up to include additional IPs, they do the same as #2.
4. If the customer has no record of having control of those IPs, a quick call to the listed assignee of those numbers would verify that the customer is mutual and is properly sourcing traffic in that IP range and filters are adjusted accordingly.
In about 99% of cases that would be the end of the story and everything runs merrily along after that. Sure, there are going to be corner cases but if someone starts playing whack-a-mole with IP address assignments and is asking for frequent changes, that might be a tip-off that they might be trouble.

It *does* involve maintaining some record of the configuration settings someplace in case of equipment changes/failures, etc. but that would be a small price to pay for reducing the amount of time spent chasing DoS complaints. It has to be a community effort with a set of best practices developed and applied by the community.
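
The four steps in the message above as a small Python sketch, added here as an illustration and not part of the original message. The SWIP table, the customer names, the `max_changes` threshold and the "rejected" outcome for prefixes with no registry record are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample registry data (documentation prefixes), not real SWIP records.
SWIP = {
    "198.51.100.0/24": "ExampleCustomer",
    "203.0.113.0/24": "OtherOrg",
}

@dataclass
class Customer:
    name: str
    issued: list                      # prefixes the provider issued (step 1)
    allowed: list = field(default_factory=list)
    changes: int = 0                  # count of filter change requests

    def __post_init__(self):
        # Step 1: the initial filter is exactly the provider-issued space.
        self.allowed = [ipaddress.ip_network(p) for p in self.issued]

def swip_assignee(prefix):
    """Return the listed assignee of a covering SWIP record, or None."""
    net = ipaddress.ip_network(prefix)
    for rec, org in SWIP.items():
        rec_net = ipaddress.ip_network(rec)
        if rec_net.version == net.version and net.subnet_of(rec_net):
            return org
    return None

def request_prefix(cust, prefix, assignee_confirms=False, max_changes=3):
    """Steps 2-4: decide whether to open the filter for `prefix`."""
    cust.changes += 1
    if cust.changes > max_changes:    # assumed threshold for "frequent changes"
        return "review"
    org = swip_assignee(prefix)
    # Steps 2/3: SWIPed to the customer. Step 4: listed assignee vouches by phone.
    if org == cust.name or (org is not None and assignee_confirms):
        cust.allowed.append(ipaddress.ip_network(prefix))
        return "accepted"
    return "call-assignee" if org else "rejected"

def permit(cust, src):
    """Ingress filter: pass only packets sourced from allowed prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n for n in cust.allowed)
```
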