[149615] in North American Network Operators' Group
Re: UDP port 80 DDoS attack
Date: Fri, 10 Feb 2012 10:53:49 -0600
From: John Kristoff <jtk@cymru.com>
To: Ray Gasnick III <rgasnick@milestechnologies.com>
In-Reply-To: <7F48F1B1D2983A49AFC2A39FAC634039AE924E9CF1@miles-exch01.miles.office>
Cc: "nanog@nanog.org" <nanog@nanog.org>
On Sun, 5 Feb 2012 18:36:13 -0500
Ray Gasnick III <rgasnick@milestechnologies.com> wrote:
> Only solution thus far was to dump the victim IP address in our block
> into the BGP Black hole community with one of our 2 providers and
> completely stop advertising to the other.
Drew mentioned udp.pl and I also think it could have been this script running
on some compromised Unix-based host(s) as well. If the traffic did not
appear to be widely distributed, that is, not spoofed, then this is
even more likely. If that was the case, filtering based on the sender
address(es) may help better mitigate the attack without taking the
target entirely offline for everyone else.
John
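As an added example (not part of the thread), a small Python check for the decision John describes: whether the sources hitting the victim on UDP/80 are concentrated enough for per-source filtering to be worthwhile, or dispersed in the way spoofed floods are. The flow records, the VICTIM address and the thresholds are constructed for illustration.

```python
from collections import Counter

# Constructed flow records (src, dst, proto, dport, pkts); not real traffic.
# VICTIM is a placeholder for the attacked address in the operator's block.
VICTIM = "192.0.2.10"
SAMPLE_FLOWS = [
    ("198.51.100.7", VICTIM, "udp", 80, 48000),
    ("198.51.100.9", VICTIM, "udp", 80, 45000),
    ("203.0.113.44", VICTIM, "udp", 80, 43000),
    ("203.0.113.8", VICTIM, "udp", 80, 1200),
    ("198.51.100.22", VICTIM, "tcp", 443, 900),    # normal traffic, not the flood
    ("192.0.2.200", "192.0.2.11", "udp", 80, 400),  # different destination
]

def flood_sources(flows, victim, proto="udp", dport=80):
    """Packets per source address for flows aimed at victim on proto/dport."""
    counts = Counter()
    for src, dst, p, port, pkts in flows:
        if dst == victim and p == proto and port == dport:
            counts[src] += pkts
    return counts

def is_concentrated(counts, top_n=3, threshold=0.9):
    """True when the top N sources carry at least `threshold` of the flood,
    i.e. the senders look like a few real hosts rather than random spoofed
    addresses spread across the whole address space."""
    total = sum(counts.values())
    if total == 0:
        return False
    top = sum(pkts for _, pkts in counts.most_common(top_n))
    return top / total >= threshold

def filter_candidates(flows, victim, top_n=3, threshold=0.9, min_share=0.05):
    """Source addresses worth filtering upstream instead of blackholing the
    victim. Returns [] when sources are dispersed (likely spoofed), since
    per-source filters would then do nothing useful."""
    counts = flood_sources(flows, victim)
    if not is_concentrated(counts, top_n, threshold):
        return []
    total = sum(counts.values())
    return sorted(src for src, pkts in counts.items() if pkts / total >= min_share)

if __name__ == "__main__":
    print(filter_candidates(SAMPLE_FLOWS, VICTIM))
```

With the constructed sample, three sources carry over 99% of the UDP/80 packets, so they are returned as filter candidates; a flood spread evenly over a hundred sources returns an empty list.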