[156813] in North American Network Operators' Group
Re: really nasty attacks
daemon@ATHENA.MIT.EDU (Stephane Bortzmeyer)
Thu Sep 27 11:36:10 2012
Date: Thu, 27 Sep 2012 17:34:08 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Miguel Mata <mmata@intercom.com.sv>
In-Reply-To: <506468FE.15908.A42E19D@mmata.intercom.com.sv>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Thu, Sep 27, 2012 at 08:55:58AM -0600,
Miguel Mata <mmata@intercom.com.sv> wrote
a message of 30 lines which said:
> Guys,

No gals on NANOG?

> The attacks come from various sites from the other side of the pond
> (46.165.197.xx, 213.152.180.yy).

How can you be sure? With UDP, you have zero guarantee on the source
IP address. (Checking the TTL can give you a hint if the packets
really come from the same point.)

Source and destination port? If source port is 53, it may mean you're
the target of a DNS reflection+amplification attack, a la CloudFlare
<http://blog.cloudflare.com/65gbps-ddos-no-problem>.
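
The two checks suggested in the reply above (TTL consistency and source port 53), sketched as a triage script. This is an added example, not part of the original message; the record layout, the 90% threshold, the function names and the sample packets (RFC 5737 documentation addresses) are all constructed assumptions.

```python
from collections import defaultdict

# Constructed records: (src_ip, src_port, dst_port, ttl, udp_len)
REFLECTION = [
    ("192.0.2.10", 53, 41822, 52, 3012),
    ("198.51.100.7", 53, 41822, 47, 2980),
    ("203.0.113.99", 53, 41822, 241, 3004),
    ("192.0.2.10", 53, 41822, 52, 2996),
]
SPOOFED_FLOOD = [
    ("192.0.2.1", 31337, 80, 55, 40),
    ("198.51.100.200", 4021, 80, 55, 40),
    ("203.0.113.5", 60112, 80, 55, 40),
    ("198.51.100.9", 1207, 80, 55, 40),
]

COMMON_INITIAL_TTLS = (64, 128, 255)  # assumption: typical OS defaults


def hops(ttl):
    """Estimate hop count, assuming the sender started from a common initial TTL."""
    return min(t for t in COMMON_INITIAL_TTLS if t >= ttl) - ttl


def triage(packets, port53_threshold=0.9):
    ttls_by_src = defaultdict(set)
    for src, _sport, _dport, ttl, _length in packets:
        ttls_by_src[src].add(ttl)
    port53_share = sum(1 for p in packets if p[1] == 53) / len(packets)
    all_ttls = {p[3] for p in packets}
    # Many claimed sources but one TTL: hint that a single point forges them.
    same_point_hint = len(ttls_by_src) > 1 and len(all_ttls) == 1
    # One claimed source seen with several TTLs: the address is probably not the real sender.
    unstable = sorted(s for s, t in ttls_by_src.items() if len(t) > 1)
    if port53_share >= port53_threshold:
        verdict = "possible DNS reflection/amplification"
    elif same_point_hint or unstable:
        verdict = "source addresses likely spoofed"
    else:
        verdict = "inconclusive"
    return {
        "port53_share": port53_share,
        "same_point_hint": same_point_hint,
        "unstable_sources": unstable,
        "hop_estimates": sorted({hops(t) for t in all_ttls}),
        "verdict": verdict,
    }
```

In the reflection case the source addresses are real (they belong to the resolvers being abused), so each source shows a stable TTL of its own; the TTL result is only a hint, as the reply says.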