[67738] in North American Network Operators' Group
Re: 80/udp floods?
daemon@ATHENA.MIT.EDU (Suresh Ramasubramanian)
Wed Feb 18 21:04:30 2004
Date: Thu, 19 Feb 2004 07:33:12 +0530
From: Suresh Ramasubramanian <suresh@outblaze.com>
To: "Wayne E. Bouchard" <web@typo.org>
Cc: Scott Call <scall@devolution.com>, nanog@merit.edu
In-Reply-To: <20040219004623.GA56612@typo.org>
Errors-To: owner-nanog-outgoing@merit.edu
Wayne E. Bouchard [2/19/2004 6:16 AM] :
> Easy enough to fend off except for the TCP 80 bit. For most of these
> attacks, I've taken to just filtering the entire LACNIC and APNIC
> address delegations at the host level for the duration of the
> incident since, in the general case, my customers (the ones that
> suffer these incidents) do little if any business in that region.

May I suggest extending your ACLs to filter 0/0?

I have seen quite a lot of this from ARIN (mostly cablemodem land, 24/8)
as well as RIPE space (again cablemodem land -> trojaned zombies?)

srs
--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com security and antispam operations