Home page logo
/

nanog logo nanog mailing list archives

Re: UDP port 80 DDoS attack
From: Keegan Holley <keegan.holley () sungard com>
Date: Wed, 8 Feb 2012 03:31:05 -0500

2012/2/8 George Bonser <gbonser () seven com>



-----Original Message-----
From: bas
Sent: Tuesday, February 07, 2012 11:56 PM
To: Dobbins, Roland; nanog
Subject: Re: UDP port 80 DDoS attack

Say eyeball provider X has implemented automated S/RTBH, and I have a
grudge against them.
I would simply DoS a couple of the subscribers *with spoofed source IP*
addresses from google, youtube, netflow and hulu.
The automated S/RTBH drops all packets coming from those IP addresses.
Presto; many angry consumers call the ISP's helpdesk.

Comes back to providers allowing "spoofed" traffic into their networks
from customers.  That seems to me to be the low-hanging fruit here.



How do you stop it?  Granted, traffic from 10/8 or 127.0.0.1 coming in via
an upstream is obvious, but that's about it.  There's nothing in a packet
that will tell you where it came from compared to the source IP field in
the IP header.  uRPF is a problem for anyone who's sufficiently multihomed
since it causes asymmetric routing.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]