
Re: UDP port 80 DDoS attack
From: Keegan Holley <keegan.holley () sungard com>
Date: Wed, 8 Feb 2012 10:18:29 -0500

On Feb 8, 2012, at 4:51 AM, George Bonser <gbonser () seven com> wrote:

From: Keegan Holley 
Subject: Re: UDP port 80 DDoS attack

It works in theory, but to get every ISP and hosting provider to ACL their edges and maintain those ACLs for every 
customer no matter how large might be a bit difficult.

You don't have to ACL in most cases. RPF works for most.  There will be a few, relatively darned few, that you will 
need to ACL, but RPF takes care of a large number of them.

RPF on the whole Internet would pretty much lead to an instant outage.  What happens when you have two upstreams and 
one has an incoming route to you but your outgoing route for whichever of their customers talking to you doesn't 
agree?  Instant outage.  Multiply that by the entire table and then add churn.  I'd give it a week before everyone 
turned it off, if you could even get them to enable it to begin with.

Also, what about non-BGP customers or customers that just accept a default route?  

I don't follow.  The ISP still knows what traffic gets routed TO them.  You only accept FROM them what you route TO 
them, even if you hand them a default route.

Or even customers that just want return traffic to come in a different link for some reason.

Still don't follow.  I am not talking about having a firewall that is stateful.  I am talking packet by packet.  If 
you don't route it to them, you don't accept it from them unless you have made arrangements otherwise, which will be 
a small percentage of your customers. Sure, some might be multihomed but it is easy enough to verify that they have 
the networks in question SWIPed to them or a call to the other provider can clear that up in a few minutes.  It isn't 
THAT hard.

ISPs would suddenly become giant traffic registries.

No, we have registries to act as registries, the ISPs should be checking them, and double checking.  It isn't 
something that is going to change every day or every week. Once you get it set up, it is going to be stable for a 
while.  Sure, it means a little more work in setting up a customer, but it also means that if all your neighbors do 
the same thing, you field many fewer calls dealing with stupid DoS crap.
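An added example, not part of the thread: a small Python model of the unicast RPF check the two are arguing about. It shows that strict mode drops the legitimate but asymmetric customer traffic Keegan describes, while the feasible-path mode from RFC 3704 keeps that traffic and still drops a forged source, and loose mode catches only sources with no route at all. The interface names, prefixes and packets are constructed for the illustration.

```python
import ipaddress

class Fib:
    """Longest-prefix-match table: prefix -> ordered list of egress interfaces.
    Index 0 is the best path; later entries are feasible alternates (such as a
    less-preferred BGP path learned over a second link)."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), list(ifs)) for p, ifs in routes]

    def lookup(self, addr, allow_default=False):
        best = None
        for net, ifs in self.routes:
            if net.prefixlen == 0 and not allow_default:
                continue  # a default route is ignored for RPF unless explicitly allowed
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifs)
        return best[1] if best else []

def urpf_check(fib, src, ingress, mode="strict"):
    """True if a packet with source `src` arriving on `ingress` passes uRPF.
    strict:   the best route back to src must point at ingress
    feasible: any viable route back to src may point at ingress
    loose:    src only has to be routable at all (default route excluded)"""
    paths = fib.lookup(ipaddress.ip_address(src))
    if not paths:
        return False
    if mode == "loose":
        return True
    if mode == "feasible":
        return ingress in paths
    return paths[0] == ingress

# Constructed FIB as seen from an upstream: 198.51.100.0/24 is a multihomed
# customer whose best return path is via a peer on ge-0/0/1, but which also
# sends outbound traffic directly on its own link ge-0/0/2 (less preferred path).
UPSTREAM_FIB = Fib([
    ("0.0.0.0/0", ["ge-0/0/0"]),                   # transit default
    ("192.0.2.0/24", ["ge-0/0/1"]),                 # single-homed customer behind the peer
    ("198.51.100.0/24", ["ge-0/0/1", "ge-0/0/2"]),  # multihomed customer, asymmetric
])

# Constructed packets, all arriving on the customer link ge-0/0/2.
PACKETS = {
    "legit_asymmetric": "198.51.100.7",  # real customer traffic, return path prefers ge-0/0/1
    "spoofed_neighbor": "192.0.2.5",     # forged source belonging to the other customer
    "spoofed_unrouted": "203.0.113.9",   # forged source with no specific route
}

def evaluate(mode):
    """Map each constructed packet to pass (True) or drop (False) under one uRPF mode."""
    return {name: urpf_check(UPSTREAM_FIB, src, "ge-0/0/2", mode) for name, src in PACKETS.items()}
```

Running `evaluate("strict")` drops all three, including the legitimate customer packet; `evaluate("feasible")` passes only the legitimate one, and `evaluate("loose")` also passes the forged neighbour address.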
