nanog mailing list archives

RE: UDP port 80 DDoS attack
From: George Bonser <gbonser () seven com>
Date: Wed, 8 Feb 2012 19:50:42 +0000

-----Original Message-----
From: christopher.morrow

to be fair: "Some Providers do not check registries for 'right to use'
information about prefixes their customers wish to announce to them
over BGP."

Maybe not but I would think that in practice it would be something like:

1. Provider initially filters traffic based on the address range they have issued to the customer.
2. If the customer brings their own IP addresses, the provider does a quick check to see if those have been SWIPed to the customer.
3. If the customer wants the filtration opened up to include additional IPs, they do the same as #2.
4. If the customer has no record of having control of those IPs, a quick call to the listed assignee of those numbers would verify that the customer is mutual and is properly sourcing traffic in that IP range and filters are adjusted.

In about 99% of cases that would be the end of the story and everything runs merrily along after that. Sure, there are going to be corner cases but if someone starts playing whack-a-mole with IP address assignments and is asking for frequent changes, that might be a tip-off that they might be trouble.

It *does* involve maintaining some record of the configuration settings someplace in case of equipment changes/failures, etc. but that would be a small price to pay for reducing the amount of time spent chasing DoS complaints. It has to be a community effort with a set of best practices developed and applied by the community.
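
The four-step check described in the message above, sketched as an added example that is not part of the original post. The registry entries, customer names, documentation prefixes and the churn threshold are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of registry (SWIP-style) records: prefix -> listed assignee.
# Documentation prefixes and names are placeholders, not real assignments.
REGISTRY = {
    "198.51.100.0/24": "ExampleCustomer",
    "203.0.113.0/24": "OtherOrg",
}
CHURN_THRESHOLD = 3  # assumed cut-off for "frequent changes"

@dataclass
class CustomerFilter:
    name: str
    allowed: list = field(default_factory=list)  # permitted source prefixes
    requests: int = 0                             # filter change requests seen

    def issue(self, prefix):
        """Step 1: provider-issued space is permitted from the start."""
        self.allowed.append(ipaddress.ip_network(prefix))

    def request_prefix(self, prefix, assignee_confirms=False):
        """Steps 2-4: open the filter only with evidence of right to use."""
        self.requests += 1
        net = ipaddress.ip_network(prefix)
        # Find the registry record that covers the requested prefix, if any.
        assignee = next((who for p, who in REGISTRY.items()
                         if net.subnet_of(ipaddress.ip_network(p))), None)
        if assignee == self.name:
            verdict = "allowed: registry lists customer"
        elif assignee is not None and assignee_confirms:
            verdict = f"allowed: confirmed by {assignee}"
        else:
            return "denied: right to use not verified"
        self.allowed.append(net)
        return verdict

    def permits(self, src):
        """The filter itself: accept only sources inside an allowed prefix."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.allowed)

    def churn_flag(self):
        """Tip-off from the post: frequent change requests deserve a look."""
        return self.requests > CHURN_THRESHOLD
```

The `assignee_confirms` argument stands in for the phone call to the listed assignee; the sample data is IPv4 only.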
