mailing list archives
RE: UDP port 80 DDoS attack
From: George Bonser <gbonser () seven com>
Date: Wed, 8 Feb 2012 19:50:42 +0000
to be fair: "Some Providers do not check registries for 'right to use'
information about prefixes their customers wish to announce to them
Maybe not but I would think that in practice it would be something like:
1. Provider initially filters traffic based on the address range they have issued to the customer.
2. If the customer brings their own IP addresses, the provider does a quick check to see if those have been SWIPed to
3. If the customer wants the filtration opened up to include additional IPs, the do the same as #2
4. If the customer has no record of having control of those IPs, a quick call to the listed assignee of those numbers
would verify that the customer is mutual and is properly sourcing traffic in that IP range and filters are adjusted
In about 99% of cases that would be the end of the story and everything runs merrily along after that. Sure, there are
going to be corner cases but if someone starts playing whack-a-mole with IP address assignments and is asking for
frequent changes, that might be a tip-off that they might be trouble.
It *does* involve maintaining some record of the configuration settings someplace in case of equipment
changes/failures, etc. but that would be a small price to pay for reducing the amount of time spent chasing DoS
complaints. It has to be a community effort with a set of best practices developed and applied by the community.