Re: UDP port 80 DDoS attack

[bas <kilobit () gmail com>]

Roland,
On Mon, Feb 6, 2012 at 2:43 AM, Dobbins, Roland <rdobbins () arbor net> wrote:
> S/RTBH can be rapidly shifted in order to deal with changing purported source IPs, and it isn't limited to /32s.

The big drawback with S/RTBH is that it is a DoS method in itself.

Say eyeball provider X has implemented automated S/RTBH, and I have a
grudge against them.
I would simply DoS a couple of the subscribers with spoofed source IP
addresses from google, youtube, netflow and hulu.
The automated S/RTBH drops all packets coming from those IP addresses.
Presto; many angry consumers call the ISP's helpdesk.

The same goes for hosting networks, I just need to identify what kind
of service my intended victim is dependent on. (i.e. paypal).
Then DoS any part of the hosters network with spoofed source addresses
of paypal, the automated S/RTBH makes sure the entire hosting network
is not able to reach paypal anymore.
Presto, mission achieved.

Bas