nanog mailing list archives

RE: DDoS - CoD?

From: John van Oppen <jvanoppen () spectrumnet us>
Date: Tue, 6 Sep 2011 08:01:54 +0000

i have seen many udp/80 floods as well...  pretty common.

John van Oppen
Spectrum Networks / AS11404

________________________________________
From: Dobbins, Roland [rdobbins () arbor net]
Sent: Tuesday, September 06, 2011 1:00 AM
To: North American Network Operators' Group
Subject: Re: DDoS - CoD?

On Sep 6, 2011, at 2:53 PM, BH wrote:

Has anyone seen similar traffic before? I


I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often don't know a lot about TCP/IP, and if 
something happens to work once, they incorporate it into their attack tool defaults and keep using it over and over.

In several recent high-profile DDoS attacks, UDP/80 traffic ended up causing state exhaustion on load-balancers, as the 
victim sites weren't following the BCP of enforcing network access policies via stateless ACLs in hardware-based 
routers/layer-3 switches, and the load-balancers kept trying to load-balance this traffic from multiple purported 
source IPs/source ports.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde

Current thread:

DDoS - CoD? BH (Sep 06)
- Re: DDoS - CoD? Dobbins, Roland (Sep 06)
  - RE: DDoS - CoD? John van Oppen (Sep 06)
  - Re: DDoS - CoD? BH (Sep 06)
    - Re: DDoS - CoD? Greg Chalmers (Sep 06)
    - Re: DDoS - CoD? Alexander Harrowell (Sep 06)
    - Re: DDoS - CoD? - Activision contact BH (Sep 06)
    - Re: DDoS - CoD? - Activision contact Jeff Walter (Sep 07)
- Re: DDoS - CoD? Jeff Walter (Sep 06)
  - Re: DDoS - CoD? Mark Grigsby (Sep 06)
  - Re: DDoS - CoD? George Herbert (Sep 06)
    - Re: DDoS - CoD? Ryan Gelobter (Sep 08)