nanog mailing list archives
Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours
From: Ca By <cb.list6 () gmail com>
Date: Mon, 20 Jul 2015 17:03:17 -0700
On Monday, July 20, 2015, John Weekes <jw () nuclearfallout net> wrote:
> Ca,
>
> > Folks, it may be time to take the next step and admit that UDP is too broken to support
> > https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
> > Your comments have been requested
>
> My comment would be that UDP is still widely used for game server traffic. This is unlikely to change in the near future because TCP (by default) is not well-suited for highly time-sensitive data, as even a small amount of packet loss causes significant delays.

First, thanks for feedback. The opsec mailer in the IETF is a good place for detailed feedback. TCP packets travel at the same speed as UDP. In fact nearly all video is delivered as TCP (YouTube, Netflix). Your level of TCP window pacing is relevant to your congestion algo. There is also SCTP....
> In light of this, it is a bad idea for network operators to apply overall rate-limits to UDP traffic right now. Rate-limiting specific UDP ports that are frequently seen in reflection attacks -- such as 19, 123, and 1900 -- is a more reasonable practice, however, and it is becoming more common.
I noticed you did not include today's reported UDP 1720. Somebody took it on the chin because they did not rate-limit that port. Tomorrow it will be a different port. Going back to the draft, it states that you should create a baseline and understand it.
> UDP-based application protocols can be implemented correctly, such that they also have handshakes that limit their ability to be used for reflection attacks, and modern services (including modern game servers) do this.
Agreed. The issue is that there is so much broken NTP / chargen / SSDP .... that UDP is a threat and "your UDP app" will be collateral damage at some point (now, or in the future).
> TCP and UDP can both be spoofed and used for direct attacks; we see this all the time. UDP is preferred due to many application protocols' susceptibility to amplification attacks, but spoofed TCP attacks are often a bit thornier to deal with from the standpoint of a host attempting to externally mitigate, because tracking the three-way handshake requires keeping state.
What is the attack bandwidth volume ratio you see between TCP and UDP? Mine is nearly 100% UDP, but I have an eyeball network.
> I spoke with Drew earlier and his attacks do not appear to be reflected, so this is orthogonal to his concern today. He is seeing directly-generated traffic, which could use any protocol.
>
> -John
But it is UDP, so it is not orthogonal and would hit the bitbucket on a protocol-level policer without anyone opening a ticket or getting paged. This draft is not trying to deprecate UDP. It is simply illuminating a situation and a trend and providing advice. As a network operator, my concern is that protocols doing cool things like QUIC and WebRTC will grow very quickly on UDP and the signal will mix with DDoS noise in such a way that I cannot tease them apart. Today, I rate-limit UDP with a sledgehammer just to keep the network up. If you say I have to rate-limit with a scalpel, that probably won't work.

CB
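As an added illustration of the baseline-versus-sledgehammer point in the exchange above (example code written for this page, not from the thread participants or from the draft), the script below builds a per-destination-port UDP baseline from flow records, flags the port 1720 flood against that baseline, and contrasts a per-port policer with a single protocol-wide UDP policer that would also drop the legitimate QUIC/443 traffic. The flow records, the 5x anomaly factor, the 1 MB/s floor for previously unseen ports, and the proportional-drop model for an overloaded policer are all assumptions made for the example; real input would come from NetFlow/IPFIX/sFlow on the edge router.

```python
"""Per-port UDP baseline versus a protocol-wide UDP policer (added example).

Flow records are constructed for this example as (second, udp_dst_port, bytes)
tuples; they are not measurements from the thread.
"""
from collections import defaultdict

# Constructed 60 s baseline window: steady DNS, NTP, QUIC/443 and a game port.
_LEGIT_MIX = [
    (53, 2_000_000),        # DNS, 2 MB/s
    (123, 100_000),         # NTP, 100 kB/s
    (443, 30_000_000),      # QUIC, 30 MB/s
    (27015, 5_000_000),     # game server, 5 MB/s
]
BASELINE_FLOWS = [(sec, port, nbytes) for sec in range(60) for port, nbytes in _LEGIT_MIX]

# Constructed 60 s attack window: same mix plus a 20 Gbps (2.5 GB/s) flood at UDP/1720.
ATTACK_FLOWS = [
    (sec, port, nbytes)
    for sec in range(60)
    for port, nbytes in _LEGIT_MIX + [(1720, 2_500_000_000)]
]


def bytes_per_second_by_port(flows):
    """Average bytes/s per UDP destination port over the window covered by `flows`."""
    seconds = len({sec for sec, _, _ in flows}) or 1
    totals = defaultdict(int)
    for _, port, nbytes in flows:
        totals[port] += nbytes
    return {port: total / seconds for port, total in totals.items()}


def flag_ports(baseline, current, factor=5.0, floor_bps=1_000_000):
    """Return {port: current_bytes_per_second} for ports whose current rate exceeds
    `factor` times their baseline. A port absent from the baseline is compared
    against `floor_bps` (assumed) so that a brand-new port can still be flagged."""
    flagged = {}
    for port, rate in current.items():
        expected = max(baseline.get(port, 0.0), floor_bps)
        if rate > factor * expected:
            flagged[port] = rate
    return flagged


def protocol_policer_drop_share(current, cap_bps):
    """Fraction of each port's traffic lost under ONE UDP-wide policer of `cap_bps`.
    Assumes (simplification) that drops fall proportionally on every port, so the
    legitimate ports share the loss with the attack port."""
    total = sum(current.values())
    if total <= cap_bps:
        return {port: 0.0 for port in current}
    share = 1.0 - cap_bps / total
    return {port: share for port in current}


def per_port_policer_drop_share(current, flagged, cap_bps):
    """Fraction lost per port when only the flagged ports are policed to `cap_bps`
    each; unflagged ports are untouched."""
    result = {}
    for port, rate in current.items():
        if port in flagged and rate > cap_bps:
            result[port] = 1.0 - cap_bps / rate
        else:
            result[port] = 0.0
    return result


if __name__ == "__main__":
    baseline = bytes_per_second_by_port(BASELINE_FLOWS)
    current = bytes_per_second_by_port(ATTACK_FLOWS)
    flagged = flag_ports(baseline, current)
    cap = 500_000_000  # assumed 4 Gbps budget
    print("flagged ports:", flagged)
    print("protocol-wide policer loss:", protocol_policer_drop_share(current, cap))
    print("per-port policer loss:", per_port_policer_drop_share(current, flagged, cap))
```

Running it with the constructed data flags only port 1720; the protocol-wide policer at a 4 Gbps cap discards roughly 80% of every port's traffic, including QUIC/443 and the game port, while the per-port policer discards only from 1720. The example extends the thread's specific case to the general per-port baseline check the draft asks operators to build.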