Re: UDP port 80 DDoS attack


From: Keegan Holley <keegan.holley () sungard com>
Date: Wed, 8 Feb 2012 04:12:21 -0500

It works in theory, but to get every ISP and hosting provider to ACL their
edges and maintain those ACLs for every customer no matter how large might
be a bit difficult.  Also, what about non-BGP customers or customers that
just accept a default route? Or even customers that just want return
traffic to come in a different link for some reason.  ISPs would suddenly
become giant traffic registries.

2012/2/8 George Bonser <gbonser () seven com>

> From: Keegan Holley
>
> > How do you stop it?
>
> A provider knows what destination IP traffic they route TO a customer,
> don't they?  That should be the only source IPs they accept FROM a customer.
>
> If you don't route it TO the customer, you shouldn't accept it FROM the
> customer unless you have made special arrangements with them and verified
> they are entitled to source the traffic from the desired IPs.
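An added illustration of the edge filter the two messages above are arguing about (this is not code from the thread or from any NANOG participant): accept FROM a customer port only those source addresses the provider routes TO that port, with a separately maintained exception list standing in for George's "special arrangements" and for Keegan's asymmetric-return-link case. The port names, prefix table and packets are all constructed for the example using RFC 5737 / RFC 3849 documentation space; in a real deployment the routed-prefix table would come from the provider's own routing state.

```python
# Added example, not from the NANOG thread: a model of BCP38-style ingress
# source-address validation at a provider edge. All port names, prefixes
# and packets are constructed (documentation address space).
import ipaddress
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "ingress src dst dport proto")

# Constructed table: prefixes the provider routes TO each customer-facing port.
# For a static or default-route customer this is just the static routes that
# point at the port; for a BGP customer it is the accepted announcements.
ROUTED_TO_CUSTOMER = {
    "cust-a": ["203.0.113.0/24", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/25"],
}

# Constructed exception list: sources verified out-of-band for a customer
# whose return traffic arrives over a different link. This is the part
# that has to be maintained by hand, which is Keegan's objection.
VERIFIED_EXTRA_SOURCES = {
    "cust-b": ["198.51.100.128/25"],
}


def allowed_sources(port):
    """Prefixes accepted as source addresses on this ingress port."""
    prefixes = ROUTED_TO_CUSTOMER.get(port, []) + VERIFIED_EXTRA_SOURCES.get(port, [])
    return [ipaddress.ip_network(p) for p in prefixes]


def source_permitted(port, src):
    """True if src falls inside any allowed prefix for port; deny otherwise.
    ipaddress returns False on an address/prefix version mismatch, so a v4
    source is never matched against a v6 prefix or vice versa."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed_sources(port))


def apply_ingress_filter(packets):
    """Split packets into (accepted, dropped) by source-address validation."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if source_permitted(pkt.ingress, pkt.src) else dropped).append(pkt)
    return accepted, dropped


def spoof_report(dropped):
    """Count drops per (ingress port, claimed source) so an operator can see
    which customer port is emitting traffic it is not entitled to source."""
    return Counter((p.ingress, p.src) for p in dropped)


# Constructed sample traffic arriving FROM customer ports. 192.0.2.0/24 is
# nobody's customer here, so packets claiming it as a source are spoofed.
SAMPLE_PACKETS = [
    Packet("cust-a", "203.0.113.10", "192.0.2.1", 80, "udp"),            # legitimate
    Packet("cust-a", "192.0.2.7", "192.0.2.1", 80, "udp"),               # spoofed source
    Packet("cust-a", "2001:db8:a::1", "2001:db8:ffff::1", 443, "tcp"),   # legitimate v6
    Packet("cust-a", "192.0.2.7", "192.0.2.1", 80, "udp"),               # spoofed again
    Packet("cust-b", "198.51.100.1", "192.0.2.1", 53, "udp"),            # routed prefix
    Packet("cust-b", "198.51.100.200", "192.0.2.1", 53, "udp"),          # verified extra
    Packet("cust-b", "203.0.113.10", "192.0.2.1", 80, "udp"),            # cust-a space via cust-b
    Packet("cust-c", "203.0.113.99", "192.0.2.1", 80, "udp"),            # port with no routes: deny all
]

if __name__ == "__main__":
    accepted, dropped = apply_ingress_filter(SAMPLE_PACKETS)
    print(f"accepted {len(accepted)}, dropped {len(dropped)}")
    for (port, src), n in spoof_report(dropped).items():
        print(f"  port {port} sourced {src} {n}x without entitlement")
```

The default is deny: a port with no routed prefixes and no verified exceptions (cust-c above) passes nothing, and a customer sourcing another customer's space (cust-a's prefix arriving via cust-b) is dropped even though the provider routes that prefix somewhere. The per-port drop counter is what an operator would look at to find which edge is leaking spoofed UDP/80 traffic.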