nanog mailing list archives

Re: UDP port 80 DDoS attack


From: Keegan Holley <keegan.holley () sungard com>
Date: Thu, 9 Feb 2012 23:21:48 -0500

2012/2/8 Steve Bertrand <steve.bertrand () gmail com>

On 2012.02.08 14:23, Drew Weaver wrote:

Stop paying transit providers for delivering spoofed packets to the edge
of your network and they will very quickly develop methods of proving that
the traffic isn't spoofed, or block it altogether. =)


I firmly believe in this recourse, amongst others...


How do you tell the spoofed packets from the non-spoofed ones?  Especially
if you have more than one provider.


If you know that your provider allows spoofed traffic, let the community
know about it.


According to a company wide NDA I'm only allowed to disclose that to the
best of my knowledge my upstreams permit packets sent from users or other
NSPs who may or may not permit or generate packets.  The source IP
addresses are checked to be valid 32 bit numbers before being sent to my
routers. My upstreams to the best of their knowledge have never sent me a
single spoofed packet and will refrain from doing so unless they receive
written consent from me, in triplicate. ;)


In all aspects of life, a problem must be 'fixed' at the source. All of
the small-medium size ops have to connect to the big-boys somewhere, and
what I've seen in this industry is that the big-boys are generally
compliant.


As long as compliant means completely indifferent to your concerns and
unwilling to change or compromise in any meaningful way while sucking money
away faster than the government.  They are all very very compliant and a
pleasure to do business with.
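The question raised above, how an edge router decides whether a source address is spoofed, is normally answered with unicast reverse-path forwarding (uRPF), the mechanism behind BCP 38 (RFC 2827) and its multihomed variant BCP 84 (RFC 3704). The following is an added illustration, not code from the thread or from anyone posting in it: a toy strict and loose uRPF check run against a constructed forwarding table. The prefixes, the interface names (ifA, ifB, cust, null0) and the sample packets are all made up for the example; the `allow_default` knob mirrors the common router option of ignoring the default route during the check.

```python
"""Toy uRPF check (added example, not from the NANOG thread).

Strict mode accepts a packet only if the best route back to its source
address leaves via the interface the packet arrived on.  Loose mode only
requires that some non-discard route to the source exists.  The FIB,
interface names and packets below are constructed for illustration.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed FIB for a dual-homed edge router: prefix -> next-hop interface.
# "null0" is a discard route, the usual way to black-hole bogon sources.
FIB = {
    "0.0.0.0/0": "ifA",          # default route points at provider A
    "203.0.113.0/24": "cust",    # our own customer prefix
    "198.51.100.0/24": "ifB",    # more-specific prefix learned from provider B
    "10.0.0.0/8": "null0",       # RFC 1918 space: discard
}

# Sort longest prefix first so the first match is the best route.
_FIB = sorted(((ipaddress.ip_network(p), i) for p, i in FIB.items()),
              key=lambda e: e[0].prefixlen, reverse=True)


def lookup(src: str) -> Tuple[Optional[str], bool]:
    """Longest-prefix match. Returns (interface, matched_default_route)."""
    addr = ipaddress.ip_address(src)
    for net, iface in _FIB:
        if addr in net:
            return iface, net.prefixlen == 0
    return None, False


def urpf(src: str, in_iface: str, mode: str = "strict",
         allow_default: bool = False) -> bool:
    """Return True if the packet passes the reverse-path check."""
    iface, via_default = lookup(src)
    if iface is None or iface == "null0":
        return False                      # unroutable or black-holed source
    if via_default and not allow_default:
        return False                      # default route does not vouch for anyone
    if mode == "strict":
        return iface == in_iface          # must arrive where we would send replies
    return True                           # loose: any real route is enough


def demo() -> Dict[Tuple[str, str], Dict[str, bool]]:
    """Run the constructed packets through every mode and collect the verdicts."""
    packets = [
        ("203.0.113.10", "cust"),   # customer using its own address
        ("198.51.100.7", "cust"),   # customer spoofing a provider-B address
        ("198.51.100.7", "ifA"),    # legitimate, but arrived via A (asymmetric path)
        ("10.0.0.5", "ifA"),        # bogon source hitting the null route
        ("192.0.2.9", "ifB"),       # covered only by the default route
    ]
    verdicts = {}
    for src, iface in packets:
        verdicts[(src, iface)] = {
            "strict": urpf(src, iface, "strict"),
            "strict+default": urpf(src, iface, "strict", allow_default=True),
            "loose": urpf(src, iface, "loose"),
            "loose+default": urpf(src, iface, "loose", allow_default=True),
        }
    return verdicts


if __name__ == "__main__":
    for (src, iface), result in demo().items():
        print(f"{src:>14} on {iface:<5} ->", result)
```

Two rows in the output carry the point of the thread. The spoofed packet from the customer port (198.51.100.7 arriving on cust) is rejected by strict mode, which is exactly the BCP 38 check a provider can apply at a single-homed customer edge. The same source arriving on ifA is also rejected by strict mode even though it is legitimate, because the best route to it points at ifB: with more than one provider, return paths are often asymmetric, so strict uRPF at a transit interface drops good traffic, and providers fall back to loose mode, which only catches sources with no route at all (or a discard route). That is why the question "how do you tell spoofed from non-spoofed with more than one provider" has no clean answer at the transit edge and the filtering has to happen at the source.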

