nanog mailing list archives

Re: really nasty attacks


From: Jared Mauch <jared () puck nether net>
Date: Thu, 27 Sep 2012 11:21:06 -0400


On Sep 27, 2012, at 10:55 AM, Miguel Mata wrote:

Guys,

In recent days I've seen a UDP attack a couple of times. The attack is fairly simple: a full 
load of UDP packets filled with "X". The attacks come from various sites on the other side 
of the pond (46.165.197.xx, 213.152.180.yy).

Has anyone seen this kind of attack? Basically, the attack aims to fill your pipe (150Mbps 
over an STM1... guess what...). Then the question goes like this: besides asking your 
upstream provider to block, drop or whatever on the offending traffic, and "contacting the 
administrator", what else can be done?

Thanks in advance for any help you can provide.

Please contact me off list. I'll post a recap in due time.

There are a lot of different attack types that one might see as an ISP/SP of services. 10+ years ago it would be an 
ICMP flood.  Some of us took to rate-limiting the ICMP echo/echo-reply traffic to 2Mb/s on links to mitigate the flood.

UDP can be a powerful tool in the hands of a compromised server.  I recall in '96 putting 100M of UDP through a 10M 
firewall/NAT midpoint.  Had to drive to the office to kill the process.

Without knowing the nature of the pattern you are seeing, it is very hard to advise anything other than to contact your 
ISP for filtering.  Traffic against udp/0 (fragments) would be handled differently than others (e.g. udp/80).  I've seen 
many people just add udp/80 to their standard filters since I'm unaware of any UDP HTTP implementations.

You can try to determine why you were attacked, but that too can range from a "script kiddie" on IRC to an attack 
with far more malicious motive and implications.

- Jared
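The triage Jared sketches above (sort the flood into udp/0 fragments, udp/80 and ICMP echo, then treat each class differently) as a worked example. This is an added example for the thread, not code from either poster; the one-second "capture" is constructed inline with the two attacking prefixes from the question plus a little legitimate DNS, the STM-1 line rate and the 10% per-source threshold are assumptions, and the rendered access-list lines are IOS-style extended ACL syntax shown for illustration.

```python
"""Sort a flood capture into the classes discussed in the thread (udp/0 fragments,
udp/80, ICMP echo) and draft a per-class mitigation.  Added example, not code from
the thread's posters; the capture below is constructed, not real traffic."""
from collections import defaultdict
from ipaddress import ip_network

STM1_BPS = 155_520_000  # STM-1 line rate: the pipe the attack fills (assumption)
WINDOW_S = 1.0          # length of the constructed capture, seconds


def _pkt(src, proto, dport, length, payload, frag=False, icmp_type=None):
    """One packet record in a hypothetical capture format (assumed, not a real tool's)."""
    return {"src": src, "proto": proto, "dport": dport, "length": length,
            "payload": payload, "frag": frag, "icmp_type": icmp_type}


# Constructed one-second capture: three floods plus ten legitimate DNS replies.
SAMPLE_PACKETS = (
    [_pkt("46.165.197.10", "udp", 80, 1400, b"X" * 1372) for _ in range(2000)]
    # non-first fragments carry no UDP header, so flow tools report them as udp/0
    + [_pkt("213.152.180.20", "udp", 0, 1480, b"X" * 1460, frag=True) for _ in range(2000)]
    + [_pkt("198.51.100.7", "icmp", None, 1000, b"X" * 972, icmp_type=8) for _ in range(3000)]
    + [_pkt("203.0.113.53", "udp", 33000, 512, b"\x12\x34\x81\x80dns-reply") for _ in range(10)]
)


def is_filler(payload: bytes) -> bool:
    """True when the payload is a single byte repeated (the 'filled with X' pattern)."""
    return len(payload) > 0 and payload.count(payload[:1]) == len(payload)


def classify(pkt: dict) -> str:
    """Map a packet to the traffic class a filter would match on."""
    if pkt["proto"] == "icmp":
        return "icmp-echo" if pkt["icmp_type"] in (0, 8) else "icmp-other"
    if pkt["proto"] != "udp":
        return "other"
    if pkt["frag"] or pkt["dport"] == 0:
        return "udp/0-fragment"
    return "udp/%d" % pkt["dport"]


def summarize(packets, window_s=WINDOW_S):
    """Bits/s, packet count and filler-payload count per (class, source /24)."""
    out = defaultdict(lambda: {"bps": 0.0, "pkts": 0, "filler_pkts": 0})
    for p in packets:
        net = str(ip_network(p["src"] + "/24", strict=False))
        s = out[(classify(p), net)]
        s["bps"] += p["length"] * 8 / window_s
        s["pkts"] += 1
        s["filler_pkts"] += 1 if is_filler(p["payload"]) else 0
    return dict(out)


def draft_mitigation(summary, link_bps=STM1_BPS, share=0.10):
    """One action per (class, /24) that alone uses more than `share` of the link."""
    actions = []
    for (cls, net), s in sorted(summary.items()):
        if s["bps"] < link_bps * share:
            continue
        if cls == "udp/80":
            actions.append(("deny", cls, net))    # no UDP HTTP exists: safe to drop outright
        elif cls in ("udp/0-fragment", "icmp-echo"):
            actions.append(("police", cls, net))  # legitimate traffic shares these classes
        else:
            actions.append(("review", cls, net))  # e.g. a DNS port: look before filtering
    return actions


def render_ios(actions, acl=150, police_bps=2_000_000):
    """Denies as IOS-style extended ACL lines; policing left as remarks because
    rate-limit syntax is platform-specific (assumed format, adapt to your gear)."""
    lines = []
    for act, cls, net in actions:
        n = ip_network(net)
        src = f"{n.network_address} {n.hostmask}"
        if act == "deny":
            lines.append(f"access-list {acl} deny udp {src} any eq {cls.split('/')[1]}")
        elif act == "police":
            what = "udp fragments" if cls == "udp/0-fragment" else "icmp echo/echo-reply"
            lines.append(f"access-list {acl} remark police {what} from {net} to {police_bps} bps")
        else:
            lines.append(f"access-list {acl} remark review {cls} from {net} before filtering")
    return lines


if __name__ == "__main__":
    summary = summarize(SAMPLE_PACKETS)
    for key, s in sorted(summary.items()):
        print(key, "%.1f Mb/s" % (s["bps"] / 1e6), s["pkts"], "pkts", s["filler_pkts"], "filler")
    for line in render_ios(draft_mitigation(summary)):
        print(line)
```

The split matters because a standing deny on udp/80 costs nothing, while dropping all udp/0 fragments also drops large DNS/EDNS replies, so that class and ICMP echo get a policer (Jared's 2Mb/s figure) instead. Either way, rules applied on your own router only tidy up after the pipe is already full; the filter or policer has to sit on the upstream side of the STM-1 to help.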
