nanog mailing list archives
Re: ddos attacks
From: "cb.list6" <cb.list6 () gmail com>
Date: Wed, 18 Dec 2013 15:12:28 -0800
On Aug 2, 2013 10:31 AM, <sgraun () airstreamcomm net> wrote:
I'm curious to know what other service providers are doing to alleviate/prevent DDoS attacks from happening in your network. Are you completely reactive and block as many addresses as possible or null0 traffic to the affected host until it stops, or do you block certain ports to prevent them? What's the best way people are dealing with them?

Scott
I am strongly considering having my upstreams simply rate limit IPv4 UDP. It is the simplest solution that is proactive.

The facts are that during steady state less than 5% of my aggregate traffic is IPv4 UDP. During an attack, 100% of the attack traffic is IPv4 UDP (DNS, chargen, whatever). The attacks last for about 10 minutes, so manual intervention is not possible. Automated intervention has its own warts.

Conclusion: IPv4 UDP is a toxic dump. It is a shame that DNS (can be TCP), WebRTC (should be SCTP), and Google's QUIC are going to suffer the rate limited fate. My advice to them is to get away from IPv4 UDP; the problem is getting worse, not better.

CB
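As an added illustration (not part of CB's post or the list archive), the small Python simulation below shows the trade-off CB describes: an aggregate IPv4 UDP policer whose ceiling is derived from the steady-state UDP rate contains a UDP flood, but since it cannot tell reflected DNS from legitimate DNS it drops both in proportion. The traffic volumes are constructed to match the post's "under 5% UDP in steady state" figure, and the 2x headroom factor above that baseline is an assumption.

```python
from collections import defaultdict

# Constructed per-second samples (second, proto, bits, kind). 'kind' is ground
# truth we know only because we built the sample; a policer sees proto and volume.
SAMPLE = []
for _t in range(6):
    SAMPLE.append((_t, "tcp", 950_000_000, "legit"))  # ~950 Mbit/s of TCP
    SAMPLE.append((_t, "udp", 40_000_000, "legit"))   # ~40 Mbit/s DNS/QUIC
    if 3 <= _t <= 4:                                  # two seconds of flood
        SAMPLE.append((_t, "udp", 4_000_000_000, "attack"))

def udp_share(records):
    """Per-second fraction of all bits that are UDP (CB's 'under 5%' figure)."""
    total, udp = defaultdict(int), defaultdict(int)
    for t, proto, bits, _ in records:
        total[t] += bits
        if proto == "udp":
            udp[t] += bits
    return {t: udp[t] / total[t] for t in total}

def baseline_ceiling(records, steady_seconds, headroom=2):
    """Policer ceiling: peak steady-state UDP rate times an assumed headroom."""
    peak = max(sum(b for t, p, b, _ in records if t == s and p == "udp")
               for s in steady_seconds)
    return peak * headroom

def police_udp(records, ceiling_bps):
    """Cap UDP at ceiling_bps per second. Excess is dropped in proportion across
    flows, since the policer cannot tell attack UDP from legitimate UDP.
    Returns {second: {kind: dropped_bits}} for the seconds that hit the cap."""
    by_sec = defaultdict(list)
    for rec in records:
        if rec[1] == "udp":
            by_sec[rec[0]].append(rec)
    dropped = {}
    for t, recs in sorted(by_sec.items()):
        offered = sum(r[2] for r in recs)
        if offered <= ceiling_bps:
            continue  # under the cap: nothing dropped this second
        dropped[t] = {}
        for _, _, bits, kind in recs:
            passed = bits * ceiling_bps // offered  # this flow's share of the cap
            dropped[t][kind] = dropped[t].get(kind, 0) + bits - passed
    return dropped

if __name__ == "__main__":
    cap = baseline_ceiling(SAMPLE, range(3))  # seconds 0-2 are steady state
    for sec, kinds in police_udp(SAMPLE, cap).items():
        print(f"t={sec}s cap={cap / 1e6:.0f} Mbit/s dropped={kinds}")
```

With these numbers the flood is held to the 80 Mbit/s ceiling, but about 98% of the legitimate UDP in the same seconds is discarded along with it, which is the collateral cost CB accepts for DNS, WebRTC and QUIC.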