Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

[Pavel Odintsov <pavel.odintsov () gmail com>]

You could do SQC with FastNetMon. We have per subnet / per host and
per protocol counters. We are working on multi 100GE mode very well :)

On Tue, Jul 21, 2015 at 4:07 PM, Rafael Possamai <rafael () gav ufsc br> wrote:
> Has anyone tried to implement real-time SQC in their network? You can
> calculate summary statistics and use math to determine if traffic is
> "normal" or if there's a chance it's garbage. You won't be able to notice
> one-off attacks, but anything that repeats enough times should pop up.
> Facebook uses similar technology to figure out what kind of useless news to
> display on your feed.
>
> In summary, instead of blocking an entire country, we should be able to
> analyze traffic as it comes, and determine a DDoS attack without human
> intervention.
>
> On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch <jared () puck nether net> wrote:
>
> > On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
> > > DNS is still largely UDP.
> >
> >         Water is also still wet :) - but you may not be doing 10% of your
> > links as UDP/53.
> >
> >         DNS can also use TCP as well, including sending more than one
> > query in a pipelined fashion.
> >
> >         The challenge that Cameron is trying to document here
> > is when seeing large volumes of UDP it becomes necessary to do
> > something to keep the network up.  This response is frustrating for those
> > of us who prefer to have a unfiltered e2e network but maintaining
> > the network as up in the face of these adverse conditions is important.
> >
> >         - Jared
> >
> > > --Curtis
> > >
> > > On 7/20/2015 5:40 PM, Ca By wrote:
> > > > Folks, it may be time to  take the next step and admit that UDP is too
> > > > broken to support
> > > >
> > > > https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
> > > >
> > > > Your comments have been requested
> > > >
> > > >
> > > >
> > > > On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver <drew.weaver () thenap com>
> > wrote:
> > > > > Has anyone else seen a massive amount of illegitimate UDP 1720 traffic
> > > > > coming from China being sent towards IP addresses which provide VoIP
> > > > > services?
> > > > >
> > > > > I'm talking in the 20-30Gbps range?
> > > > >
> > > > > The first incident was yesterday at around 13:00 EST, the second
> > incident
> > > > > was today at 09:00 EST.
> > > > >
> > > > > I'm assuming this is just another DDoS like all others, but I would be
> > > > > interested to hear if I am not the only one seeing this.
> > > > >
> > > > > On list or off-list is fine.
> > > > >
> > > > > Thanks,
> > > > > -Drew
> > >
> > > --
> > > Best Regards
> > > Curtis Maurand
> > > Principal
> > > Xyonet Web Hosting
> > > mailto:cmaurand () xyonet com
> > > http://www.xyonet.com
> >
> > --
> > Jared Mauch  | pgp key available via finger from jared () puck nether net
> > clue++;      | http://puck.nether.net/~jared/  My statements are only
> > mine.



-- 
Sincerely yours, Pavel Odintsov