Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

[Rafael Possamai <rafael () gav ufsc br>]

Yeah, it hurts to see advanced analytics being used to sort the kitten
videos you're most likely to watch, but somehow they make money off of it.
On the other hand, their datacenter and new switching technologies are
really interesting, so that's an opposite example where their corporate
investments can benefit society in general.


On Tue, Jul 21, 2015 at 8:22 AM, Mike Hammett <nanog () ics-il net> wrote:

> "Facebook uses similar technology to figure out what kind of useless news
> to display on your feed."
>
> In this case, it'll be of no use whatsoever. ;-)
>
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> ----- Original Message -----
>
> From: "Rafael Possamai" <rafael () gav ufsc br>
> To: "Jared Mauch" <jared () puck nether net>
> Cc: nanog () nanog org
> Sent: Tuesday, July 21, 2015 8:07:34 AM
> Subject: Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in
> last 24 hours
>
> Has anyone tried to implement real-time SQC in their network? You can
> calculate summary statistics and use math to determine if traffic is
> "normal" or if there's a chance it's garbage. You won't be able to notice
> one-off attacks, but anything that repeats enough times should pop up.
> Facebook uses similar technology to figure out what kind of useless news to
> display on your feed.
>
> In summary, instead of blocking an entire country, we should be able to
> analyze traffic as it comes, and determine a DDoS attack without human
> intervention.
>
> On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch <jared () puck nether net>
> wrote:
>
> > On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:
> > > DNS is still largely UDP.
> >
> > Water is also still wet :) - but you may not be doing 10% of your
> > links as UDP/53.
> >
> > DNS can also use TCP as well, including sending more than one
> > query in a pipelined fashion.
> >
> > The challenge that Cameron is trying to document here
> > is when seeing large volumes of UDP it becomes necessary to do
> > something to keep the network up. This response is frustrating for those
> > of us who prefer to have a unfiltered e2e network but maintaining
> > the network as up in the face of these adverse conditions is important.
> >
> > - Jared
> >
> > > --Curtis
> > >
> > > On 7/20/2015 5:40 PM, Ca By wrote:
> > > > Folks, it may be time to take the next step and admit that UDP is too
> > > > broken to support
> > > >
> > > > https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00
> > > >
> > > > Your comments have been requested
> > > >
> > > >
> > > >
> > > > On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver <drew.weaver () thenap com>
> > wrote:
> > > > > Has anyone else seen a massive amount of illegitimate UDP 1720
> traffic
> > > > > coming from China being sent towards IP addresses which provide VoIP
> > > > > services?
> > > > >
> > > > > I'm talking in the 20-30Gbps range?
> > > > >
> > > > > The first incident was yesterday at around 13:00 EST, the second
> > incident
> > > > > was today at 09:00 EST.
> > > > >
> > > > > I'm assuming this is just another DDoS like all others, but I would
> be
> > > > > interested to hear if I am not the only one seeing this.
> > > > >
> > > > > On list or off-list is fine.
> > > > >
> > > > > Thanks,
> > > > > -Drew
> > >
> > > --
> > > Best Regards
> > > Curtis Maurand
> > > Principal
> > > Xyonet Web Hosting
> > > mailto:cmaurand () xyonet com
> > > http://www.xyonet.com
> >
> > --
> > Jared Mauch | pgp key available via finger from jared () puck nether net
> > clue++; | http://puck.nether.net/~jared/ My statements are only
> > mine.