nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

From: Pavel Odintsov <pavel.odintsov () gmail com>
Date: Tue, 21 Jul 2015 17:51:36 +0300
Hello!

There are few vendors which could offer 100GE capture solutions which
could be used with FastNetMon. I could share vendor names off list if
you are interested in it.

Now we do only packet counting and compare it with fixed thresholds.
But we are working on deep packet inspection of attacks. But pps/bps
thresholds still useful in this case too.

On Tue, Jul 21, 2015 at 5:48 PM, Rafael Possamai <rafael () gav ufsc br> wrote:

Pavel, what kind of resources does the analysis of a 100G circuit require?
Or is it just counting packets?

On Tue, Jul 21, 2015 at 8:11 AM, Pavel Odintsov <pavel.odintsov () gmail com>
wrote:


You could do SQC with FastNetMon. We have per subnet / per host and
per protocol counters. We are working on multi 100GE mode very well :)

On Tue, Jul 21, 2015 at 4:07 PM, Rafael Possamai <rafael () gav ufsc br>
wrote:

Has anyone tried to implement real-time SQC in their network? You can
calculate summary statistics and use math to determine if traffic is
"normal" or if there's a chance it's garbage. You won't be able to
notice
one-off attacks, but anything that repeats enough times should pop up.
Facebook uses similar technology to figure out what kind of useless news
to
display on your feed.

In summary, instead of blocking an entire country, we should be able to
analyze traffic as it comes, and determine a DDoS attack without human
intervention.

On Tue, Jul 21, 2015 at 7:43 AM, Jared Mauch <jared () puck nether net>
wrote:


On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:


DNS is still largely UDP.


        Water is also still wet :) - but you may not be doing 10% of
your
links as UDP/53.

        DNS can also use TCP as well, including sending more than one
query in a pipelined fashion.

        The challenge that Cameron is trying to document here
is when seeing large volumes of UDP it becomes necessary to do
something to keep the network up.  This response is frustrating for
those
of us who prefer to have a unfiltered e2e network but maintaining
the network as up in the face of these adverse conditions is important.

        - Jared



--Curtis

On 7/20/2015 5:40 PM, Ca By wrote:

Folks, it may be time to  take the next step and admit that UDP is
too
broken to support

https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00

Your comments have been requested



On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver
<drew.weaver () thenap com>

wrote:



Has anyone else seen a massive amount of illegitimate UDP 1720
traffic
coming from China being sent towards IP addresses which provide
VoIP
services?

I'm talking in the 20-30Gbps range?

The first incident was yesterday at around 13:00 EST, the second

incident

was today at 09:00 EST.

I'm assuming this is just another DDoS like all others, but I would
be
interested to hear if I am not the only one seeing this.

On list or off-list is fine.

Thanks,
-Drew




--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaurand () xyonet com
http://www.xyonet.com


--
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only
mine.





--
Sincerely yours, Pavel Odintsov







-- 
Sincerely yours, Pavel Odintsov
Previous By Date Next
Previous By Thread Next

Current thread: