Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

[Ca By <cb.list6 () gmail com>]

On Thu, Jul 23, 2015 at 6:25 AM, Justin M. Streiner <streiner () cluebyfour org
> wrote:

> On Thu, 23 Jul 2015, Nicholas Warren wrote:
>
>  How will the customer know the ISP is blocking the traffic? Does the FCC
> > make ISPs disclose this information?
>
> If a customer is legitimately trying to reach someone in one of the
> affected IP ranges and failing, at some point, they will either a) give up
> and try later, or b) contact their provider to try to find out what's going
> on.
>
> If it's something widespread enough that the ISP's support line is blowing
> up with calls, I'd hope they would either put some sort of announcement on
> their website/support site/support line.
>
> As with anything else in the ISP world, it's about striking an appropriate
> balance.  If ISP X is getting hit with DDoS traffic hard enough to severely
> impact their business, that can warrant an emergency response, albeit
> likely a short-term/tactical response.  If not, perhaps a more limited
> response is better.  Again, each provider is free to run their network as
> they see fit.
>
> The balance point can also change if downstream ISPs are involved, since
> ISP X might be making the decision to block or not block traffic for the
> downstreams, with or without their consent.
>
> jms
I agree with you about balance.  The issue is that for many of us, UDP
floods / DDoS, is daily business.  It is not an emergency when you have a
baseline for UDP and police it.

Or, you can careen from emergency to emergency.

CB



>  On 07/22/2015 09:01 PM, Justin M. Streiner wrote:
> > > You're certainly free to block whatever traffic you wish, but your
> > > customers might not appreciate a heavy-handed approach to stopping bad
> > > traffic at the gates.