nanog mailing list archives

RE: automatic rtbh trigger using flow data


From: "Lotia, Pratik M" <Pratik.Lotia () charter com>
Date: Fri, 31 Aug 2018 18:20:05 +0000

> many operators doing this have concentrated on common
> port-pairs observed in UDP reflection/amplification attacks.

Yes, because that's a great starting point.

> And when we're using techniques like
> QoSing down certain ports/protocols, we must err on the side of caution,

The Arbor report mentions that volumetric attacks using DNS, NTP form 75+% of the attacks. Then QoSing certain ports and protocols is the best way to start.

~Pratik Lotia  



-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Roland Dobbins
Sent: Friday, August 31, 2018 11:13 AM
To: NANOG list
Subject: Re: automatic rtbh trigger using flow data


On 31 Aug 2018, at 23:53, Lotia, Pratik M wrote:

> Instead of rtbh I would suggest blocking/rate limiting common ports
> used in DDoS attacks.

This isn't an 'instead of', it's an 'in addition to'.  And it must be 
done judiciously; many operators doing this have concentrated on common 
port-pairs observed in UDP reflection/amplification attacks.

It's important to understand that any kind of packet of any 
protocol/ports (if such concepts apply on the protocol in question) can 
be used to launch DDoS attacks.

We've many tools in the toolbox, and should use them in a 
situationally-appropriate manner.  And when we're using techniques like 
QoSing down certain ports/protocols, we must err on the side of caution, 
lest we cause larger problems than the attacks themselves.

-----------------------------------
Roland Dobbins <rdobbins () arbor net>