Re: UDP port 80 DDoS attack

2012-02-10 Thread John Kristoff
On Sun, 5 Feb 2012 18:36:13 -0500 Ray Gasnick III wrote: > Only solution thus far was to dump the victim IP address in our block > into the BGP Black hole community with one of our 2 providers and > completely stop advertising to the other. Drew mentioned udp.pl and I also it could have been thi

Re: UDP port 80 DDoS attack

2012-02-09 Thread Keegan Holley
2012/2/8 Steve Bertrand > On 2012.02.08 14:23, Drew Weaver wrote: > >> Stop paying transit providers for delivering spoofed packets to the edge >> of your network and they will very quickly develop methods of proving that >> the traffic isn't spoofed, or block it altogether. =) >> > > I firmly be

Re: UDP port 80 DDoS attack

2012-02-09 Thread Steve Bertrand
On 2012.02.08 14:23, Drew Weaver wrote: Stop paying transit providers for delivering spoofed packets to the edge of your network and they will very quickly develop methods of proving that the traffic isn't spoofed, or block it altogether. =) I firmly believe in this recourse, amongst others..

RE: UDP port 80 DDoS attack

2012-02-09 Thread Sven Olaf Kamphuis
heir facilities :P (yes leaseweb, that means you ;) -Original Message- From: George Bonser [mailto:gbon...@seven.com] Sent: Wednesday, February 08, 2012 1:27 PM To: bas; nanog Subject: RE: UDP port 80 DDoS attack 77% of all networks seem to think so. http://spoofer.csail.mit.edu/su

Re: UDP port 80 DDoS attack

2012-02-08 Thread Mark Andrews
In message <596b74b410ee6b4ca8a30c3af1a155ea09cbe...@rwc-mbx1.corp.seven.com>, George Bonser writes: > > > > -Original Message- > > From: christopher.morrow > > > > to be fair: "Some Providers do not check registries for 'right to use' > > information about prefixes their customers w

RE: UDP port 80 DDoS attack

2012-02-08 Thread George Bonser
> -Original Message- > From: christopher.morrow > > to be fair: "Some Providers do not check registries for 'right to use' > information about prefixes their customers wish to announce to them > over BGP." Maybe not but I would think that in practice it would be something like: 1. Prov

RE: UDP port 80 DDoS attack

2012-02-08 Thread Drew Weaver
t: Sunday, February 05, 2012 6:47 PM To: nanog@nanog.org Subject: Re: UDP port 80 DDoS attack Hi. We had a customer that was attacked by the same "game server feature". We received approx. 10 Gbit of traffic against the customer. The attacker sends spoofed packets to the game ser

RE: UDP port 80 DDoS attack

2012-02-08 Thread Drew Weaver
Sent: Wednesday, February 08, 2012 1:27 PM To: bas; nanog Subject: RE: UDP port 80 DDoS attack > 77% of all networks seem to think so. > http://spoofer.csail.mit.edu/summary.php And it would be the remaining 23% that really need to understand how difficult they are making life for the rest of t

Re: UDP port 80 DDoS attack

2012-02-08 Thread Keegan Holley
2012/2/8 George Bonser > > 77% of all networks seem to think so. > > http://spoofer.csail.mit.edu/summary.php > > And it would be the remaining 23% that really need to understand how > difficult they are making life for the rest of the Internet. > 23% of 4.29 billion addresses is still more than

RE: UDP port 80 DDoS attack

2012-02-08 Thread George Bonser
> 77% of all networks seem to think so. > http://spoofer.csail.mit.edu/summary.php And it would be the remaining 23% that really need to understand how difficult they are making life for the rest of the Internet. > However the remaining networks allow spoofed traffic to egress their > networks.

Re: UDP port 80 DDoS attack

2012-02-08 Thread Keegan Holley
2012/2/8 Dobbins, Roland > On Feb 8, 2012, at 8:07 PM, bas wrote: > > > As far as I see it S/RTBH is in no way a solution against smart > attackers, of course it does help against all the kiddie attacks out > > there. > > Once again, I've used S/RTBH myself and helped others use it many, many > t

Re: UDP port 80 DDoS attack

2012-02-08 Thread Christopher Morrow
On Wed, Feb 8, 2012 at 10:12 AM, Keegan Holley wrote: > Providers don't even check the registries for bgp advertisements. See the > thread on hijacked routes for proof.   Not to mention how do you handle a > small transit AS?  Do you trust that they to be fair: "Some Providers do not check regi

Re: UDP port 80 DDoS attack

2012-02-08 Thread Keegan Holley
On Feb 8, 2012, at 4:51 AM, George Bonser wrote: > > >> From: Keegan Holley >> Subject: Re: UDP port 80 DDoS attack > >> It works in theory, but to get every ISP and hosting provider to ACL their >> edges and maintain those ACL's for every customer

Re: UDP port 80 DDoS attack

2012-02-08 Thread Keegan Holley
Providers don't even check the registries for bgp advertisements. See the thread on hijacked routes for proof. Not to mention how do you handle a small transit AS? Do you trust that they have the correct filters as well? Do you start reading their AS paths and try to filter based on the regi

Re: UDP port 80 DDoS attack

2012-02-08 Thread Dobbins, Roland
On Feb 8, 2012, at 8:07 PM, bas wrote: > As far as I see it S/RTBH is in no way a solution against smart attackers, of > course it does help against all the kiddie attacks out > there. Once again, I've used S/RTBH myself and helped others use it many, many times, including to defend against att

Re: UDP port 80 DDoS attack

2012-02-08 Thread bas
On Wed, Feb 8, 2012 at 9:29 AM, Dobbins, Roland wrote: > > On Feb 8, 2012, at 2:56 PM, bas wrote: > >> The big drawback with S/RTBH is that it is a DoS method in itself. > > I'm not an advocate of *automated* S/RTBH, and I am an advocate of > whitelisting various well-known 'golden networks/IPs'

Re: UDP port 80 DDoS attack

2012-02-08 Thread bas
On Wed, Feb 8, 2012 at 10:56 AM, George Bonser wrote: > I'll put it another way. Any provider that does not police their customer > traffic has no business whining about DoS problems. Most of us prevent their customers from sending out spoofed traffic. 77% of all networks seem to think so. http

RE: UDP port 80 DDoS attack

2012-02-08 Thread George Bonser
> No, we have registries to act as registries, the ISPs should be > checking them, and double checking. It isn't something that is going > to change every day or every week. Once you get it set up, it is going > to be stable for a while. Sure, it means a little more work in setting > up a custome

RE: UDP port 80 DDoS attack

2012-02-08 Thread George Bonser
> From: Keegan Holley > Subject: Re: UDP port 80 DDoS attack > It works in theory, but to get every ISP and hosting provider to ACL their > edges and maintain those ACL's for every customer no matter how large might > be a bit difficult.  You don't have to ACL in

Re: UDP port 80 DDoS attack

2012-02-08 Thread Keegan Holley
It works in theory, but to get every ISP and hosting provider to ACL their edges and maintain those ACL's for every customer no matter how large might be a bit difficult. Also, what about non-BGP customers or customers that just accept a default route? Or even customers that just want return traff

RE: UDP port 80 DDoS attack

2012-02-08 Thread George Bonser
> From: Keegan Holley > How do you stop it?  A provider knows what destination IP traffic they route TO a customer, don't they? That should be the only source IPs they accept FROM a customer. If you don't route it TO the customer, you shouldn't accept it FROM the customer unless you have m

Re: UDP port 80 DDoS attack

2012-02-08 Thread Keegan Holley
2012/2/8 George Bonser > > > > -Original Message- > > From: bas > > Sent: Tuesday, February 07, 2012 11:56 PM > > To: Dobbins, Roland; nanog > > Subject: Re: UDP port 80 DDoS attack > > > > Say eyeball provider X has implemented automa

Re: UDP port 80 DDoS attack

2012-02-08 Thread Dobbins, Roland
On Feb 8, 2012, at 2:56 PM, bas wrote: > The big drawback with S/RTBH is that it is a DoS method in itself. I'm not an advocate of *automated* S/RTBH, and I am an advocate of whitelisting various well-known 'golden networks/IPs' via prefix-lists in order to avoid this issue in part; also, note

RE: UDP port 80 DDoS attack

2012-02-08 Thread George Bonser
> -Original Message- > From: bas > Sent: Tuesday, February 07, 2012 11:56 PM > To: Dobbins, Roland; nanog > Subject: Re: UDP port 80 DDoS attack > > Say eyeball provider X has implemented automated S/RTBH, and I have a > grudge against them. > I would

Re: UDP port 80 DDoS attack

2012-02-07 Thread bas
Roland, On Mon, Feb 6, 2012 at 2:43 AM, Dobbins, Roland wrote: > > S/RTBH can be rapidly shifted in order to deal with changing purported source > IPs, and it isn't limited to /32s. The big drawback with S/RTBH is that it is a DoS method in itself. Say eyeball provider X has implemented automat

RE: UDP port 80 DDoS attack

2012-02-07 Thread George Bonser
> Of course it's not possible ... if you use a crummy design. It's > trivial to come up with non-completely-crummy designs. For example, > adding a front-end where you take a hash of source-ip/dest-ip and run > it through a smallish hash table, you can use that as a filter to > eliminate a lot of

Re: UDP port 80 DDoS attack

2012-02-07 Thread Joe Greco
> Since when are policers implemented in ram? You're talking FPGA if you > want to be able to make forwarding/filtering decisions assuming it's > possible which it isn't you're 1 million dollar boxes suddenly become > hundred million dollar boxes. Then there's v6 info.. Of course it's not possib

Re: UDP port 80 DDoS attack

2012-02-06 Thread Keegan Holley
2012/2/6 Jeff Wheeler > On Mon, Feb 6, 2012 at 8:43 PM, Sven Olaf Kamphuis > wrote: > > there is a fix for it, it's called "putting a fuckton of ram in -most- > > routers on the internet" and keeping statistics for each destination > > ip:destination port:outgoing interface so that none of them

Re: UDP port 80 DDoS attack

2012-02-06 Thread Jeff Wheeler
On Mon, Feb 6, 2012 at 8:43 PM, Sven Olaf Kamphuis wrote: > there is a fix for it, it's called "putting a fuckton of ram in -most- > routers on the internet" and keeping statistics for each destination > ip:destination port:outgoing interface so that none of them individually can > (entirely/proce

Re: UDP port 80 DDoS attack

2012-02-06 Thread Sven Olaf Kamphuis
It also isn't as widely supported as it should be. I never said DDOS was hopeless, there just aren't a wealth of defenses against it. there is a fix for it, it's called "putting a fuckton of ram in -most- routers on the internet" and keeping statistics for each destination ip:destination port:

Re: UDP port 80 DDoS attack

2012-02-06 Thread dennis
and Arbor. -- From: "Keegan Holley" Sent: Sunday, February 05, 2012 8:37 PM To: "Dobbins, Roland" Cc: "NANOG Group" Subject: Re: UDP port 80 DDoS attack 2012/2/5 Dobbins, Roland On Feb 6, 2012, at 8:10 AM, Keegan Holley wrote: > An entire power poin

Re: UDP port 80 DDoS attack

2012-02-05 Thread Jeff Wheeler
On Sun, Feb 5, 2012 at 10:08 PM, Steve Bertrand wrote: > This is so very easily automated. Even if you don't actually want to trigger > the routes automatically, finding the sources you want to blackhole is as What transit providers are doing flow-spec, or otherwise, to allow their downstreams to

Re: UDP port 80 DDoS attack

2012-02-05 Thread Steve Bertrand
On 2012.02.05 22:30, Keegan Holley wrote: > 2012/2/5 Steve Bertrand On 2012.02.05 20:37, Keegan Holley wrote: Source RTBH often falls victim to rapidly changing or spoofed source IPs. It also isn't as widely supported as it should be. I never said DDOS was

Re: UDP port 80 DDoS attack

2012-02-05 Thread Keegan Holley
2012/2/5 Steve Bertrand > On 2012.02.05 20:37, Keegan Holley wrote: > >> 2012/2/5 Dobbins, Roland >> > > S/RTBH - as opposed to D/RTBH - doesn't kill the patient. Again, suggest >>> you read the preso. >>> >>> >> Source RTBH often falls victim to rapidly changing or spoofed source IPs. >> It a

Re: UDP port 80 DDoS attack

2012-02-05 Thread Steve Bertrand
On 2012.02.05 20:37, Keegan Holley wrote: 2012/2/5 Dobbins, Roland S/RTBH - as opposed to D/RTBH - doesn't kill the patient. Again, suggest you read the preso. Source RTBH often falls victim to rapidly changing or spoofed source IPs. It also isn't as widely supported as it should be. I ne

Re: UDP port 80 DDoS attack

2012-02-05 Thread Dobbins, Roland
On Feb 6, 2012, at 8:50 AM, Keegan Holley wrote: > Yes but assuming everything discussed at a conference is instantly adopted by > the entire industry gives one false hope no? I'm certainly not making that assumption - hence the presos. ;> -

Re: UDP port 80 DDoS attack

2012-02-05 Thread Keegan Holley
2012/2/5 Dobbins, Roland > > On Feb 6, 2012, at 8:37 AM, Keegan Holley wrote: > > > Source RTBH often falls victim to rapidly changing or spoofed source > IPs. > > S/RTBH can be rapidly shifted in order to deal with changing purported > source IPs, and it isn't limited to /32s. It's widely supp

Re: UDP port 80 DDoS attack

2012-02-05 Thread Dobbins, Roland
On Feb 6, 2012, at 8:37 AM, Keegan Holley wrote: > Source RTBH often falls victim to rapidly changing or spoofed source IPs. S/RTBH can be rapidly shifted in order to deal with changing purported source IPs, and it isn't limited to /32s. It's widely supported on Cisco and Juniper gear (flow

Re: UDP port 80 DDoS attack

2012-02-05 Thread Keegan Holley
2012/2/5 Dobbins, Roland > > On Feb 6, 2012, at 8:10 AM, Keegan Holley wrote: > > > An entire power point just to recommend ACL's, uRPF, CPP, DHCP snooping, > and RTBH? > > Actually, no, that isn't the focus of the preso. > > > The first four will not work against a DDOS attack > > This is incorr

Re: UDP port 80 DDoS attack

2012-02-05 Thread Dobbins, Roland
On Feb 6, 2012, at 8:20 AM, Dobbins, Roland wrote: > Actually, no, that isn't the focus of the preso. More info here: --- Roland Dobbins //

Re: UDP port 80 DDoS attack

2012-02-05 Thread Dobbins, Roland
On Feb 6, 2012, at 8:10 AM, Keegan Holley wrote: > An entire power point just to recommend ACL's, uRPF, CPP, DHCP snooping, and > RTBH? Actually, no, that isn't the focus of the preso. > The first four will not work against a DDOS attack This is incorrect - suggest you read the preso. > and

Re: UDP port 80 DDoS attack

2012-02-05 Thread Keegan Holley
An entire power point just to recommend ACL's, uRPF, CPP, DHCP snooping, and RTBH? The first four will not work against a DDOS attack and the last one just kills the patient so he does not infect other patients. As I said earlier beyond traffic scrubbing offsite there isn't much defense against D

Re: UDP port 80 DDoS attack

2012-02-05 Thread Dobbins, Roland
On Feb 6, 2012, at 7:21 AM, Keegan Holley wrote: > There aren't very many ways to combat DDOS. Start with the various infrastructure/host/service BCPs, and S/RTBH, as outlined in this preso:

Re: UDP port 80 DDoS attack

2012-02-05 Thread Matthew Palmer
On Sun, Feb 05, 2012 at 06:36:13PM -0500, Ray Gasnick III wrote: > We just saw a huge flux of traffic occur this morning that spiked one of > our upstream ISPs gear and killed the layer 2 link on another because of a > DDoS attack on UDP port 80. Yep, we've got a customer who's been hit with it a

Re: UDP port 80 DDoS attack

2012-02-05 Thread Keegan Holley
There aren't very many ways to combat DDOS. That's why it's so popular. Some ISP's partner with a company that offers a tunnel based scrubbing service where they DPI all your traffic before they send it to you. If you only have a few upstreams it may be helpful to you. I spoke to them last year

Re: UDP port 80 DDoS attack

2012-02-05 Thread Fredrik Holmqvist / I2B
Hi. We had a customer that was attacked by the same "game server feature". We received approx. 10 Gbit of traffic against the customer. The attacker sends spoofed packets to the game server with the target IP as "source", the gameserver sends replies back via UDP to the target host. The attacker se

UDP port 80 DDoS attack

2012-02-05 Thread Ray Gasnick III
We just saw a huge flux of traffic occur this morning that spiked one of our upstream ISPs gear and killed the layer 2 link on another because of a DDoS attack on UDP port 80. Wireshark shows this appears to be from a compromised game server (call of duty) with source IPs in a variety of diff