Re: udp fragments, 1472 bytes payload

[Marshall Eubanks <tme () multicasttech com>]

On Aug 15, 2007, at 2:01 AM, Leigh Porter wrote:

> LOL!
>
> I guess if they are from different source addresses, varying UDP  
> ports etc and the total bandwidth in infeasible for a typical video  
> stream..

I was quite serious.

I run a video streaming site, AmericaFree.TV.
Most of our packets are 1450 bytes, because that is the limit set to  
avoid MTU issues. (We also multicast, with the same packet size, and  
tunnels can be an MTU issue.)

We from time to time get emails claiming that rogue machines here are  
conducting a DOS against some network, please stop, etc. Upon  
investigation, every one of these has been someone (or several  
someones) joining a unicast video stream and watching the 3 Stooges  
or another video program, as shown by my server logs.

But, you do raise a good point :

_Are_ these packets from different ports, different IP addresses ?
What is the total bandwidth consumed ?

Are they truly packet fragments ?

> Thankfully it sounds quite easy to build a filter for.

Just please don't filter out all video !

> --
> Leigh

Regards
Marshall

> Marshall Eubanks wrote:
> > Are you sure you don't have a customer watching streaming video ?
> >
> > Regards
> > Marshall
> >
> >
> > On Aug 14, 2007, at 7:20 PM, Miguel Mata wrote:
> >
> > > I'm being attacked with UDP fragments having a payload 1472  
> > > bytes. Seems
> > > like a DDoS that only likes to suck bandwidth.
> > >
> > > Anyone on the same coaster? drop me a line.
> > >
> > >
> > > --
> > > Miguel Mata
> > > Gerente de Operaciones
> > > Intercom El Salvador
> > > mmata () intercom com sv
> > > voz: ++(503) 2278-5068
> > > fax: ++(503) 2265-7024
> > >
> > > "Intercom, sus Telecomunicaciones en buenas manos"