nanog mailing list archives

Re: UDP port 80 DDoS attack

From: John Kristoff <jtk () cymru com>
Date: Fri, 10 Feb 2012 10:53:49 -0600

On Sun, 5 Feb 2012 18:36:13 -0500
Ray Gasnick III <rgasnick () milestechnologies com> wrote:

Only solution thus far was to dump the victim IP address in our block
into the BGP Black hole community with one of our 2 providers and
completely stop advertising to the other.


Drew mentioned udp.pl and I also it could have been this script running
on some compromised Unix-based host(s) as well.  If the traffic did not
appear to be widely distributed, that is, not spoofed, then this is
even more likely.  If that was the case, filtering based on the sender
address(es) may help better mitigate the attack without taking the
target entirely offline for everyone else.

John

Current thread:

Re: UDP port 80 DDoS attack, (continued)
- - - Re: UDP port 80 DDoS attack Keegan Holley (Feb 05)
    - Re: UDP port 80 DDoS attack Steve Bertrand (Feb 05)
    - Re: UDP port 80 DDoS attack Jeff Wheeler (Feb 05)
    - Re: UDP port 80 DDoS attack dennis (Feb 06)
    - Re: UDP port 80 DDoS attack Sven Olaf Kamphuis (Feb 06)
    - Re: UDP port 80 DDoS attack Jeff Wheeler (Feb 06)
    - Re: UDP port 80 DDoS attack Keegan Holley (Feb 06)
    - Re: UDP port 80 DDoS attack Joe Greco (Feb 07)
    - RE: UDP port 80 DDoS attack George Bonser (Feb 07)
- Re: UDP port 80 DDoS attack Matthew Palmer (Feb 05)
- Re: UDP port 80 DDoS attack John Kristoff (Feb 10)