North American Network Operators Group


Re: 80/udp floods?

  • From: Deepak Jain
  • Date: Wed Feb 18 20:06:26 2004

Wayne E. Bouchard wrote:

Yes, this seems to be a common thing these days. You send udp/LARGE udp
packets and fragments to port 80 to saturate bandwidth and you combine
that with compromised hosts successively opening and closing TCP
connections to port 80 (Not a syn flood, actual connections that look
to the router in terms of packet size etc. to be legitimate.) A note
that the majority of these hosts are from LACNIC and APNIC
space. (with a smattering from RIPE) I almost never see ARIN address
space used for these compromised hosts.

Most of the attacks I've seen recently have used this setup.

Easy enough to fend off except for the TCP 80 bit. For most of these
attacks, I've taken to just filtering the entire LACNIC and APNIC
address delegations at the host level for the duration of the
incident since, in the general case, my customers (the ones that
suffer these incidents) do little if any business in that region.
We've seen >1Gb/s connection filling attacks from ARIN space, especially 24.x blocks.


Deepak Jain
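The two traffic components described in this thread (UDP and fragment volume toward port 80, plus compromised hosts churning short-lived but complete TCP connections to port 80) are both visible in flow records, and spotting them per source prefix is what lets an operator decide which address delegations are worth filtering for the duration of an incident. The script below is an added example written for this archive page, not code from the thread or from any of its participants. The flow-record fields, the thresholds, and the sample addresses (RFC 5737 documentation ranges) are all constructed assumptions; thresholds would need tuning to the link in question.

```python
"""Flag UDP/80 + fragment floods and TCP/80 open-close churn in flow records.

Added example for the NANOG "80/udp floods?" thread. All records, addresses and
thresholds below are constructed for illustration; nothing here is real data.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float            # flow start, seconds into the observation window (constructed)
    proto: str           # "udp" or "tcp" (IP protocol field is present even on fragments)
    src: str
    dst: str
    dport: int           # 0 on a non-initial fragment, which carries no L4 header
    nbytes: int
    npackets: int
    fragment: bool = False
    tcp_flags: str = ""  # cumulative flags seen on the flow, e.g. "SAF" (assumed collector format)


# Assumed thresholds: tune to the link size and the site's normal traffic mix.
UDP80_BPS_THRESHOLD = 1_000_000   # bytes/s of UDP/80 plus UDP fragments toward one target
TCP80_CONN_RATE_THRESHOLD = 5.0   # completed tiny TCP/80 connections per second from one source
TCP80_TINY_BYTES = 2_000          # a "legitimate-looking" connection that moves almost no data


def udp_flood_targets(flows, window):
    """Return {dst: bytes_per_second} for targets receiving UDP/80 or UDP fragment volume
    above UDP80_BPS_THRESHOLD over a `window`-second observation period.
    HTTP runs over TCP, so sustained UDP toward port 80 is not client traffic."""
    per_dst = defaultdict(int)
    for f in flows:
        if f.proto == "udp" and (f.dport == 80 or f.fragment):
            per_dst[f.dst] += f.nbytes
    return {dst: b / window for dst, b in per_dst.items() if b / window >= UDP80_BPS_THRESHOLD}


def tcp_churn_sources(flows, window):
    """Return {src: connections_per_second} for sources that complete (SYN plus FIN or RST)
    many tiny TCP/80 connections; these pass router-level size checks but are churn."""
    per_src = defaultdict(int)
    for f in flows:
        complete = "S" in f.tcp_flags and ("F" in f.tcp_flags or "R" in f.tcp_flags)
        if f.proto == "tcp" and f.dport == 80 and complete and f.nbytes <= TCP80_TINY_BYTES:
            per_src[f.src] += 1
    return {src: n / window for src, n in per_src.items() if n / window >= TCP80_CONN_RATE_THRESHOLD}


def churn_by_prefix(churn, plen):
    """Aggregate flagged churn sources into /plen prefixes (rates summed), which is the
    granularity at which a temporary filter is actually written."""
    per_prefix = defaultdict(float)
    for src, rate in churn.items():
        per_prefix[str(ipaddress.ip_network(f"{src}/{plen}", strict=False))] += rate
    return dict(per_prefix)


def sample_flows():
    """Constructed 10-second window of flow records (not real data)."""
    target = "203.0.113.10"
    flows = []
    for i in range(20):  # 20 UDP/80 flows of 600 kB each from distinct sources
        flows.append(Flow(float(i % 10), "udp", f"198.51.100.{i + 1}", target, 80, 600_000, 400))
    for i in range(5):   # 5 non-initial fragment records, no L4 header so dport is 0
        flows.append(Flow(float(i), "udp", f"198.51.100.{i + 1}", target, 0, 100_000, 70, True))
    for i in range(80):  # one host opening and closing 80 tiny TCP/80 connections in 10 s
        flows.append(Flow(i / 8.0, "tcp", "198.51.100.77", target, 80, 900, 8, False, "SAF"))
    for i in range(30):  # a slower churn source that stays under the threshold
        flows.append(Flow(i / 3.0, "tcp", "198.51.100.78", target, 80, 900, 8, False, "SAF"))
    for i in range(3):   # a legitimate-looking client: few connections, real payload
        flows.append(Flow(float(i * 3), "tcp", "192.0.2.5", target, 80, 45_000, 60, False, "SAPF"))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("UDP/80 + fragment targets (B/s):", udp_flood_targets(flows, 10.0))
    churn = tcp_churn_sources(flows, 10.0)
    print("TCP/80 churn sources (conn/s):", churn)
    print("Churn by /24:", churn_by_prefix(churn, 24))
```

Running it on the constructed window reports the target at 1.25 MB/s of UDP/80 and fragment volume and the single churning host at 8 connections/s, while the slower source and the real client stay below threshold. The prefix aggregation is the step that supports the thread's mitigation: once the flagged sources are summarised by prefix, the operator can see whether they cluster in address space the affected customer does no business with before filtering it for the duration of the incident.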