On Feb 22, 2014 5:30 AM, "Damian Menscher" <damian@google.com> wrote:
On Fri, Feb 21, 2014 at 1:22 PM, Cb B <cb.list6@gmail.com> wrote:
On Thu, Feb 20, 2014 at 2:12 PM, Damian Menscher <damian@google.com>
On Thu, Feb 20, 2014 at 1:03 PM, Jared Mauch <jared@puck.nether.net> wrote: You may also want to look at filtering UDP/80 outright as well, as
wrote: that is
commonly used as an "I'm going to attack port 80" by attackers that don't quite understand the difference between UDP and TCP.
Please don't filter UDP/80. It's used by QUIC ( http://en.wikipedia.org/wiki/QUIC).
The folks at QUIC have been advised to not use UDP for a new protocol, and they would be very well advised to not use UDP:80 since that is a well known target port used in the DDoS reflection attacks.
Please suggest which protocol has less blocking on the internet today (keeping in mind the full end-to-end stack of CPE, various ISPs, country-level proxies, backbone providers, etc).
Damian
Tcp. But the actual answer is , if you want a new transport protocol, create a new transport protocol with a new protocol number. Overloading the clearly polluted UDP pool will have problems. Happy eyeballs negotiation may be required for L4. QUIC can do what it wants. Like anyone else, they pay their money and take their chances. But, the data point that UDP is polluted is clearly documented with several folks on this list suggesting tactical fixes that involve limiting UDP, especially udp:80