On Aug 2, 2013 10:31 AM, <sgraun@airstreamcomm.net> wrote:
I'm curious to know what other service providers are doing to
alleviate/prevent DDoS attacks from happening in your network. Are you completely reactive and block as many addresses as possible, or null0 traffic to the affected host until it stops, or do you block certain ports to prevent them? What's the best way people are dealing with them?
Scott
I am strongly considering having my upstreams simply rate limit IPv4 UDP. It is the simplest solution that is proactive. The facts are that during steady state less than 5% of my aggregate traffic is IPv4 UDP. During an attack, 100% of the attack traffic is IPv4 UDP (DNS, chargen, whatever). The attacks last for about 10 minutes, so manual intervention is not possible. Automated intervention has its own warts. Conclusion: IPv4 UDP is a toxic dump. It is a shame that DNS (can be TCP), WebRTC (should be SCTP), and Google's QUIC are going to suffer the rate limited fate. My advice to them is to get away from IPv4 UDP; the problem is getting worse, not better.
CB
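The observation in the reply above (UDP is a small, stable fraction of traffic in steady state and essentially all of the traffic during an attack) can be turned into a simple check over flow records plus a sizing rule for the upstream UDP policer. The following is an added example, not code from this thread or from anyone posting in it; the NetFlow-style records are constructed, the 5% steady-state share comes from the post, and the 4x alert factor and 3x policer headroom are assumptions chosen for illustration.

```python
"""Flag windows where UDP share jumps far above its steady-state level and
size a UDP rate limit from the non-attack windows.

Added example for this thread (not the poster's code). Flow records below are
constructed; the 5% baseline is taken from the post; the alert factor (4x)
and policer headroom (3x) are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

TCP = 6   # IP protocol numbers
UDP = 17


@dataclass(frozen=True)
class Flow:
    ts: int      # export time, epoch seconds
    proto: int   # IP protocol number
    nbytes: int  # bytes carried by the flow


def udp_share_by_window(flows, window_s=60):
    """Return {window_start: udp_bytes / total_bytes} for each time window."""
    totals = defaultdict(lambda: [0, 0])  # window -> [udp_bytes, all_bytes]
    for f in flows:
        w = f.ts - (f.ts % window_s)
        totals[w][1] += f.nbytes
        if f.proto == UDP:
            totals[w][0] += f.nbytes
    return {w: (u / t if t else 0.0) for w, (u, t) in sorted(totals.items())}


def flag_windows(shares, baseline=0.05, factor=4.0):
    """Windows whose UDP share exceeds factor * baseline (assumed threshold)."""
    return [w for w, s in shares.items() if s > baseline * factor]


def suggest_udp_policer_bps(flows, window_s=60, baseline=0.05, factor=4.0,
                            headroom=3.0):
    """Size a UDP rate limit as headroom * peak steady-state UDP bitrate.

    Flagged (attack) windows are excluded so the attack itself does not
    inflate the limit. Returns bits per second.
    """
    shares = udp_share_by_window(flows, window_s)
    bad = set(flag_windows(shares, baseline, factor))
    udp_bytes = defaultdict(int)
    for f in flows:
        w = f.ts - (f.ts % window_s)
        if f.proto == UDP and w not in bad:
            udp_bytes[w] += f.nbytes
    if not udp_bytes:
        return 0.0
    peak = max(udp_bytes.values())
    return peak * 8 * headroom / window_s


# Constructed sample: three quiet minutes at 5% UDP, then one minute where a
# UDP flood dwarfs the normal traffic (values are illustrative only).
SAMPLE_FLOWS = [
    Flow(0, TCP, 95_000), Flow(10, UDP, 5_000),
    Flow(60, TCP, 95_000), Flow(70, UDP, 5_000),
    Flow(120, TCP, 95_000), Flow(130, UDP, 5_000),
    Flow(180, TCP, 95_000), Flow(185, UDP, 2_000_000),
]

if __name__ == "__main__":
    shares = udp_share_by_window(SAMPLE_FLOWS)
    for w, s in shares.items():
        print(f"t={w:>4}s  udp_share={s:.3f}")
    print("flagged windows:", flag_windows(shares))
    print("suggested UDP policer:", suggest_udp_policer_bps(SAMPLE_FLOWS), "bps")
```

The share check is what an operator would run against exported flows to confirm the "steady state is a few percent, attack is all UDP" pattern on their own network before asking an upstream for a blanket limit; the policer figure is the number to hand the upstream, and the headroom factor is where the trade-off the reply mentions (legitimate DNS, WebRTC and QUIC sharing the limited budget) gets decided.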