> many operators doing this have concentrated on common port-pairs observed in UDP reflection/amplification attacks.

Yes, because that's a great starting point.

> And when we're using techniques like QoSing down certain ports/protocols, we must err on the side of caution,

The Arbor report mentions that volumetric attacks using DNS and NTP form 75+% of attacks. Then QoSing certain ports and protocols is the best way to start with.

~Pratik Lotia

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Roland Dobbins
Sent: Friday, August 31, 2018 11:13 AM
To: NANOG list
Subject: Re: automatic rtbh trigger using flow data

On 31 Aug 2018, at 23:53, Lotia, Pratik M wrote:
> Instead of rtbh I would suggest blocking/rate limiting common ports used in DDoS attacks.
This isn't an 'instead of', it's an 'in addition to'. And it must be done judiciously; many operators doing this have concentrated on common port-pairs observed in UDP reflection/amplification attacks.

It's important to understand that any kind of packet of any protocol/ports (if such concepts apply on the protocol in question) can be used to launch DDoS attacks. We've many tools in the toolbox, and should use them in a situationally-appropriate manner.

And when we're using techniques like QoSing down certain ports/protocols, we must err on the side of caution, lest we cause larger problems than the attacks themselves.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>

E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.
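An added example, not code from this thread, from Arbor or from NANOG: a Python triage pass over flow records that applies the port-pair idea discussed above (victim address plus reflector source port) and the "err on the side of caution" rule before any automatic policer or RTBH trigger fires. The flow records, the list of reflection ports, the rate thresholds and the minimum-reflector rule are all assumptions of this example; a policer decision here is meant to be scoped to the victim /32 and that one source port, never to port 53 or 123 network-wide.

```python
"""Added example (not code from the NANOG thread): triage flow records for
UDP reflection/amplification before anything automatic acts on them.

Assumptions (not from the thread): flow records are one-minute NetFlow-style
tuples constructed inline below; the thresholds and the port list are
illustrative values chosen for this example."""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports commonly abused for reflection/amplification (illustrative list).
REFLECTION_SRC_PORTS = {
    19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP",
    1900: "SSDP", 11211: "memcached",
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int      # 17 = UDP, 6 = TCP
    src_port: int
    dst_port: int
    packets: int
    octets: int


def aggregate_port_pairs(flows):
    """Sum traffic per (victim, reflection source port): the 'port-pair' view.

    Only UDP flows whose *source* port is a known reflector service count;
    everything else (TCP on port 53, ordinary client traffic) is ignored.
    """
    agg = defaultdict(lambda: {"octets": 0, "packets": 0, "sources": set()})
    for f in flows:
        if f.proto != 17 or f.src_port not in REFLECTION_SRC_PORTS:
            continue
        key = (f.dst_ip, f.src_port)
        agg[key]["octets"] += f.octets
        agg[key]["packets"] += f.packets
        agg[key]["sources"].add(f.src_ip)
    return agg


def plan_actions(flows, window_s=60, police_mbps=50.0, rtbh_mbps=500.0,
                 min_sources=10):
    """Decide, per (victim, src_port), between no action, a scoped policer,
    RTBH of the victim, or manual review.

    Caution rules (assumptions of this example, in the spirit of the thread):
    * a policer applies only to the victim /32 and that source port, never
      network-wide to port 53 or 123;
    * RTBH is reserved for rates the upstream cannot absorb, because it
      finishes the job for the attacker on that /32;
    * a high rate from fewer than min_sources reflectors is not actioned
      automatically; a single busy resolver or NTP peer looks like that,
      so it is handed to a human instead.
    """
    decisions = {}
    for (dst_ip, sport), m in aggregate_port_pairs(flows).items():
        mbps = m["octets"] * 8 / window_s / 1_000_000
        n_src = len(m["sources"])
        if mbps < police_mbps:
            action = "none"
        elif n_src < min_sources:
            action = "manual-review"
        elif mbps >= rtbh_mbps:
            action = "rtbh"
        else:
            action = "police"
        decisions[(dst_ip, sport)] = {
            "service": REFLECTION_SRC_PORTS[sport],
            "mbps": mbps,
            "sources": n_src,
            "action": action,
        }
    return decisions


def sample_flows():
    """Constructed one-minute flow set (not real data)."""
    flows = []
    # 40 NTP reflectors hitting 198.51.100.10: ~125 Mb/s -> scoped policer.
    for i in range(1, 41):
        flows.append(Flow(f"203.0.113.{i}", "198.51.100.10", 17, 123, 80,
                          packets=50_000, octets=50_000 * 468))
    # 200 open resolvers hitting 198.51.100.11 with large answers: ~533 Mb/s -> RTBH.
    for i in range(200):
        flows.append(Flow(f"198.18.{i // 256}.{i % 256}", "198.51.100.11", 17, 53,
                          443, packets=5_000, octets=5_000 * 4_000))
    # One busy resolver answering 198.51.100.20: normal, below the policer floor.
    flows.append(Flow("192.0.2.53", "198.51.100.20", 17, 53, 33000,
                      packets=100_000, octets=20_000_000))
    # One source at a high rate from port 53: too few sources to act on automatically.
    flows.append(Flow("192.0.2.99", "198.51.100.21", 17, 53, 33001,
                      packets=1_000_000, octets=1_000_000_000))
    # TCP from port 53 (TCP DNS / zone transfer) must not be counted at all.
    flows.append(Flow("192.0.2.53", "198.51.100.20", 6, 53, 40000,
                      packets=10_000, octets=10_000_000))
    return flows


if __name__ == "__main__":
    for (dst, sport), d in sorted(plan_actions(sample_flows()).items()):
        print(f"{dst:15} {d['service']:9} {d['mbps']:8.1f} Mb/s "
              f"{d['sources']:4} sources -> {d['action']}")
```

The point of the `min_sources` gate is the caution the thread asks for: a legitimate recursive resolver or a single NTP server can push a lot of bytes from port 53 or 123 to one host, and a trigger keyed on port pair and rate alone would police or blackhole it. Real deployments would replace the inline thresholds with per-customer baselines and feed the "police" decisions into whatever scoped rate-limit mechanism the platform offers.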