On 10 December 2015 at 01:48, alvin nanog <nanogml@mail.ddos-mitigator.net> wrote:
> what app do you have that talks to port 1900?
UDP 1900 is a "Chargen" UDP reflection attack. The DNS and NTP packets are also from a reflection attack.

We filter UDP 1900 at our border. Not to protect our network from attack, although it still helps. The packets might have come down our IP transit pipes, which are high capacity, but we can still stop it from doing further damage at the smaller pipes in our access network. We filter UDP 1900 because too many of our customers run vulnerable CPE devices that can be abused as a Chargen reflector. We stop that hard by dropping UDP 1900 both ingress and egress.

He is being hit with a volume-based UDP reflection attack. The IP addresses are not faked. They all lead back to people that run vulnerable CPE devices, NTP servers or open DNS resolvers.

Reflection attacks require that you have the ability to send out faked IP addresses. Botnets are generally unable to do that. Their max attack size is limited by the bandwidth at the server, where they have the ability to send out faked UDP packets.

To keep attacking you if you do not pay is bad business. They could be attacking someone who will pay instead. No one has infinite attack bandwidth available.

Regards,

Baldur
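
An added illustration, not part of the original message and not the author's tooling, of the two points made in the reply above: reflected traffic arrives from real (unspoofed) hosts with the reflector service's port as its UDP source port, and a border filter on UDP 1900 removes that part of it. The flow record fields, the `min_reflectors` threshold, and matching the filter on either source or destination port are assumptions of this sketch; the sample flows are constructed.

```python
from collections import defaultdict

# Ports named in the message; reflected replies arrive *from* these source ports.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "UDP 1900"}
FILTERED_PORT = 1900  # the port the message says is dropped at the border


def border_drops(flow):
    """Drop UDP 1900 in both directions (assumption: match on either port)."""
    return flow["proto"] == "udp" and FILTERED_PORT in (flow["sport"], flow["dport"])


def reflection_summary(flows, min_reflectors=3):
    """Group UDP flows by (destination, reflector source port) and report groups
    fed by many distinct sources, the pattern of a reflection flood."""
    groups = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] in REFLECTOR_PORTS:
            g = groups[(f["dst"], f["sport"])]
            g["sources"].add(f["src"])
            g["bytes"] += f["bytes"]
    return {
        key: {"service": REFLECTOR_PORTS[key[1]],
              "reflectors": len(g["sources"]), "bytes": g["bytes"]}
        for key, g in groups.items()
        if len(g["sources"]) >= min_reflectors
    }


def flow(src, sport, dst, dport, nbytes, proto="udp"):
    """Build one flow record (hypothetical schema for this example)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "bytes": nbytes, "proto": proto}


# Constructed sample flows using documentation address ranges, not real traffic.
VICTIM = "192.0.2.10"
SAMPLE = (
    [flow(f"198.51.100.{i}", 1900, VICTIM, 40000 + i, 3000) for i in range(1, 6)]
    + [flow(f"203.0.113.{i}", 123, VICTIM, 50000 + i, 4680) for i in range(1, 5)]
    + [flow("203.0.113.53", 53, VICTIM, 33333, 120)]  # a single ordinary DNS reply
    + [flow("192.0.2.77", 51000, "198.51.100.9", 443, 900, "tcp")]
)

if __name__ == "__main__":
    for (victim, port), info in sorted(reflection_summary(SAMPLE).items()):
        print(victim, port, info)
    kept = [f for f in SAMPLE if not border_drops(f)]
    print("flows left after UDP 1900 filter:", len(kept))
```

The lone DNS reply stays below the threshold and is not reported, while the NTP group is reported but passes the UDP 1900 filter untouched.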