> On Jun 4, 2015, at 1:28 PM, Damian Menscher <[email protected]> wrote:
>
> You don't need to block all UDP to filter DDoS traffic. Rate-limiting
> traffic from the specific ports you mentioned (123, 53, 1900, 19, 161) is
> sufficient. Given QUIC traffic always uses a high-numbered ephemeral port,
> there's little risk of impact to it if you rate-limit only those ports
> commonly used for amplification.
Not really, since ~46% of DNS amplifiers respond from a non-udp-53 port.

http://openresolverproject.org/breakdown.cgi

Last week it was 9.7m hosts.

- Jared
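The two messages above disagree about whether a source-port rate-limit is enough. The script below is an added illustration of that gap and is not code from either poster or from the Open Resolver Project: it builds a handful of constructed UDP datagrams (some amplified DNS replies from udp/53, some from other source ports, one small legitimate reply, one non-DNS high-port datagram), then compares a port-based rule against one that parses the DNS header and flags large responses regardless of port. The 512-byte threshold, the port list, and the mix of sample packets are assumptions for the example, not measurements; the 46% figure in the thread is not reproduced here.

```python
import struct

# UDP source ports the quoted message proposes to rate-limit
# (NTP, DNS, SSDP, chargen, SNMP).
AMP_PORTS = {123, 53, 1900, 19, 161}

# Assumed threshold for an "amplified" DNS reply. A plain A/TXT answer is far
# below this; ANY/DNSKEY-style replies used in reflection are far above it.
LARGE_REPLY_BYTES = 512


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels + 0x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_reply(txid, qname, rdata_list):
    """Build a minimal DNS response: QR=1, RD+RA, one TXT question, N TXT answers.
    Constructed for this example; not captured traffic."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdata_list), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 16, 1)  # TXT, IN
    answers = b""
    for rdata in rdata_list:
        txt = bytes([len(rdata)]) + rdata          # one <character-string>
        # 0xC00C = compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(txt)) + txt
    return header + question + answers


def parse_dns_header(payload):
    """Return (txid, flags, qdcount, ancount, nscount, arcount), or None if too short."""
    if len(payload) < 12:
        return None
    return struct.unpack("!HHHHHH", payload[:12])


def looks_like_amplified_dns(payload):
    """Content rule: a large DNS *response* (QR=1, QUERY opcode, one question,
    at least one RR), decided from the payload alone, never from the port."""
    hdr = parse_dns_header(payload)
    if hdr is None:
        return False
    _, flags, qdcount, ancount, nscount, arcount = hdr
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0xF
    return (is_response and opcode == 0 and qdcount == 1
            and (ancount + nscount + arcount) > 0
            and len(payload) >= LARGE_REPLY_BYTES)


def port_rule_matches(src_port):
    """Port rule from the quoted message: rate-limit by UDP source port only."""
    return src_port in AMP_PORTS


def sample_traffic():
    """Constructed datagrams toward a victim: (src_port, payload, is_attack)."""
    big = [b"A" * 200] * 4  # four 200-byte TXT strings -> ~880-byte reply
    pkts = []
    # six amplified replies from open resolvers that answer from udp/53
    for i in range(6):
        pkts.append((53, build_dns_reply(0x1000 + i, "example.com", big), True))
    # five amplified replies from resolvers answering from a non-53 source port
    # (stand-ins for the non-udp-53 responders the thread refers to)
    for i, sp in enumerate([8053, 40123, 61000, 1025, 2053]):
        pkts.append((sp, build_dns_reply(0x2000 + i, "example.com", big), True))
    # one small, legitimate DNS reply from udp/53 (single short TXT answer)
    pkts.append((53, build_dns_reply(0x3000, "example.com", [b"v=spf1 -all"]), False))
    # one non-DNS datagram from a non-amplifier port (QUIC-like stand-in)
    pkts.append((443, b"\xc3" + bytes(range(60)), False))
    return pkts


def evaluate(pkts):
    """Count attack datagrams each rule catches and legitimate ones it wrongly hits."""
    stats = {"attack": 0, "port_caught": 0, "content_caught": 0,
             "port_false_hits": 0, "content_false_hits": 0}
    for src_port, payload, is_attack in pkts:
        by_port = port_rule_matches(src_port)
        by_content = looks_like_amplified_dns(payload)
        if is_attack:
            stats["attack"] += 1
            stats["port_caught"] += int(by_port)
            stats["content_caught"] += int(by_content)
        else:
            stats["port_false_hits"] += int(by_port)
            stats["content_false_hits"] += int(by_content)
    return stats


if __name__ == "__main__":
    for key, value in evaluate(sample_traffic()).items():
        print(f"{key:20s} {value}")
```

On this constructed sample the port rule catches the six udp/53 replies, misses the five from other source ports, and also hits the small legitimate reply from udp/53, while the header-parsing rule catches all eleven amplified replies and touches neither the small reply nor the non-DNS datagram. The same header check can be expressed as a packet-size plus payload-match filter on most routers or scrubbing gear that can inspect UDP payload; a source-port ACL alone cannot see a response that a resolver sends from an unprivileged port.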
