I have seen many UDP/80 floods as well... pretty common.

John van Oppen
Spectrum Networks / AS11404

________________________________________
From: Dobbins, Roland [rdobb...@arbor.net]
Sent: Tuesday, September 06, 2011 1:00 AM
To: North American Network Operators' Group
Subject: Re: DDoS - CoD?

On Sep 6, 2011, at 2:53 PM, BH wrote:

> Has anyone seen similar traffic before? I

I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often 
don't know a lot about TCP/IP, and if something happens to work once, they 
incorporate it into their attack tool defaults and keep using it over and over.

In several recent high-profile DDoS attacks, UDP/80 traffic ended up causing 
state exhaustion on load-balancers, as the victim sites weren't following the 
BCP of enforcing network access policies via stateless ACLs in hardware-based 
routers/layer-3 switches, and the load-balancers kept trying to load-balance 
this traffic from multiple purported source IPs/source ports.

-----------------------------------------------------------------------
Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde
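
Added example, not part of either message above and not any vendor's code: a small Python model of the failure mode described in the thread, where UDP/80 packets from many purported sources fill a stateful device's flow table unless a stateless ACL drops them first. The VIP address, permit policy, table capacity and traffic mix are all constructed assumptions.

```python
import random
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

VIP = "192.0.2.10"                      # constructed documentation address
PERMIT = {("tcp", 80), ("tcp", 443)}    # assumed service policy for the VIP

def stateless_acl(pkt):
    """Per-packet decision on header fields only; keeps no memory between packets."""
    return pkt.dst == VIP and (pkt.proto, pkt.dport) in PERMIT

class FlowTable:
    """Stateful device model: one entry per new 5-tuple, fixed capacity."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.flows = set()
        self.refused = 0                  # new flows rejected because the table is full

    def admit(self, pkt):
        if pkt in self.flows:
            return True
        if len(self.flows) >= self.capacity:
            self.refused += 1
            return False
        self.flows.add(pkt)
        return True

def run(packets, capacity, acl_first):
    """Return (legitimate TCP packets served, table entries used, flows refused)."""
    table = FlowTable(capacity)
    served = 0
    for pkt in packets:
        if acl_first and not stateless_acl(pkt):
            continue                      # dropped upstream, never reaches the table
        if table.admit(pkt) and pkt.proto == "tcp":
            served += 1
    return served, len(table.flows), table.refused

def sample_traffic(seed=1):
    """Constructed mix: 5000 UDP/80 packets with varying sources, 200 TCP/80 clients."""
    rng = random.Random(seed)
    flood = [Packet("udp", f"198.51.100.{rng.randrange(256)}",
                    rng.randrange(1024, 65536), VIP, 80) for _ in range(5000)]
    legit = [Packet("tcp", f"203.0.113.{i % 250 + 1}", 40000 + i, VIP, 80)
             for i in range(200)]
    mixed = flood + legit
    rng.shuffle(mixed)
    return mixed
```

Calling `run(sample_traffic(), 1000, acl_first=False)` and then with `acl_first=True` shows the table saturating in the first case and holding only the 200 legitimate flows in the second.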


