On Wed, Aug 19, 2015 at 12:53 PM, Smith, Donald <[email protected]> wrote:

> Thanks John, and universities are their own ISP sort of so I see how you
> relate this.
>
> But I am not sure that supports their original statement about ISPs
> limiting udp.
> I have discussed this with several large ISPs. So far I haven't heard
> anyone advocating rate limiting UDP as a protocol.
> Now udp:123 udp:1900 yes, many of us are or will be rate limiting those.
>

As an edge network provider, I rely on my upstream backbone provider to stop my attachment circuit from getting saturated with UDP junk. Unfortunately, my upstream also sells a DDoS protection service and a network-based firewall service which cost north of 10x what I normally pay per meg. When I provide them with a list of ports, and then add some ports later, they refer me to said expensive products. If I give them a one-liner policer for UDP, then there is nothing much for me or them to manage. We have not discussed it in 2 years in fact.

> Things like udp:1900, a lan protocol, could in theory even be
> dropped. I know of no valid use of it over the Internet.
> RIPv1 same, it is deprecated.
>
> And Chargen, and SNMP, and ...
> However if they just said some networks may rate limit udp ... it would
> still cover the basic concept without making any false claims.
> If our enterprise started seeing a lot of udp reflective attacks I would
> recommend this approach if we could limit it to a specific set of ports.
>
> H8Hz
> [email protected]
>
>
> From: John Kristoff [[email protected]]
> Sent: Wednesday, August 19, 2015 1:38 PM
> To: Smith, Donald
> Cc: George, Wes; Ca By; [email protected]; [email protected]
> Subject: Re: [OPSEC] draft-byrne-opsec-udp-advisory
>
> Hi Don,
>
> On Wed, 19 Aug 2015 19:06:25 +0000
> "Smith, Donald" <[email protected]> wrote:
>
> > I am not aware of anyone rate-limiting UDP itself. Specific ports
> > using UDP yes but not UDP as a protocol.
>
> As a specific IP protocol, it happens and it has happened. And not
> just with UDP. If you're not on NANOG, I described what was done in
> a university environment I was at years ago:
>
> <https://mailman.nanog.org/pipermail/nanog/2015-July/078010.html>
>
> While perhaps not on transit networks, some networks have UDP dropped
> by their upstream(s) or at their own "border", primarily as a means to
> mitigate all the UDP-based amplified reflection traffic they might
> otherwise have to carry.
>
> It's not very elegant perhaps, but it does happen and seemingly the
> trade-off some find to be worth it.
>
> John
_______________________________________________
OPSEC mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsec
