On Wed, Aug 19, 2015 at 12:53 PM, Smith, Donald <[email protected]> wrote:
> Thanks John, and universities are their own ISP sort of so I see how you
> relate this.
>
> But I am not sure that supports their original statement about ISPs
> limiting udp.
> I have discussed this with several large ISPs. So far I haven't heard
> anyone advocating rate limiting UDP as a protocol.
> Now udp:123 udp:1900 yes, many of us are or will be rate limiting those.
>
> Things like udp:1900, a LAN protocol, could in theory even be
> dropped. I know of no valid use of it over the Internet.
> RIPv1 same, it is deprecated.
>
> However if they just said some networks may rate limit udp ... it would
> still cover the basic concept without making any false claims.
> If our enterprise started seeing a lot of udp reflective attacks I would
> recommend this approach if we could limit it to a specific set of ports.

US CERT via a reference to Level3 has suggested that you may want to add UDP 111 to your list.

https://www.us-cert.gov/ncas/alerts/TA14-017A
http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/

The larger point being, you can have an ever growing constantly maintained list of after-the-fact ports that cause problems. Or, you can come to the conclusion that UDP is broadly abused.

From the Level3 blog: "Global portmap traffic grew by a factor of 22x when comparing the last 7 days of June with the 7 days, ending August 12. Clearly the success of using this method for attacks is growing aggressively."

This fits in-line with what the I-D says: have a baseline for UDP and enforce it (providing a healthy margin of growth, which is well below 22x.)
CB

> H8Hz
> [email protected]
>
>
> From: John Kristoff [[email protected]]
> Sent: Wednesday, August 19, 2015 1:38 PM
> To: Smith, Donald
> Cc: George, Wes; Ca By; [email protected]; [email protected]
> Subject: Re: [OPSEC] draft-byrne-opsec-udp-advisory
>
> Hi Don,
>
> On Wed, 19 Aug 2015 19:06:25 +0000
> "Smith, Donald" <[email protected]> wrote:
>
> > I am not aware of anyone rate-limiting UDP itself. Specific ports
> > using UDP yes but not UDP as a protocol.
>
> As a specific IP protocol, it happens and it has happened. And not
> just with UDP. If you're not on NANOG, I described what was done in
> a university environment I was at years ago:
>
> <https://mailman.nanog.org/pipermail/nanog/2015-July/078010.html>
>
> While perhaps not on transit networks, some networks have UDP dropped
> by their upstream(s) or at their own "border", primarily as a means to
> mitigate all the UDP-based amplified reflection traffic they might
> otherwise have to carry.
>
> It's not very elegant perhaps, but it does happen and seemingly the
> trade-off some find to be worth it.
>
> John
>
> This communication is the property of CenturyLink and may contain
> confidential or privileged information. Unauthorized use of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please immediately notify the sender
> by reply e-mail and destroy all copies of the communication and any
> attachments.
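An added example, not code from this thread or from the draft: a small Python check over constructed per-port UDP volumes that contrasts the two approaches argued above, a maintained per-port list (udp:123, udp:1900, udp:111) versus a protocol-wide UDP baseline with a margin of growth. The flow records and GROWTH_LIMIT are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (window, udp_dst_port, bytes) summed over two 7-day
# windows, mirroring the Level3 comparison quoted above. Values are invented.
FLOWS = [
    ("baseline", 123, 4_000), ("baseline", 1900, 1_000),
    ("baseline", 111, 500), ("baseline", 53, 20_000),
    ("current", 123, 5_000), ("current", 1900, 1_200),
    ("current", 111, 12_000), ("current", 53, 21_000),
]

# Growth factor above which a port is flagged: a "healthy margin" that is
# still well below the 22x portmap growth quoted from the Level3 blog.
GROWTH_LIMIT = 3.0

def per_port_bytes(flows, window):
    """Sum bytes per UDP destination port for one window."""
    totals = defaultdict(int)
    for w, port, nbytes in flows:
        if w == window:
            totals[port] += nbytes
    return dict(totals)

def growth_report(flows, growth_limit=GROWTH_LIMIT):
    """Compare the current window against the baseline.

    Returns (flagged_ports, total_growth): flagged_ports maps port -> growth
    factor for ports above growth_limit (the per-port list approach);
    total_growth is the aggregate UDP growth factor that a protocol-wide
    baseline would police instead.
    """
    base = per_port_bytes(flows, "baseline")
    cur = per_port_bytes(flows, "current")
    flagged = {}
    for port, now in cur.items():
        before = base.get(port, 0)
        # A port with no baseline traffic counts as unbounded growth.
        factor = now / before if before else float("inf")
        if factor > growth_limit:
            flagged[port] = round(factor, 2)
    total_growth = round(sum(cur.values()) / sum(base.values()), 2)
    return flagged, total_growth

if __name__ == "__main__":
    flagged, total = growth_report(FLOWS)
    print("ports over growth limit:", flagged)   # {111: 24.0}
    print("aggregate UDP growth:", total)        # 1.54
```

On this sample the per-port check flags portmapper (111) at 24x while aggregate UDP grows only 1.54x, so a protocol-wide baseline with a generous margin would not trip on the same data.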
_______________________________________________ OPSEC mailing list [email protected] https://www.ietf.org/mailman/listinfo/opsec
