On Monday, 20 August, 2012 00:07:43 Simon Hobson wrote:
> The other issue if it's UDP traffic is that the source addresses are
> probably spoofed anyway. It depends on the network infrastructure at
> the attacking end, but it's often easy to send traffic with spoofed
> source addresses. Even if the site admin's gateway routers are
> configured to drop "out of subnet" traffic (as mine are), that still
> gives the attacker a block to use - hence the suggestion to drop
> netblocks rather than individual IPs. If neither the site admin nor
> their ISP apply any source filtering, then in effect the attacker has
> the full IPv4 address range to throw at you.
It is all UDP traffic, so I am sure these IPs are being spoofed. Seems like the solution then would be for the ISP to block all incoming UDP except on 53? At least until the DDoS is over. I guess UDP is stateless so his ISP's machines wouldn't know an incoming DNS was requested, so the port has to be left open.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
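The netblock suggestion in the quoted reply, as an added example that is not part of this thread: a small Python script that collapses the UDP source addresses found in Shorewall DROP log lines into /24 blocks, reporting only blocks with several distinct sources (the pattern spoofing leaves behind once an upstream drops out-of-subnet traffic) and skipping the DNS traffic on port 53 that the reply wants to keep open. The log lines, the abbreviated field set and the addresses (RFC 5737 documentation ranges, with 10.0.0.10 as the attacked host) are constructed; the field names follow the iptables LOG format Shorewall uses, and the prefix length, threshold and allowed-port list are parameters so the same logic works for other sizes of block.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of Shorewall DROP entries as the kernel LOG target writes
# them to syslog (fields abbreviated). Addresses are RFC 5737 documentation
# ranges, not real attackers; 10.0.0.10 stands in for the attacked host.
SAMPLE_LOG = """\
Aug 20 00:07:43 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.10 PROTO=UDP SPT=40001 DPT=80
Aug 20 00:07:43 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.10 PROTO=UDP SPT=40002 DPT=80
Aug 20 00:07:44 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.200 DST=10.0.0.10 PROTO=UDP SPT=40003 DPT=123
Aug 20 00:07:44 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.4 DST=10.0.0.10 PROTO=UDP SPT=53 DPT=53
Aug 20 00:07:45 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.5 DST=10.0.0.10 PROTO=UDP SPT=53 DPT=53
Aug 20 00:07:45 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.6 DST=10.0.0.10 PROTO=TCP SPT=51000 DPT=22
Aug 20 00:07:46 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.10 PROTO=UDP SPT=40004 DPT=80
"""

# Pull the source address, protocol and destination port out of one log line.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*PROTO=(?P<proto>\w+) .*DPT=(?P<dport>\d+)")


def netblocks_to_drop(log_text, prefix=24, min_sources=3, allow_dports=(53,)):
    """Collapse UDP sources from DROP log lines into /prefix netblocks.

    Returns the blocks (sorted) that contained at least min_sources distinct
    source addresses: many different "sources" inside one block is what
    spoofing looks like once the attacker's upstream filters out-of-subnet
    addresses. Lines for allowed UDP ports (DNS by default) and non-UDP
    lines are ignored, so the result never covers the DNS replies the
    gateway must keep accepting.
    """
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "UDP" or int(m["dport"]) in allow_dports:
            continue
        src = ip_address(m["src"])
        sources[ip_network(f"{src}/{prefix}", strict=False)].add(src)
    return sorted(net for net, seen in sources.items() if len(seen) >= min_sources)


if __name__ == "__main__":
    for net in netblocks_to_drop(SAMPLE_LOG):
        print(net)
```

A block chosen this way also cuts off every legitimate host in the same range, so keep the entries time-limited, as the reply itself suggests ("until the DDoS is over"), and review them against the log before and after the attack subsides.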
