[afnog] DDOS amplification
Frank Habicht
geier at geier.ne.tz
Wed Mar 16 07:10:53 UTC 2016
Hi all,
Working with a client to stop their device (on our connectivity, with
our IP) from participating in DDOS.
In this case chargen (udp:19).
Before (earlier today) there was good amplification; now they changed
something.
I did this test:
nc -u <customer-ip> 19 <<< ''
and my tcpdump says:
tcpdump -nne host <customer-ip>
09:59:50.639511 6c:ae:8b:5a:4c:90 > 40:a6:77:95:35:2b, ethertype IPv4 (0x0800), length 43: <my-ip>.33404 > <customer-ip>.19: UDP, length 1
09:59:50.641250 40:a6:77:95:35:2b > 6c:ae:8b:5a:4c:90, ethertype IPv4 (0x0800), length 71: <customer-ip> > <my-ip>: ICMP 41.188.142.123 udp port 19 unreachable, length 37
So if my calculation is right, a 29-byte IP packet gets responded with a
57-byte IP packet.
Still amplifying.
IIRC in earlier cases the udp:19 packets were just dropped silently.
I have the feeling it is much better to silently drop, and I should get
the client to also do that.
Any input/concerns?
Thanks,
Frank
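Added example (not part of Frank's post, and not an afnog tool): a small Python script that does the arithmetic from the message over `tcpdump -nne` output, so an operator can check whether a customer host still amplifies after a change. It subtracts the 14-byte Ethernet header from each frame length (43 - 14 = 29 and 71 - 14 = 57, as in the post), sums request bytes sent to the host and response bytes coming back from it, and reports the ratio plus which protocols the responses used (a UDP reply means chargen is still answering; an ICMP port-unreachable means the port is closed but the host still talks back; no response at all, the "silently drop" case, gives a ratio of 0). The sample capture is constructed for this example with documentation-range addresses and made-up MACs; the script assumes untagged Ethernet frames and IPv4 lines in the exact `-nne` layout shown above.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Assumption: frames are untagged Ethernet, so the Ethernet header is 14 bytes
# and tcpdump's "length N" minus 14 is the size of the IP packet.
ETH_HDR_LEN = 14

# One line of `tcpdump -nne` output for an IPv4 frame.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length (?P<flen>\d+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


@dataclass
class Frame:
    ts: str
    src_ip: str
    dst_ip: str
    ip_len: int      # bytes on the wire minus the Ethernet header
    proto: str       # first token after the endpoints: "UDP", "ICMP", ...
    summary: str     # the rest of the tcpdump line, kept for the report


def _strip_port(addr: str) -> str:
    # tcpdump prints UDP/TCP endpoints as a.b.c.d.port; ICMP lines carry no port.
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def parse_tcpdump(lines: Iterable[str]) -> list[Frame]:
    frames = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IPv4 frame in -nne layout; ignore it
        rest = m.group("rest")
        proto = rest.split(" ", 1)[0].rstrip(",")
        frames.append(Frame(
            ts=m.group("ts"),
            src_ip=_strip_port(m.group("src")),
            dst_ip=_strip_port(m.group("dst")),
            ip_len=int(m.group("flen")) - ETH_HDR_LEN,
            proto=proto,
            summary=rest,
        ))
    return frames


def amplification(frames: list[Frame], host: str) -> dict:
    """Bytes sent to `host` versus bytes it sent back, at the IP layer."""
    requests = [f for f in frames if f.dst_ip == host]
    responses = [f for f in frames if f.src_ip == host]
    req_bytes = sum(f.ip_len for f in requests)
    resp_bytes = sum(f.ip_len for f in responses)
    return {
        "request_bytes": req_bytes,
        "response_bytes": resp_bytes,
        # 0.0 when the host answers nothing at all (the silent-drop case)
        "ratio": resp_bytes / req_bytes if req_bytes else 0.0,
        "response_protos": sorted({f.proto for f in responses}),
    }


def analyze(capture_text: str, host: str) -> dict:
    return amplification(parse_tcpdump(capture_text.splitlines()), host)


# Constructed sample in the layout of the post: 192.0.2.10 is the probing host,
# 198.51.100.7 stands in for the customer device. MACs are made up.
SAMPLE_ICMP_REPLY = """\
09:59:50.639511 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 43: 192.0.2.10.33404 > 198.51.100.7.19: UDP, length 1
09:59:50.641250 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 71: 198.51.100.7 > 192.0.2.10: ICMP 192.0.2.10 udp port 19 unreachable, length 37
"""

# Same probe, but the device drops the datagram silently: only the request is seen.
SAMPLE_SILENT_DROP = SAMPLE_ICMP_REPLY.splitlines()[0] + "\n"

if __name__ == "__main__":
    for name, text in (("icmp reply", SAMPLE_ICMP_REPLY), ("silent drop", SAMPLE_SILENT_DROP)):
        r = analyze(text, "198.51.100.7")
        print(f"{name}: {r['request_bytes']} B out, {r['response_bytes']} B back, "
              f"ratio {r['ratio']:.2f}, responses {r['response_protos']}")
```

Run against a live capture with `tcpdump -nne host <customer-ip>` piped into `analyze()`; a ratio above 1 with `ICMP` in `response_protos` is the situation in the post (port closed, but roughly 2x amplification via port-unreachable), and a ratio of 0 confirms the host has moved to dropping silently.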