[afnog] DDOS amplification

Frank Habicht geier at geier.ne.tz
Wed Mar 16 07:10:53 UTC 2016


Hi all,

working with a client to stop their device (on our connectivity, with
our IP) from participating in DDoS.

In this case chargen (udp:19)

Before (earlier today) there was good amplification; now they have changed
something.

I did this test:
nc -u <customer-ip> 19 <<< ''

and my tcpdump says:
tcpdump -nne host <customer-ip>
09:59:50.639511 6c:ae:8b:5a:4c:90 > 40:a6:77:95:35:2b, ethertype IPv4
(0x0800), length 43: <my-ip>.33404 > <customer-ip>.19: UDP, length 1
09:59:50.641250 40:a6:77:95:35:2b > 6c:ae:8b:5a:4c:90, ethertype IPv4
(0x0800), length 71: <customer-ip> > <my-ip>: ICMP 41.188.142.123 udp
port 19 unreachable, length 37


So if my calculation is right, a 29-byte IP packet is answered with a
57-byte IP packet.
Still amplifying.

IIRC in earlier cases the udp:19 packets were just dropped silently.

I have the feeling it is much better to silently drop, and I should get
the client to also do that.

Any input/concerns?

Thanks,
Frank
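The arithmetic behind the post's 29/57 figures, as an added example (not code from the original message): tcpdump's `-e` output prints the Ethernet frame length, so the 14-byte Ethernet header has to be subtracted to get the IP packet size (43 - 14 = 29 for the probe, 71 - 14 = 57 for the ICMP port unreachable). The script below parses `tcpdump -nne` summary lines, pairs the bytes sent to a target host with the bytes it sent back, and classifies whether the host answered with a service reply, an ICMP error, or nothing at all. The two sample lines are a constructed transcription of the post's capture using RFC 5737 documentation addresses (198.51.100.7 as the prober, 203.0.113.9 as the customer host); those addresses and the function names are assumptions of this example, not the post's hosts.

```python
"""Amplification factor of a UDP probe, computed from tcpdump -nne output.

Added example; not from the original post. IPv4 only.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

ETHERNET_HEADER = 14  # tcpdump -e prints the frame length; IP packet = frame - 14

# Constructed sample (documentation addresses, assumed): one 1-byte UDP probe to
# port 19 and the ICMP port-unreachable it provoked, reassembled onto one line each.
SAMPLE = (
    "09:59:50.639511 6c:ae:8b:5a:4c:90 > 40:a6:77:95:35:2b, ethertype IPv4 (0x0800), "
    "length 43: 198.51.100.7.33404 > 203.0.113.9.19: UDP, length 1\n"
    "09:59:50.641250 40:a6:77:95:35:2b > 6c:ae:8b:5a:4c:90, ethertype IPv4 (0x0800), "
    "length 71: 203.0.113.9 > 198.51.100.7: ICMP 203.0.113.9 udp port 19 unreachable, length 37\n"
)

# "length <frame>: <src> > <dst>: <proto>" as printed by tcpdump -nne for IPv4
FRAME_RE = re.compile(
    r"length (?P<flen>\d+): (?P<src>\S+) > (?P<dst>[^\s:]+): (?P<proto>\w+)"
)


@dataclass
class Frame:
    src: str      # IPv4 host, port stripped
    dst: str
    proto: str    # "UDP", "ICMP", ...
    ip_len: int   # bytes in the IP packet (frame length minus Ethernet header)


def strip_port(addr: str) -> str:
    """tcpdump -n writes IPv4 endpoints as a.b.c.d.port; drop the port if present."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def parse_frames(text: str) -> List[Frame]:
    """Turn tcpdump -nne summary lines into Frame records; skips non-summary lines."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.search(line)
        if not m:
            continue
        frames.append(Frame(strip_port(m["src"]), strip_port(m["dst"]), m["proto"],
                            int(m["flen"]) - ETHERNET_HEADER))
    return frames


def amplification(frames: List[Frame], target: str) -> Tuple[int, int, float]:
    """Bytes sent to the target, bytes it sent back, and their ratio (0.0 if silent)."""
    sent = sum(f.ip_len for f in frames if f.dst == target)
    recv = sum(f.ip_len for f in frames if f.src == target)
    return sent, recv, (recv / sent if sent else 0.0)


def classify(frames: List[Frame], target: str) -> str:
    """How the target handled the probe: a service reply, only ICMP errors, or nothing."""
    replies = [f for f in frames if f.src == target]
    if not replies:
        return "silent-drop"
    if all(f.proto == "ICMP" for f in replies):
        return "icmp-error"
    return "service-reply"


if __name__ == "__main__":
    frames = parse_frames(SAMPLE)
    sent, recv, ratio = amplification(frames, "203.0.113.9")
    print(f"sent {sent} B, got back {recv} B, amplification x{ratio:.2f}, "
          f"behaviour: {classify(frames, '203.0.113.9')}")
```

Run against a live capture with `tcpdump -nne host <customer-ip> > cap.txt` and feed the file's text to `parse_frames`. A host that silently drops the probe yields a ratio of 0.0 and the `silent-drop` class; the ICMP port-unreachable case in the sample still comes out at roughly 2x, which is the point the post makes.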


