[AusNOG] UDP based HTTP attack?

Matt Palmer mpalmer at hezmatt.org
Sun Sep 20 10:49:44 EST 2015


On Sun, Sep 20, 2015 at 10:01:59AM +1000, Joseph Goldman wrote:
>  One of my webservers just went under DDoS attack so before blackholing the
> IP I decided to capture some traffic - At a quick glance I could see it was
> port 80 but after firing up wireshark I saw it was all UDP - is it common to
> send UDP payloads to Port 80? I was hoping to get the URI in the request to
> know which site in particular was getting targeted, but oh well.

It's reasonably common, because there are plenty of firewall configurations
that don't do a good job of distinguishing between UDP and TCP, and so
"open port 80" becomes "open port 80 TCP *and* UDP", letting the attack
traffic get a lot further into the target than it would otherwise.

I also have a vague recollection that Google's experimental QUIC protocol
may legitimately use UDP 80, for much the same reason.

- Matt
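
The firewall gap described in the reply above can be checked for on a Linux host. This is an added example, not part of the original post: it scans rules in iptables-save format for ACCEPT rules that let UDP reach a port meant for TCP-only HTTP. The rule set, the `WEB_PORTS` value and the function names are constructed for illustration, and only explicit ACCEPT rules are examined (chain policies and negated matches are out of scope).

```python
import shlex

WEB_PORTS = {80}  # ports meant to carry TCP-only HTTP (assumption for this example)

# Constructed sample in iptables-save format; not taken from the original post.
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -p udp -m multiport --dports 53,80,443 -j ACCEPT
-A INPUT -p udp -m udp --dport 8000:8100 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j DROP
-A INPUT -s 192.0.2.10/32 -j ACCEPT
"""

def _ports(spec):
    """Expand '53,80,8000:8100' into a list of (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition(":")
        ranges.append((int(low), int(high or low)))
    return ranges

def udp_web_accepts(rules_text, web_ports=WEB_PORTS):
    """Return ACCEPT rules that let UDP reach any port in web_ports."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if not tok or tok[0] != "-A" or "-j" not in tok:
            continue
        if tok[tok.index("-j") + 1] != "ACCEPT":
            continue
        proto = tok[tok.index("-p") + 1] if "-p" in tok else "all"
        if proto not in ("udp", "all"):
            continue
        # A rule with no port match covers every port.
        ranges = [(0, 65535)]
        for flag in ("--dport", "--dports"):
            if flag in tok:
                ranges = _ports(tok[tok.index(flag) + 1])
        if any(lo <= p <= hi for p in web_ports for lo, hi in ranges):
            findings.append(line)
    return findings

if __name__ == "__main__":
    for rule in udp_web_accepts(SAMPLE_RULES):
        print("UDP reaches a web port:", rule)
```

If the server intentionally offers a UDP-based protocol such as QUIC on a port, leave that port out of `web_ports`.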


