IPv6 QUIC traffic

Jared Mauch jared at puck.nether.net
Thu Jun 4 19:55:30 CEST 2015


> On Jun 4, 2015, at 1:28 PM, Damian Menscher <damian at google.com> wrote:
> 
> You don't need to block all UDP to filter DDoS traffic.  Rate-limiting traffic from the specific ports you mentioned (123, 53, 1900, 19, 161) is sufficient.  Given QUIC traffic always uses a high-numbered ephemeral port, there's little risk of impact to it if you rate-limit only those ports commonly used for amplification.

Not really, since ~46% of DNS amplifiers respond with a non-UDP-53 port.

http://openresolverproject.org/breakdown.cgi

Last week it was 9.7m hosts.

- Jared
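The disagreement above (rate-limiting the well-known amplification ports versus resolvers that answer from some other port) can be checked against sampled traffic. The script below is an added example, not code from either poster or from the Open Resolver Project: it constructs a small synthetic set of UDP datagrams, recognises DNS-response-shaped payloads by parsing the 12-byte DNS header regardless of source port, and reports how much of that traffic a rate limiter keyed only on the ports named in the quoted message would catch. The function names (`looks_like_dns_response`, `evaluate_port_filter`) and the sample itself are assumptions; the 6-of-13 split is chosen to mirror the ~46% figure in the reply, not measured data.

```python
"""Estimate what a source-port-only UDP rate limiter catches.

Added example for the ipv6-ops thread on QUIC and DDoS filtering.
All traffic here is constructed inline; nothing is captured from a network.
"""
import struct
from typing import Iterable, Optional, Tuple

# Ports named in the quoted message as common amplification sources.
AMP_PORTS = {123, 53, 1900, 19, 161}

# A record is (src_ip, src_port, dst_port, udp_payload); constructed below.
Record = Tuple[str, int, int, bytes]


def parse_dns_header(payload: bytes) -> Optional[dict]:
    """Return the fields of the fixed 12-byte DNS header, or None if too short."""
    if len(payload) < 12:
        return None
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,        # 1 = response, 0 = query
        "opcode": (flags >> 11) & 0xF,  # 0 = standard query
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def looks_like_dns_response(payload: bytes) -> bool:
    """Heuristic: a standard-query response carrying one question and answers.

    This is deliberately independent of the UDP source port, which is the
    point of the reply above: an amplifier that answers from port 1024+ still
    produces a DNS response on the wire.
    """
    h = parse_dns_header(payload)
    if h is None:
        return False
    return h["qr"] == 1 and h["opcode"] == 0 and h["qdcount"] == 1 and h["ancount"] > 0


def make_dns_response(txid: int, ancount: int, size: int) -> bytes:
    """Construct a synthetic DNS response: valid header, zero-padded body."""
    flags = 0x8180  # QR=1, RD=1, RA=1, NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + b"\x00" * max(0, size - len(header))


def make_quic_like(size: int) -> bytes:
    """Construct a datagram shaped like a QUIC v1 long-header packet (constructed,
    not a real handshake). Bytes 2-3 are zero, so the DNS QR bit is clear."""
    return b"\xc0\x00\x00\x00\x01" + b"\x00" * max(0, size - 5)


# Constructed sample: 7 DNS responses from port 53, 6 from other ports,
# and 3 QUIC-style flows from ephemeral ports to 443.
SAMPLE_DATAGRAMS: list = (
    [("198.51.100.%d" % i, 53, 40000 + i, make_dns_response(0x1000 + i, 20, 3000))
     for i in range(7)]
    + [("203.0.113.%d" % i, 1024 + 7 * i, 40100 + i, make_dns_response(0x2000 + i, 20, 3000))
       for i in range(6)]
    + [("192.0.2.%d" % i, 50000 + i, 443, make_quic_like(1200)) for i in range(3)]
)


def evaluate_port_filter(records: Iterable[Record], filtered_ports: set) -> dict:
    """Count DNS-response-shaped datagrams and split them by whether a rate
    limiter matching only `filtered_ports` as source port would see them.
    Also count other traffic (e.g. QUIC) that such a filter leaves alone."""
    amp_like = caught = missed = other = other_on_filtered = 0
    for _src_ip, src_port, _dst_port, payload in records:
        if looks_like_dns_response(payload):
            amp_like += 1
            if src_port in filtered_ports:
                caught += 1
            else:
                missed += 1
        else:
            other += 1
            if src_port in filtered_ports:
                other_on_filtered += 1
    return {
        "amp_like": amp_like,
        "caught": caught,
        "missed": missed,
        "missed_fraction": (missed / amp_like) if amp_like else 0.0,
        "other": other,
        "other_on_filtered_ports": other_on_filtered,
    }


if __name__ == "__main__":
    result = evaluate_port_filter(SAMPLE_DATAGRAMS, AMP_PORTS)
    for key, value in result.items():
        print(f"{key:24} {value}")
```

On the constructed sample the port-keyed limiter catches 7 of 13 response-shaped datagrams and misses 6 (about 46%), while none of the QUIC-style flows from ephemeral ports match the filter. The header heuristic stands in for whatever telemetry is actually available (sFlow samples, pcap, or a DPI tag); the structure of the check is the same: classify by payload shape first, then ask what a port-only rule would have matched.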



