IPv6 QUIC traffic
Jared Mauch
jared at puck.nether.net
Thu Jun 4 19:55:30 CEST 2015
> On Jun 4, 2015, at 1:28 PM, Damian Menscher <damian at google.com> wrote:
>
> You don't need to block all UDP to filter DDoS traffic. Rate-limiting traffic from the specific ports you mentioned (123, 53, 1900, 19, 161) is sufficient. Given QUIC traffic always uses a high-numbered ephemeral port, there's little risk of impact to it if you rate-limit only those ports commonly used for amplification.
Not really, since ~46% of DNS amplifiers respond from a non-udp-53 port.
http://openresolverproject.org/breakdown.cgi
Last week it was 9.7m hosts.
- Jared
More information about the ipv6-ops mailing list
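The disagreement above, as an added example that is not code from the thread or from either poster: a constructed comparison of the source-port rate limit Damian proposes against a payload-based check, run over constructed packets that include DNS responses coming from a non-53 source port of the kind Jared cites, plus one QUIC packet on a high ephemeral port. The port set, the threshold, and the packet records are assumptions made for the example.

```python
import struct
from collections import defaultdict

# Ports the quoted proposal would rate-limit (constructed policy, not a vendor config).
AMPLIFIER_PORTS = {19, 53, 123, 161, 1900}
LIMIT = 2  # packets allowed per window before dropping; constructed threshold

# Constructed DNS response header: id, flags 0x8180 (QR=1, RD, RA), 1 question, 4 answers,
# padded to look like a large reflected answer.
DNS_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 0) + b"\x00" * 60


def dns_response_like(payload: bytes) -> bool:
    """True if the UDP payload parses as a DNS response (QR bit set) that carries answers."""
    if len(payload) < 12:
        return False
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    return bool(flags & 0x8000) and ancount > 0


def port_policy(packets):
    """Rate-limit by source port only, as the quoted message proposes."""
    seen, passed = defaultdict(int), []
    for pkt in packets:
        if pkt["sport"] in AMPLIFIER_PORTS:
            seen[pkt["sport"]] += 1
            if seen[pkt["sport"]] > LIMIT:
                continue  # dropped
        passed.append(pkt)
    return passed


def content_policy(packets):
    """Rate-limit by what the payload is, so the reflector's source port no longer matters."""
    count, passed = 0, []
    for pkt in packets:
        if dns_response_like(pkt["payload"]):
            count += 1
            if count > LIMIT:
                continue  # dropped
        passed.append(pkt)
    return passed


def sample_packets():
    """Constructed traffic: reflected DNS from port 53, reflected DNS from port 1044, one QUIC packet."""
    from_53 = [{"sport": 53, "dport": 40000, "payload": DNS_REPLY} for _ in range(3)]
    from_other = [{"sport": 1044, "dport": 40000, "payload": DNS_REPLY} for _ in range(3)]
    quic = [{"sport": 52000, "dport": 443, "payload": b"\xc0" + b"\x00" * 40}]
    return from_53 + from_other + quic


def reflected_passing(policy):
    """How many DNS-response packets the given policy lets through."""
    return sum(dns_response_like(p["payload"]) for p in policy(sample_packets()))
```

With these inputs the port-only policy lets every non-53 reflected answer through while the payload check limits all of them; the QUIC packet passes under both.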