mitigate UDP flood

m4rtin · 10-17-2012, 06:42 AM

Am I correct that one of the best ways to mitigate UDP DDoS is to ask my ISP to configure firewall which drops all the UDP traffic to IP's allocated to me expect certain ports like 53(DNS), 123(NTP) and rate-limit traffic to those certain UDP ports? This means that traffic reaches their network, but does not reach my link with my ISP and thus does not congest it?

acid_kewpie · 10-17-2012, 06:46 AM

well yes, but can your ISP do that??

m4rtin · 10-17-2012, 07:12 AM

Quote:

Originally Posted by acid_kewpie

well yes, but can your ISP do that??

yes, they can for a monthly fee. I thought that this is a standard service for colocation services

acid_kewpie · 10-17-2012, 07:19 AM

Ahh right, fair enough on a colo. But is that actually the ISP doing that though? That sounds like what the colo host would provide, and they'll be on your side of a pipe being delivered... So yes, you can't configure a firewall to stop things hitting it in the first place.