I should've "qualified" my question by saying "What valid application which traverses the Internet and could be seen at the edge of a network actually uses UDP 80?"
I can't imagine there is too much Cisco NAC client for Macs carrying on over the Internet, although I have been wrong in the past.

-Drew

-----Original Message-----
From: Michael Costello [mailto:mc3...@columbia.edu]
Sent: Wednesday, December 08, 2010 11:59 AM
To: nanog@nanog.org
Subject: Re: Over a decade of DDOS--any progress yet?

On Wed, 8 Dec 2010 11:13:01 -0500
Drew Weaver <drew.wea...@thenap.com> wrote:

> The most common attacks that I have seen over the last 12 months, and
> let's say I have seen a fair share have been easily detectable by the
> source network.
>
> It is either protocol 17 (UDP) dst port 80 or UDP Fragments (dst port
> 0..)
>
> What valid application actually uses UDP 80?

The Cisco NAC client for Macs, for the purpose of "VLAN change detection", sends UDP/80 packets to the host's reversed default gateway (i.e., if the actual gateway is 1.2.3.4, it sends the packets to 4.3.2.1) once every five seconds.

mc
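Added example, not part of the thread and not code from either poster: a source-network check over flow records that flags the two patterns named above (UDP to destination port 80, and UDP fragments) while setting aside the NAC "reversed default gateway" traffic described in the reply. The record field names, labels, gateway and sample flows are constructed assumptions, and a non-initial fragment is assumed to be exported with a non-zero fragment offset.

```python
import ipaddress
from collections import Counter

UDP = 17  # IP protocol number, as cited in the thread


def reversed_gateway(gateway: str) -> str:
    """Octet-reverse an IPv4 address, e.g. 1.2.3.4 -> 4.3.2.1."""
    packed = ipaddress.IPv4Address(gateway).packed
    return str(ipaddress.IPv4Address(packed[::-1]))


def classify(flow: dict, gateway: str):
    """Label one flow record; None means it matches neither pattern."""
    if flow["proto"] != UDP:
        return None
    if flow["frag_offset"] > 0:
        # Non-initial fragments carry no UDP header, so no real port is visible.
        return "udp-fragment"
    if flow["dst_port"] == 80:
        # NAC client for Macs: UDP/80 to the reversed default gateway.
        if flow["dst"] == reversed_gateway(gateway):
            return "nac-vlan-detect"
        return "udp-80"
    return None


def suspicious_sources(flows, gateway: str) -> dict:
    """Sum packets per source for flows labelled udp-80 or udp-fragment."""
    counts = Counter()
    for flow in flows:
        if classify(flow, gateway) in ("udp-80", "udp-fragment"):
            counts[flow["src"]] += flow["packets"]
    return dict(counts)


# Constructed sample data (documentation address ranges), not real traffic.
GATEWAY = "192.0.2.1"
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "1.2.0.192", "proto": 17, "dst_port": 80, "frag_offset": 0, "packets": 12},
    {"src": "192.0.2.20", "dst": "198.51.100.7", "proto": 17, "dst_port": 80, "frag_offset": 0, "packets": 90000},
    {"src": "192.0.2.20", "dst": "198.51.100.7", "proto": 17, "dst_port": 0, "frag_offset": 185, "packets": 40000},
    {"src": "192.0.2.30", "dst": "203.0.113.5", "proto": 6, "dst_port": 80, "frag_offset": 0, "packets": 300},
    {"src": "192.0.2.30", "dst": "203.0.113.53", "proto": 17, "dst_port": 53, "frag_offset": 0, "packets": 4},
]

if __name__ == "__main__":
    for src, packets in suspicious_sources(SAMPLE_FLOWS, GATEWAY).items():
        print(f"{src}: {packets} packets of UDP/80 or UDP-fragment traffic")
```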