I should've "qualified" my question by saying "What valid application which 
traverses the Internet and could be seen at the edge of a network actually uses 
UDP 80?"

I can't imagine there is too much Cisco NAC client for macs carrying on over 
the Internet, although I have been wrong in the past.

-Drew


-----Original Message-----
From: Michael Costello [mailto:mc3...@columbia.edu] 
Sent: Wednesday, December 08, 2010 11:59 AM
To: nanog@nanog.org
Subject: Re: Over a decade of DDOS--any progress yet?

On Wed, 8 Dec 2010 11:13:01 -0500
Drew Weaver <drew.wea...@thenap.com> wrote:

> The most common attacks that I have seen over the last 12 months, and
> let's say I have seen a fair share have been easily detectable by the
> source network.
> 
> It is either protocol 17 (UDP) dst port 80 or UDP Fragments (dst port
> 0..)
> 
> What valid application actually uses UDP 80?

The Cisco NAC client for Macs, for the purpose of "VLAN change
detection", sends UDP/80 packets to the host's reversed default
gateway (i.e., if the actual gateway is 1.2.3.4, it sends the packets
to 4.3.2.1) once every five seconds.

mc



Reply via email to