nanog mailing list archives

Re: DDOS solution recommendation


From: Valdis.Kletnieks () vt edu
Date: Mon, 12 Jan 2015 11:35:58 -0500

On Mon, 12 Jan 2015 18:06:57 +1100, Mark Andrews said:

  The ISP will very likely not see ANY traffic originating from spoofed
IP destined to your server.

They will see the reply traffic and will see the acks increasing etc.

Assuming they think to *look* for it.

99.8% of ISPs will get a complaint "Your IP w.x.y.z is sending me spam", drop a
tap on the IP address, see no matching outbound traffic, and hit delete on the
complaint.  They will almost certainly not think to look in something like the
ICMP port unreachable packets the address is sending to some *other* address.
(Remember, the compromised relay machine has to send *very* little info back to
the actual sending box - TCP sequence numbers, maybe windows, and SMTP reply
codes that can be encoded in 1 byte or even less)
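
The two checks discussed in this message, as an added example that is not part of the original post: inbound TCP replies with no matching outbound TCP, and ICMP port unreachables sent to an address that never sent the host any UDP. The flow-record layout, the 2-second window, the function names and the sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed flow records (not from the original post):
# (timestamp_s, src, dst, proto, info). "3/3" = ICMP type 3 code 3, port unreachable.
FLOWS = [
    (0.0, "198.51.100.7", "192.0.2.10", "udp", "dport=33434"),
    (0.1, "192.0.2.10", "198.51.100.7", "icmp", "3/3"),     # normal: answers the UDP above
    (5.0, "203.0.113.25", "192.0.2.10", "tcp", "SYN-ACK"),  # reply to a SYN the host never sent
    (5.1, "192.0.2.10", "203.0.113.99", "icmp", "3/3"),     # unreachable sent to a third party
    (6.0, "203.0.113.25", "192.0.2.10", "tcp", "ACK"),
    (6.1, "192.0.2.10", "203.0.113.99", "icmp", "3/3"),
]


def unsolicited_unreachables(flows, host, window=2.0):
    """Return {dst: count} of ICMP port unreachables that `host` sent to
    destinations which sent it no UDP in the preceding `window` seconds."""
    last_udp = {}             # peer -> time of its latest UDP packet to host
    hits = defaultdict(int)
    for ts, src, dst, proto, info in sorted(flows):
        if proto == "udp" and dst == host:
            last_udp[src] = ts
        elif proto == "icmp" and info == "3/3" and src == host:
            seen = last_udp.get(dst)
            if seen is None or ts - seen > window:
                hits[dst] += 1
    return dict(hits)


def inbound_tcp_without_outbound(flows, host):
    """Peers that send TCP to `host` while `host` sends no TCP back to them,
    i.e. reply traffic for connections the host did not visibly open."""
    inbound = {s for _, s, d, p, _ in flows if p == "tcp" and d == host}
    outbound = {d for _, s, d, p, _ in flows if p == "tcp" and s == host}
    return sorted(inbound - outbound)


if __name__ == "__main__":
    host = "192.0.2.10"
    print("one-sided TCP peers:", inbound_tcp_without_outbound(FLOWS, host))
    print("unsolicited port unreachables:", unsolicited_unreachables(FLOWS, host))
```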
