Re: automatic rtbh trigger using flow data

[Hugo Slabbert <hugo () slabnet com>]

On Sun 2018-Sep-02 10:09:32 +0700, Roland Dobbins <rdobbins () arbor net> wrote:

> On 1 Sep 2018, at 1:43, Hugo Slabbert wrote:
>
> > Generally on the TCP side you can try SYN or ACK floods, but you're 
> > not going to get an amplified reflection.
>
> Actually, TCP reflection/amplification has been on the increase; the 
> attacker is guaranteed at least 4:1 amplification in most 
> circumstances, the number of reflectors/amplifiers is for all 
> practical purposes infinite, and they're mostly legitimate, 
> non-broken services/applications.

Fair.  I guess in terms of common reflect/amp vector at $dayjob we just see 
UDP-based significantly more frequently on large volumetric attacks given 
the amp factor on some vectors is so huge.

Some relevant reading I need to revisit:
https://www.usenix.org/sites/default/files/conference/protected-files/woot14_slides_kuhrer.pdf
https://www.usenix.org/system/files/conference/woot14/woot14-kuhrer.pdf

> And as always, it's important to note that with all 
> reflection/amplification attacks, the root of the issue is the lack of 
> universal source-address validation (SAV).  Without the ability to spoof, 
> there would be no reflection/amplification attacks.

ACK, pun intended.

> -----------------------------------
> Roland Dobbins <rdobbins () arbor net>

--
Hugo Slabbert       | email, xmpp/jabber: hugo () slabnet com
pgp key: B178313E   | also on Signal

Attachment: signature.asc
Description: Digital signature