nanog mailing list archives
Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
From: Damian Menscher via NANOG <nanog () nanog org>
Date: Mon, 27 Jan 2020 17:00:56 -0800
The victim already posted the signature to this thread:

- source IP: 51.81.119.7
- protocol: 6 (tcp)
- tcp_flags: 2 (syn)

That alone is sufficient for Level3/CenturyLink/etc to identify the source of this abuse and apply filters, if they choose.

For a more detailed explanation of how to trace and filter spoofed attacks, see my talk at NANOG last year: https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976

Damian

On Mon, Jan 27, 2020 at 4:57 PM Mike Hammett <nanog () ics-il net> wrote:

How would they know what to look for? I'm assuming Sony isn't cooperating.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

------------------------------
From: "Ben Cannon" <ben () 6by7 net>
To: "Mike Hammett" <nanog () ics-il net>
Cc: "Roland Dobbins" <Roland.Dobbins () netscout com>, "NANOG Operators' Group" <nanog () nanog org>
Sent: Monday, January 27, 2020 6:40:25 PM
Subject: Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

Transit carriers could work the flows backwards.

-Ben Cannon
CEO 6x7 Networks & 6x7 Telecom, LLC
ben () 6by7 net

On Jan 27, 2020, at 4:39 PM, Mike Hammett <nanog () ics-il net> wrote:

If someone is being spoofed, they aren't receiving the spoofed packets. How are they supposed to collect anything on the attack?

Offending host pretending to be Octolus -> Sony -> Real Octolus.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

------------------------------
From: "Roland Dobbins" <Roland.Dobbins () netscout com>
To: "Octolus Development" <admin () octolus net>
Cc: "Heather Schiller via NANOG" <nanog () nanog org>
Sent: Monday, January 27, 2020 6:29:16 PM
Subject: Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

On Jan 28, 2020, at 04:12, Octolus Development <admin () octolus net> wrote:

It is impossible to find the true origin of where the spoofed attacks are coming from.

This is demonstrably untrue.

If you provide the requisite information to operators, they can look through their flow telemetry collection/analysis systems in order to determine whether the spoofed traffic traversed their network; if it did so, they will see where it ingressed their network.

With enough participants who have this capability, it's possible to trace the spoofed traffic back to its origin network, or at least some network or networks topologically proximate to the origin network.

That's what Damian is suggesting.

--------------------------------------------
Roland Dobbins <roland.dobbins () netscout com>
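
An added example, not part of the original thread or any poster's tooling: a sketch of the flow-telemetry lookup described above, matching the posted signature (source IP, protocol 6, tcp_flags 2) against exported flow records and ranking the ingress points where it entered the network. The CSV column names, router and interface names, sampling rate and the `legit_ingress` set are assumptions, and the flow records are constructed sample data.

```python
import csv
import io
from collections import Counter

# Signature posted in the thread.
SIGNATURE = {"src": "51.81.119.7", "proto": 6, "tcp_flags": 2}

# Constructed sample flow export (not real telemetry). Column names, router
# and interface names are hypothetical; packets are sampled counts.
SAMPLE_FLOWS = """router,in_if,src,dst,proto,tcp_flags,packets,sampling
edge1,peer-A,51.81.119.7,198.51.100.10,6,2,40,1000
edge1,peer-A,51.81.119.7,198.51.100.11,6,2,35,1000
edge2,cust-B,51.81.119.7,198.51.100.10,6,2,3,1000
edge2,cust-B,51.81.119.7,198.51.100.10,6,18,2,1000
edge3,peer-C,203.0.113.5,198.51.100.10,6,2,50,1000
edge3,peer-C,51.81.119.7,198.51.100.12,17,0,9,1000
"""

def matches(row, sig=SIGNATURE):
    """True when a flow record is SYN-only TCP from the signature's source IP."""
    return (row["src"] == sig["src"]
            and int(row["proto"]) == sig["proto"]
            and int(row["tcp_flags"]) == sig["tcp_flags"])

def ingress_points(flow_csv, legit_ingress=frozenset()):
    """Estimate matching packets per (router, interface), largest first.

    legit_ingress (an assumption of this example) lists the interfaces where
    the real holder of the source address is reachable; matching traffic on
    any other interface is a candidate spoofed-ingress point.
    """
    totals = Counter()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if matches(row):
            key = (row["router"], row["in_if"])
            # Scale sampled packet counts back up by the sampling rate.
            totals[key] += int(row["packets"]) * int(row["sampling"])
    return [(key, est, key not in legit_ingress)
            for key, est in totals.most_common()]

if __name__ == "__main__":
    for (router, in_if), est, suspect in ingress_points(
            SAMPLE_FLOWS, legit_ingress={("edge2", "cust-B")}):
        tag = "trace upstream / filter" if suspect else "expected path"
        print(f"{router} {in_if}: ~{est} SYNs ({tag})")
```

Each operator repeating this lookup on its own telemetry and handing the result to the neighbor behind the flagged interface is the hop-by-hop traceback the thread describes.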