nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

From: Damian Menscher via NANOG <nanog () nanog org>
Date: Mon, 27 Jan 2020 17:49:18 -0800
On Mon, Jan 27, 2020 at 5:43 PM Töma Gavrichenkov <ximaera () gmail com> wrote:


On Tue, Jan 28, 2020, 4:32 AM Damian Menscher <damian () google com> wrote:


On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov <ximaera () gmail com>
wrote:


If this endpoint doesn't connect to anything outside of their network,
then yes.
If it does though, the design of the filter might become more
complicated.



Not really... just requires sorting by volume.  Turns out most legitimate
hosts don't send high-volume syn packets. ;)



This is a good *detection* technique, but you cannot filter by volume in
transit if the set of destinations is large (and random) enough, and you
don't have a time machine.  Not sure if this is the case but might as well
be.



They don't need to filter by destination.  Once a problem customer has been
identified, they can apply an ACL restricting them to only originate IPs
they own.  This was all covered in my talk at NANOG last year:
https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976

As for the detection of the real source, everything is technically possible

but you need certain bargaining power which a medium-sized (at best) VPN
service probably doesn't have.



True, but there are ways around that, including public shaming (here), or
involving law enforcement.

Damian
Previous By Date Next
Previous By Thread Next

Current thread: