nanog mailing list archives

Re: Is malicious asymmetrical routing still a thing?


From: William Herrin <bill () herrin us>
Date: Thu, 9 Mar 2023 17:12:40 -0800

On Thu, Mar 9, 2023 at 4:05 PM Grant Taylor via NANOG <nanog () nanog org> wrote:
> On 3/9/23 2:19 PM, Christopher Munz-Michielin wrote:
>> Not this exact scenario, but what we see a lot of in my VPS company is
>> people sending spam by using our VPS' source addresses, but routing
>> outbound via some kind of tunnel to a VPN provider or similar in order
>> to bypass our port 25 blocks.
>
> I'd be curious what VPN providers they are using so that I could start
> blocking them.  That seems like another player in the criminal support
> ecosystem.

If I had to put money on it, it's not VPN providers but other VPS
providers. VPN providers don't have enough business that anyone cares
about to avoid getting killed over BCP38 non-compliance.

It's trivial to turn a $5 VPS into a disposable VPN head-end that can
spray TCP SYN packets at a modest rate, and once the packet is on the
backbone somewhere in the world not only can't you do anything about
it, it's just on the near side of impossible to figure out where it
originally entered.

Unless you want to start handing out BGP AS death penalties to entire
"tier 1's" who don't instrument their reciprocal peering connections
well enough for third parties to trace the source of spoofed packets.
Which is 100% of everyone right now. That sort of instrumentation
would be darn expensive.

Regards,
Bill Herrin



-- 
For hire. https://bill.herrin.us/resume/
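
Added example, not part of the original message or of any poster's tooling: one way a VPS provider could spot the pattern quoted above, where a customer address is used as a source for SMTP sent out through a tunnel elsewhere. It flags customer addresses that receive SYN-ACKs from remote port 25 with no matching outbound SYN at the border. The flow record format, field names, addresses and the `min_peers` threshold are assumptions, and the data is constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

SMTP_PORT = 25

# Constructed sample flow records (documentation address ranges), as a border
# flow exporter might summarise them. The field names are assumptions.
FLOWS = [
    {"ts": 1, "src": "192.0.2.10", "sport": 40000, "dst": "198.51.100.5", "dport": 25, "flags": "S"},
    {"ts": 2, "src": "198.51.100.5", "sport": 25, "dst": "192.0.2.10", "dport": 40000, "flags": "SA"},
    {"ts": 3, "src": "198.51.100.7", "sport": 25, "dst": "192.0.2.66", "dport": 51000, "flags": "SA"},
    {"ts": 4, "src": "203.0.113.9", "sport": 25, "dst": "192.0.2.66", "dport": 51001, "flags": "SA"},
    {"ts": 5, "src": "203.0.113.20", "sport": 25, "dst": "192.0.2.80", "dport": 33000, "flags": "SA"},
]


def find_asymmetric_smtp(flows, customer_net, min_peers=2):
    """Return {customer_ip: sorted remote mail hosts} for customer addresses
    that receive SYN-ACKs from remote port 25 although no outbound SYN for
    that connection was seen at the border. A single unsolicited SYN-ACK may
    be backscatter from a third party spoofing the address, so addresses
    answered by fewer than min_peers distinct hosts are ignored."""
    net = ip_network(customer_net)
    syn_sent = set()                # (customer_ip, customer_port, remote_ip)
    unsolicited = defaultdict(set)  # customer_ip -> remote hosts answering it
    for f in sorted(flows, key=lambda rec: rec["ts"]):
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if f["flags"] == "S" and src in net and f["dport"] == SMTP_PORT:
            # Legitimate path: the SYN left through the provider's own border.
            syn_sent.add((f["src"], f["sport"], f["dst"]))
        elif f["flags"] == "SA" and dst in net and f["sport"] == SMTP_PORT:
            # Reply half of a handshake; check the request half was seen here.
            if (f["dst"], f["dport"], f["src"]) not in syn_sent:
                unsolicited[f["dst"]].add(f["src"])
    return {ip: sorted(peers) for ip, peers in unsolicited.items()
            if len(peers) >= min_peers}


if __name__ == "__main__":
    for ip, peers in find_asymmetric_smtp(FLOWS, "192.0.2.0/24").items():
        print(f"{ip}: SMTP replies without outbound SYN from {peers}")
```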

