Re: DDOS solution recommendation

[Mark Andrews <marka () isc org>]

In message <54B31BBE.3000502 () tnetconsulting net>, Grant Taylor writes:
> On 01/11/2015 03:22 PM, Mike Hammett wrote:
> > I know that UDP can be spoofed, but it's not likely that the SSH,
> > mail, etc. login attempts, web page hits, etc. would be spoofed as
> > they'd have to know the response to be of any good.
>
> I encourage you to investigate "Triangular Spamming". 
> (http://www.cs.ucr.edu/~zhiyunq/pub/oakland10_triangular_spamming.pdf) 
> The "Triangular..." technique does specifically that, allow the attacker 
> to "...know the responses...".
>
> In short, the bot receives the reply to the spoofed source IP and 
> forwards information on to the attacker so that it can continue the 
> conversation.  In effect, three parties are having a one way 
> conversation in a ring.

Just because you can only identify one of the two remotes doesn't
mean that you can't report the addresses.  It is involved in the
communication stream.

> > There's more going on than UDP spoofing\amplification. Frankly the
> > most damaging thing to me has been SMTP hijacking. For you to login
> > to my SMTP server and send e-mail out, there's going to be one hell
> > of a conversation going on.
>
> Yes, there is what appears to you to be be a conversation going on. 
> However, the source of what you are hearing is not where you think it's 
> from.

Actually it is coming from where you think it is coming from, just not
directly.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org