nanog mailing list archives
Re: DDOS solution recommendation
From: Grant Taylor <gtaylor () tnetconsulting net>
Date: Sun, 11 Jan 2015 22:14:10 -0600
On 01/11/2015 07:42 PM, Mark Andrews wrote:
> Just because you can only identify one of the two remotes doesn't mean that you can't report the addresses. It is involved in the communication stream.
It is very difficult to make a case that the host with the spoofed IP address is attacking you when it is not even sending any traffic to you. The ISP will very likely not see ANY traffic originating from spoofed IP destined to your server.
So what you do know is effectively useless.
> Actually it is coming from where you think it is coming from, just not directly.
No, not quite.

1 - Spammer (A) sends packets to server (B) spoofing the source address of the relay (C).
    (A spoofed as) C -> B
2 - Server (B) replies to relay (C).
    B -> C
3 - Relay (C) sends packets to spammer (A).
    C -> A

Notice how the relay (C) is never sending packets -to- the server (B). The traffic is NOT coming from the relay (C).
This is not a case of the spammer (A) sending to the relay (C) that is then sending the traffic to the server (B).
There is no traffic originating from the relay (C) going to the server (B). Thus there is nothing to be caught by the relay's ISP filter. You could even use this technique on ISPs that block outbound traffic to TCP port 25. (Like many cable / DSL providers.)

Also notice how the server (B) never knows the spammer's (A) real IP.

This is very similar in concept to a Joe Job, but at the TCP layer, not the SMTP application layer.

----

The point of this is that it is possible, and occurring in the wild, to spoof TCP source IP addresses.

- So, don't blindly trust the source IP address used for TCP connections.
- It is possible (if not practical) to spoof them and have a successful transmission.
-- 
Grant. . . .
unix || die
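An added illustration, not part of Grant's message or the NANOG thread: a small in-memory model of the three-hop flow described above, used to show which filtering point can actually observe the forged packet. The addresses, ISP names, filter rules and port numbers are constructed for the demonstration; step 3 follows the post's description (C -> A) and the model makes no claim about what a real relay host would send.

```python
"""
Model of the A -> B (spoofed as C), B -> C, C -> A flow from the post.
Everything here (hosts, ISPs, filters) is constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed addresses from the RFC 5737 documentation ranges.
A = "192.0.2.10"      # spammer
B = "198.51.100.25"   # mail server
C = "203.0.113.40"    # relay whose address is forged


@dataclass(frozen=True)
class Packet:
    src: str      # source address as written in the IP header
    dst: str
    dport: int
    origin: str   # host that really emitted the packet (ground truth, unseen by B)


@dataclass
class ISP:
    name: str
    customers: set                   # addresses this ISP serves
    validate_source: bool = False    # drop outbound packets whose src is not a customer address
    block_outbound_25: bool = False  # drop outbound packets to TCP/25 (the cable/DSL style block)
    seen: list = field(default_factory=list)

    def egress(self, pkt: Packet):
        """Apply this ISP's outbound filters; return the packet, or None if it was dropped."""
        self.seen.append(pkt)
        if self.validate_source and pkt.src not in self.customers:
            return None
        if self.block_outbound_25 and pkt.dport == 25:
            return None
        return pkt


def build_network(spammer_validates_source: bool, relay_blocks_port_25: bool):
    """One ISP per host; only the filters under test are switched on."""
    return {
        A: ISP("ISP-A", {A}, validate_source=spammer_validates_source),
        B: ISP("ISP-B", {B}),
        C: ISP("ISP-C", {C}, block_outbound_25=relay_blocks_port_25),
    }


def simulate(spammer_validates_source: bool = False, relay_blocks_port_25: bool = True):
    """Run the three steps and report what B saw and where, if anywhere, the forged packet died."""
    net = build_network(spammer_validates_source, relay_blocks_port_25)
    result = {
        "delivered_to_B": False,
        "b_sees_src": None,
        "dropped_by": None,
        "relay_isp_saw_packet_to_B": False,
    }

    # Step 1: A sends to B:25 with the source forged as C. Only A's own ISP
    # sees this packet leave a customer port, so only it can compare src
    # against the addresses it actually serves.
    syn = Packet(src=C, dst=B, dport=25, origin=A)
    if net[A].egress(syn) is None:
        result["dropped_by"] = net[A].name
        return result
    result["delivered_to_B"] = True
    result["b_sees_src"] = syn.src        # B records C, never A

    # Step 2: B answers the address it saw (C), not the real origin (A).
    reply = Packet(src=B, dst=C, dport=40000, origin=B)
    net[B].egress(reply)

    # Step 3 (per the post): C sends toward A. Nothing from C is addressed to B,
    # so C's ISP has no packet to B to inspect, port-25 block or not.
    fwd = Packet(src=C, dst=A, dport=40000, origin=C)
    net[C].egress(fwd)
    result["relay_isp_saw_packet_to_B"] = any(p.dst == B for p in net[C].seen)
    return result


if __name__ == "__main__":
    print("relay ISP blocks port 25:", simulate(relay_blocks_port_25=True))
    print("spammer ISP validates src:", simulate(spammer_validates_source=True))
```

Running it shows the two halves of the post's argument: with only the relay's ISP filtering, B is reached and logs C as the peer while ISP-C never sees a packet bound for B; the packet is only stopped when the ISP at the real origin checks that outbound source addresses belong to its own customers.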