nanog mailing list archives

Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey


From: Jared Mauch <jared () puck nether net>
Date: Fri, 23 Sep 2016 18:04:22 -0400


On Sep 23, 2016, at 5:39 PM, Hugo Slabbert <hugo () slabnet com> wrote:

> If the attackers were hitting the GRE tunnel destination and spoofing the tunnel source that would make things
> harder, but that's starting to get into rather intimate knowledge of the scrubber's and customer's setup.  I could
> still probably filter on e.g. TTLs or drop GRE further up to the northern edge on input rather than output, but
> agreed that is starting to get trickier...

My experiences are that under duress most people make poor choices and don’t properly filter these types of traffic.  

How many times have you turned off a filter to debug something?  Making a tunnel work is trickier than it seems and not 
all devices can terminate them.

In Cisco IOS land, you also have to have an IP address on the tunnel for it to handle IP traffic, even if it’s “ip
unnumbered”.

My guess is someone terminates on their P2P link to carrier, and that is easy enough to find w/ traceroute/mtr.

- Jared
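As an added illustration of the points raised in this exchange (this is not configuration posted by either participant), the IOS fragment below terminates the scrubber's GRE tunnel on a loopback rather than on the P2P link, gives the tunnel an address via "ip unnumbered" so IOS will forward IP over it, and filters GRE on input at the carrier-facing edge instead of on output. All addresses are RFC 5737 documentation ranges and are assumptions: 192.0.2.1 is the scrubber's tunnel source, 198.51.100.1 the customer loopback that terminates the tunnel, and 203.0.113.0/30 the link to the carrier. The TTL value in the ACL is likewise an assumed figure that has to be measured for the real scrubber.

```cisco
! Added example, not from the thread. All addresses are assumptions.
!
! Terminate the tunnel on a loopback, not on the P2P link address that
! a traceroute/mtr toward the customer reveals.
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
! IOS will not forward IP over the tunnel unless the interface has an
! address; "ip unnumbered" borrows the loopback's address.
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 192.0.2.1
 tunnel mode gre ip
!
! Filter on INPUT at the carrier-facing edge rather than on output:
! only GRE (IP protocol 47) from the scrubber's source to the tunnel
! endpoint is accepted; any other GRE toward us is dropped before it
! reaches the tunnel. The "ttl" match is the TTL-based idea from the
! reply above: assumption is that the scrubber is a fixed number of hops
! away so its packets arrive with a predictable TTL (250 here is a
! placeholder to be replaced with the measured value). An attacker
! spoofing 192.0.2.1 from a different distance will miss that match.
ip access-list extended EDGE-IN
 permit gre host 192.0.2.1 host 198.51.100.1 ttl eq 250
 deny   gre any any
 permit ip any any
!
interface GigabitEthernet0/0
 description P2P link to carrier
 ip address 203.0.113.2 255.255.255.252
 ip access-group EDGE-IN in
```

Two practical notes: the "deny gre any any" line deliberately has no "log" keyword, because logging every dropped packet during a flood only moves the problem onto the route processor; and the TTL match only buys something against spoofed sources if the scrubber's hop count really is stable, so it should be measured and re-checked after any path change rather than set once.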
