Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

[Damian Menscher via NANOG <nanog () nanog org>]

The victim already posted the signature to this thread:
  - source IP: 51.81.119.7
  - protocol: 6 (tcp)
  - tcp_flags: 2 (syn)

That alone is sufficient for Level3/CenturyLink/etc to identify the source
of this abuse and apply filters, if they choose.

For a more detailed explanation of how to trace and filter spoofed attacks,
see my talk at NANOG last year:
https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976

Damian

On Mon, Jan 27, 2020 at 4:57 PM Mike Hammett <nanog () ics-il net> wrote:

> How would they know what to look for?
>
> I'm assuming Sony isn't cooperating.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ------------------------------
> *From: *"Ben Cannon" <ben () 6by7 net>
> *To: *"Mike Hammett" <nanog () ics-il net>
> *Cc: *"Roland Dobbins" <Roland.Dobbins () netscout com>, "NANOG Operators'
> Group" <nanog () nanog org>
> *Sent: *Monday, January 27, 2020 6:40:25 PM
> *Subject: *Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
>
> Transit carriers could work the flows backwards.
>
> -Ben Cannon
> CEO 6x7 Networks & 6x7 Telecom, LLC
> ben () 6by7 net
>
>
>
> On Jan 27, 2020, at 4:39 PM, Mike Hammett <nanog () ics-il net> wrote:
>
> If someone is being spoofed, they aren't receiving the spoofed packets.
> How are they supposed to collect anything on the attack?
>
> Offending host pretending to be Octolus -> Sony -> Real Octolus.
>
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ------------------------------
> *From: *"Roland Dobbins" <Roland.Dobbins () netscout com>
> *To: *"Octolus Development" <admin () octolus net>
> *Cc: *"Heather Schiller via NANOG" <nanog () nanog org>
> *Sent: *Monday, January 27, 2020 6:29:16 PM
> *Subject: *Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
>
>
>
> On Jan 28, 2020, at 04:12, Octolus Development <admin () octolus net> wrote:
>
> It is impossible to find the true origin of where the spoofed attacks are
> coming from.
>
>
> This is demonstrably untrue.
>
> If you provide the requisite information to operators, they can look
> through their flow telemetry collection/analysis systems in order to
> determine whether the spoofed traffic traversed their network; if it did
> so, they will see where it ingressed their network.
>
> With enough participants who have this capability, it's possible to trace
> the spoofed traffic back to its origin network, or at least some network or
> networks topologically proximate to the origin network.
>
> That's what Damian is suggesting.
>
> --------------------------------------------
> Roland Dobbins <roland.dobbins () netscout com>