nanog mailing list archives

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC


From: Damian Menscher via NANOG <nanog () nanog org>
Date: Mon, 27 Jan 2020 17:32:08 -0800

On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov <ximaera () gmail com> wrote:

> On Tue, Jan 28, 2020, 4:02 AM Damian Menscher via NANOG <nanog () nanog org>
> wrote:
>
>> The victim already posted the signature to this thread:
>>   - source IP: 51.81.119.7
>>   - protocol: 6 (tcp)
>>   - tcp_flags: 2 (syn)
>>
>> That alone is sufficient for Level3/CenturyLink/etc to identify the
>> source of this abuse and apply filters, if they choose.
>
> If this endpoint doesn't connect to anything outside of their network,
> then yes.
> If it does though, the design of the filter might become more complicated.

Not really... just requires sorting by volume.  Turns out most legitimate
hosts don't send high-volume syn packets. ;)  The same could be said of
high-volume UDP packets destined to known amplification ports.

> If the OP posted their IPv4 addresses and networks to the list, it could've
> been easier though (however the concerns about the administrative
> processing procedures outlined before still apply).


The victim info is only really needed if you are focused on a particular
case.  A motivated person at a transit provider could likely identify all
sources of spoofing (from their customers) with a day's work.  Multiple
transit providers would need to work together to address all cases, as the
source might be a customer of only one of them.

If anyone at a transit provider wants to attempt this feel free to contact
me off-list for tips.

Damian
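The "sort by volume" heuristic from the message above, as an added example that is not part of the original post or any provider's tooling: it aggregates constructed flow records per source, counts only SYN-only TCP packets and UDP packets aimed at well-known amplification ports, and ranks sources by that volume. The flow tuple layout, the sample addresses (RFC 5737 documentation ranges) and the `min_packets` threshold are assumptions for illustration.

```python
"""Rank traffic sources by volume of SYN-only TCP and UDP-to-amplifier
packets. Flow records below are constructed sample data, not telemetry."""
from collections import defaultdict

# Well-known UDP reflection/amplification service ports.
AMPLIFICATION_PORTS = {19, 53, 123, 161, 1900, 11211}
TCP, UDP = 6, 17
SYN = 0x02

# Constructed flow records: (src_ip, proto, dst_port, tcp_flags, packets).
SAMPLE_FLOWS = [
    ("192.0.2.10", TCP, 443, 0x18, 1200),     # normal ACK/PSH web traffic
    ("192.0.2.10", TCP, 443, 0x02, 40),       # a few legitimate SYNs
    ("198.51.100.7", TCP, 80, 0x02, 900000),  # high-volume SYN sender
    ("198.51.100.9", UDP, 123, 0, 450000),    # high-volume UDP to NTP port
    ("192.0.2.20", UDP, 123, 0, 300),         # normal NTP client
    ("192.0.2.21", UDP, 53, 0, 2500),         # normal resolver traffic
]


def is_suspect_packet(proto, dst_port, tcp_flags):
    """SYN-only TCP, or UDP aimed at a known amplification port."""
    if proto == TCP:
        return tcp_flags == SYN
    if proto == UDP:
        return dst_port in AMPLIFICATION_PORTS
    return False


def rank_sources(flows, min_packets=10000):
    """Sum suspect packets per source IP and return the sources at or above
    the threshold, highest volume first. The threshold is a hypothetical
    tuning knob an operator would set from their own baseline."""
    totals = defaultdict(int)
    for src, proto, dst_port, flags, packets in flows:
        if is_suspect_packet(proto, dst_port, flags):
            totals[src] += packets
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(src, n) for src, n in ranked if n >= min_packets]


if __name__ == "__main__":
    for src, n in rank_sources(SAMPLE_FLOWS):
        print(f"{src}: {n} suspect packets")
```

Legitimate hosts in the sample fall well below the threshold even though they also send some SYNs and some UDP to port 123, which is the point of ranking by volume rather than matching on flags alone.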
