nanog mailing list archives
Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
From: Damian Menscher via NANOG <nanog () nanog org>
Date: Mon, 27 Jan 2020 17:32:08 -0800
On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov <ximaera () gmail com> wrote:
> On Tue, Jan 28, 2020, 4:02 AM Damian Menscher via NANOG <nanog () nanog org> wrote:
>> The victim already posted the signature to this thread:
>>  - source IP: 51.81.119.7
>>  - protocol: 6 (tcp)
>>  - tcp_flags: 2 (syn)
>> That alone is sufficient for Level3/CenturyLink/etc to identify the source of this abuse and apply filters, if they choose.
>
> If this endpoint doesn't connect to anything outside of their network, then yes. If it does though, the design of the filter might become more complicated.

Not really... just requires sorting by volume. Turns out most legitimate hosts don't send high-volume syn packets. ;) The same could be said of high-volume UDP packets destined to known amplification ports.

> If the OP posted their IPv4 addresses and networks to the list, it could've been easier though (however the concerns about the administrative processing procedures outlined before still apply).

The victim info is only really needed if you are focused on a particular case. A motivated person at a transit provider could likely identify all sources of spoofing (from their customers) with a day's work. Multiple transit providers would need to work together to address all cases, as the source might be a customer of only one of them.

If anyone at a transit provider wants to attempt this feel free to contact me off-list for tips.

Damian
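
The volume sort described in the message above, as an added example that is not code from the thread or its participants: it totals SYN-only TCP packets per customer port and source IP, sorts by volume, and flags heavy sources that fall outside the prefixes a customer is expected to use. The flow record layout, the `cust-*` port names, the prefix table and the `min_pkts` threshold are assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real data): ingress customer port,
# source IP, IP protocol, cumulative TCP flags, packet count.
FLOWS = [
    ("cust-A", "51.81.119.7", 6, 2, 480000),   # matches the posted signature
    ("cust-A", "51.81.119.7", 6, 2, 515000),
    ("cust-A", "192.0.2.10", 6, 2, 40),
    ("cust-A", "192.0.2.10", 6, 27, 9000),     # completed connections, not SYN-only
    ("cust-B", "198.51.100.5", 6, 2, 120),
    ("cust-B", "198.51.100.9", 17, 0, 700000), # UDP, ignored by the SYN filter
    ("cust-C", "203.0.113.77", 6, 2, 65),
]

# Hypothetical prefixes each customer is expected to source traffic from.
CUSTOMER_PREFIXES = {
    "cust-A": ["192.0.2.0/24"],
    "cust-B": ["198.51.100.0/24"],
    "cust-C": ["203.0.113.0/24"],
}

TCP, SYN_ONLY = 6, 2  # signature from the thread: protocol 6, tcp_flags 2


def syn_volume(flows):
    """Sum SYN-only TCP packets per (customer port, source IP), largest first."""
    totals = defaultdict(int)
    for port, src, proto, flags, pkts in flows:
        if proto == TCP and flags == SYN_ONLY:
            totals[(port, src)] += pkts
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def spoof_candidates(flows, prefixes, min_pkts=10000):
    """High-volume SYN sources that fall outside the customer's own prefixes."""
    hits = []
    for (port, src), pkts in syn_volume(flows):
        nets = [ipaddress.ip_network(p) for p in prefixes.get(port, [])]
        inside = any(ipaddress.ip_address(src) in n for n in nets)
        if pkts >= min_pkts and not inside:
            hits.append((port, src, pkts))
    return hits


if __name__ == "__main__":
    for port, src, pkts in spoof_candidates(FLOWS, CUSTOMER_PREFIXES):
        print(f"{port}: {pkts} SYN-only packets from out-of-prefix source {src}")
```
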