nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

From: Jared Mauch <jared () puck nether net>
Date: Mon, 27 Jan 2020 20:43:47 -0500
You will still see backscatter which will let you know your space is being spoofed as well. 

This will show in your telemetry. 

Sent from my iCar


On Jan 27, 2020, at 7:57 PM, Mike Hammett <nanog () ics-il net> wrote:


How would they know what to look for?

I'm assuming Sony isn't cooperating.



-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

From: "Ben Cannon" <ben () 6by7 net>
To: "Mike Hammett" <nanog () ics-il net>
Cc: "Roland Dobbins" <Roland.Dobbins () netscout com>, "NANOG Operators' Group" <nanog () nanog org>
Sent: Monday, January 27, 2020 6:40:25 PM
Subject: Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

Transit carriers could work the flows backwards.

-Ben Cannon
CEO 6x7 Networks & 6x7 Telecom, LLC 
ben () 6by7 net




On Jan 27, 2020, at 4:39 PM, Mike Hammett <nanog () ics-il net> wrote:

If someone is being spoofed, they aren't receiving the spoofed packets. How are they supposed to collect anything on 
the attack?

Offending host pretending to be Octolus -> Sony -> Real Octolus.




-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

From: "Roland Dobbins" <Roland.Dobbins () netscout com>
To: "Octolus Development" <admin () octolus net>
Cc: "Heather Schiller via NANOG" <nanog () nanog org>
Sent: Monday, January 27, 2020 6:29:16 PM
Subject: Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC



On Jan 28, 2020, at 04:12, Octolus Development <admin () octolus net> wrote:

It is impossible to find the true origin of where the spoofed attacks are coming from.

This is demonstrably untrue. 

If you provide the requisite information to operators, they can look through their flow telemetry collection/analysis 
systems in order to determine whether the spoofed traffic traversed their network; if it did so, they will see where 
it ingressed their network. 

With enough participants who have this capability, it's possible to trace the spoofed traffic back to its origin 
network, or at least some network or networks topologically proximate to the origin network. 

That's what Damian is suggesting. 

--------------------------------------------
Roland Dobbins <roland.dobbins () netscout com>
Previous By Date Next
Previous By Thread Next

Current thread: