DDOS solution recommendation

Mark Andrews marka at isc.org
Mon Jan 12 07:06:57 UTC 2015


In message <54B34A12.4000704 at tnetconsulting.net>, Grant Taylor writes:
> On 01/11/2015 07:42 PM, Mark Andrews wrote:
> > Just because you can only identify one of the two remotes doesn't
> > mean that you can't report the addresses.  It is involved in the
> > communication stream.
> 
> It is very difficult to make a case that the host with the spoofed IP 
> address is attacking you when it is not even sending any traffic to you. 

It is accepting the reply traffic and forwarding it to the originator.
It is directly involved.

>   The ISP will very likely not see ANY traffic originating from spoofed 
> IP destined to your server.

They will see the reply traffic and will see the acks increasing etc.

> So what you do know is effectively useless.
> 
> > Actually it is coming from where you think it is coming from, just
> > not directly.
> 
> No, not quite.
> 
> 1 - Spammer (A) sends packets to server (B) spoofing the source address 
> of the relay (C).
>       (A spoofed as)  C -> B
> 2 - Server (B) replies to relay (C)
>       B -> C
> 3 - Relay (C) sends packets to spammer (A).
>       C -> A
> 
> Notice how the relay (C) is never sending packets -to- the server (B). 
> The traffic is NOT coming from the relay (C).
> 
> This is not a case of the spammer (A) sending to the relay (C) that is 
> then sending the traffic to the server (B).
> 
> There is no traffic originating from the relay (C) going to the server 
> (B).  Thus there is nothing to be caught by the relay's ISP ISP filter. 
>   You could even use this technique on ISPs that block outbound traffic 
> to TCP port 25.  (Like many cable / DSL providers.)
> 
> Also notice how the server (B) never knows the spammer's (A) real IP.
> 
> This is very similar in concept to a Joe Job, but at the TCP layer, not 
> the SMTP application layer.
> 
> ----
> 
> The point of this is that it is possible, and occurring in the wild, to 
> spoof TCP source IP addresses.  -  So, don't blindly trust the source IP 
> address used for TCP connections.  -  It is possible (if not practical) 
> to spoof them and have a successfully transmission.

There is no difference to this than asymetric routing.  The address you are
presented with is part of the communication path.

> -- 
> Grant. . . .
> unix || die
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the NANOG mailing list