Reaching out to Sony NOC, resolving DDoS Issues - Need POC

Damian Menscher damian at google.com
Tue Jan 28 01:00:56 UTC 2020


The victim already posted the signature to this thread:
  - source IP: 51.81.119.7
  - protocol: 6 (tcp)
  - tcp_flags: 2 (syn)

That alone is sufficient for Level3/CenturyLink/etc to identify the source
of this abuse and apply filters, if they choose.

For a more detailed explanation of how to trace and filter spoofed attacks,
see my talk at NANOG last year:
https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976

Damian

On Mon, Jan 27, 2020 at 4:57 PM Mike Hammett <nanog at ics-il.net> wrote:

> How would they know what to look for?
>
> I'm assuming Sony isn't cooperating.
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ------------------------------
> *From: *"Ben Cannon" <ben at 6by7.net>
> *To: *"Mike Hammett" <nanog at ics-il.net>
> *Cc: *"Roland Dobbins" <Roland.Dobbins at netscout.com>, "NANOG Operators'
> Group" <nanog at nanog.org>
> *Sent: *Monday, January 27, 2020 6:40:25 PM
> *Subject: *Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
>
> Transit carriers could work the flows backwards.
>
> -Ben Cannon
> CEO 6x7 Networks & 6x7 Telecom, LLC
> ben at 6by7.net
>
>
>
> On Jan 27, 2020, at 4:39 PM, Mike Hammett <nanog at ics-il.net> wrote:
>
> If someone is being spoofed, they aren't receiving the spoofed packets.
> How are they supposed to collect anything on the attack?
>
> Offending host pretending to be Octolus -> Sony -> Real Octolus.
>
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ------------------------------
> *From: *"Roland Dobbins" <Roland.Dobbins at netscout.com>
> *To: *"Octolus Development" <admin at octolus.net>
> *Cc: *"Heather Schiller via NANOG" <nanog at nanog.org>
> *Sent: *Monday, January 27, 2020 6:29:16 PM
> *Subject: *Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
>
>
>
> On Jan 28, 2020, at 04:12, Octolus Development <admin at octolus.net> wrote:
>
> It is impossible to find the true origin of where the spoofed attacks are
> coming from.
>
>
> This is demonstrably untrue.
>
> If you provide the requisite information to operators, they can look
> through their flow telemetry collection/analysis systems in order to
> determine whether the spoofed traffic traversed their network; if it did
> so, they will see where it ingressed their network.
>
> With enough participants who have this capability, it's possible to trace
> the spoofed traffic back to its origin network, or at least some network or
> networks topologically proximate to the origin network.
>
> That's what Damian is suggesting.
>
> --------------------------------------------
> Roland Dobbins <roland.dobbins at netscout.com>
>
>
>
>
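The flow-telemetry lookup Roland describes, applied to the signature Damian posted, as an added example (not code from anyone in this thread): it filters NetFlow-style records for the source IP, protocol and SYN-only flag value, then totals matching packets per ingress interface and peer AS, which is the information an upstream needs to see where the spoofed traffic entered. The flow records, interface indices and ASNs are constructed.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass

TCP_SYN = 0x02  # tcp_flags value 2 from the posted signature (SYN only)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int
    tcp_flags: int
    in_if: int      # ingress interface index on the collecting router
    peer_as: int    # BGP peer the flow arrived from
    packets: int


# Constructed sample export (hypothetical interfaces, peers and counts).
# Only the signature fields come from the thread; 203.0.113.10 stands in
# for the target. Row 4 is a SYN/ACK (0x12), rows 5-6 do not match at all.
SAMPLE_FLOW_CSV = """\
src_ip,dst_ip,proto,tcp_flags,in_if,peer_as,packets
51.81.119.7,203.0.113.10,6,2,17,64500,48000
51.81.119.7,203.0.113.10,6,2,17,64500,51000
51.81.119.7,203.0.113.10,6,2,23,64510,1200
51.81.119.7,203.0.113.10,6,18,5,64520,300
198.51.100.9,203.0.113.10,6,2,17,64500,40
51.81.119.7,203.0.113.10,17,0,17,64500,900
"""


def parse_flows(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Flow(r["src_ip"], r["dst_ip"], int(r["proto"]), int(r["tcp_flags"]),
                 int(r["in_if"]), int(r["peer_as"]), int(r["packets"])) for r in rows]


def matches_signature(flow, src_ip, proto, tcp_flags):
    # Exact flag match: a SYN flood carries tcp_flags == 2. A SYN/ACK or ACK
    # from a genuine handshake with that address would not be counted.
    return flow.src_ip == src_ip and flow.proto == proto and flow.tcp_flags == tcp_flags


def ingress_summary(flows, src_ip="51.81.119.7", proto=6, tcp_flags=TCP_SYN):
    """Packets matching the signature, keyed by (ingress interface, peer AS)."""
    totals = Counter()
    for f in flows:
        if matches_signature(f, src_ip, proto, tcp_flags):
            totals[(f.in_if, f.peer_as)] += f.packets
    return dict(totals)


def likely_ingress(flows, **signature):
    """The (in_if, peer_as) carrying most matching packets, or None if nothing matched."""
    summary = ingress_summary(flows, **signature)
    return max(summary, key=summary.get) if summary else None
```

Each operator along the path repeats the same query against its own collector and hands the resulting peer to the next network upstream; the ingress peer is where a filter for this signature can be applied.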