Reaching out to Sony NOC, resolving DDoS Issues - Need POC
Damian Menscher
damian at google.com
Tue Jan 28 01:32:08 UTC 2020
On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov <ximaera at gmail.com> wrote:
> On Tue, Jan 28, 2020, 4:02 AM Damian Menscher via NANOG <nanog at nanog.org>
> wrote:
>
>> The victim already posted the signature to this thread:
>> - source IP: 51.81.119.7
>> - protocol: 6 (tcp)
>> - tcp_flags: 2 (syn)
>>
>> That alone is sufficient for Level3/CenturyLink/etc to identify the
>> source of this abuse and apply filters, if they choose.
>>
>
> If this endpoint doesn't connect to anything outside of their network,
> then yes.
> If it does though, the design of the filter might become more complicated.
>
Not really... just requires sorting by volume. Turns out most legitimate
hosts don't send high-volume syn packets. ;) The same could be said of
high-volume UDP packets destined to known amplification ports.
> If the OP posted their IPv4 addresses and networks to the list, it could've
> been easier though (however the concerns about the administrative
> processing procedures outlined before still apply).
>
The victim info is only really needed if you are focused on a particular
case. A motivated person at a transit provider could likely identify all
sources of spoofing (from their customers) with a day's work. Multiple
transit providers would need to work together to address all cases, as the
source might be a customer of only one of them.
If anyone at a transit provider wants to attempt this feel free to contact
me off-list for tips.
Damian
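The "sort by volume" heuristic described above, as an added example that is not part of the original post or any provider's tooling: constructed flow records are aggregated per source into SYN-only TCP packets and UDP packets to well-known reflection ports, ranked by volume, and each high-volume source is checked against an assumed per-customer prefix table so a transit provider can see which of its ingress ports are emitting spoofed traffic.

```python
"""Rank ingress sources by SYN / reflection-port UDP volume and flag sources
outside the ingress customer's prefixes (added example, constructed data)."""
import ipaddress
from collections import defaultdict

# Well-known UDP reflection ports: chargen, DNS, NTP, CLDAP, SSDP, memcached.
AMPLIFICATION_PORTS = {19, 53, 123, 389, 1900, 11211}
TCP, UDP, SYN_ONLY = 6, 17, 0x02

# Assumption: the transit provider knows which prefixes each customer port may
# legitimately source (documentation-range prefixes, constructed here).
CUSTOMER_PREFIXES = {
    "cust-A": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/24")],
}

def classify(flow):
    """Return 'syn', 'amp' or None for one flow record."""
    if flow["proto"] == TCP and flow["tcp_flags"] == SYN_ONLY:
        return "syn"
    if flow["proto"] == UDP and flow["dst_port"] in AMPLIFICATION_PORTS:
        return "amp"
    return None

def is_spoofed(src, ingress):
    """True when src is not inside any prefix the ingress customer may source."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in CUSTOMER_PREFIXES.get(ingress, []))

def rank_sources(flows, min_packets=1000):
    """Sum suspicious packets per (src, ingress); rows sorted by volume, descending.
    Row: (src, ingress, syn_packets, amp_packets, spoofed). Low totals are dropped."""
    acc = defaultdict(lambda: {"syn": 0, "amp": 0})
    for f in flows:
        kind = classify(f)
        if kind:
            acc[(f["src"], f["ingress"])][kind] += f["packets"]
    rows = [(src, ing, c["syn"], c["amp"], is_spoofed(src, ing))
            for (src, ing), c in acc.items() if c["syn"] + c["amp"] >= min_packets]
    return sorted(rows, key=lambda r: -(r[2] + r[3]))

# Constructed flow records (not real traffic); fields follow the thread's
# signature (src, proto, tcp_flags) plus dst_port, packets and ingress port.
SAMPLE_FLOWS = [
    {"src": "203.0.113.7", "ingress": "cust-A", "proto": 6, "tcp_flags": 0x02, "dst_port": 443, "packets": 250000},
    {"src": "203.0.113.7", "ingress": "cust-A", "proto": 6, "tcp_flags": 0x02, "dst_port": 80, "packets": 120000},
    {"src": "198.51.100.9", "ingress": "cust-B", "proto": 17, "tcp_flags": 0, "dst_port": 123, "packets": 90000},
    {"src": "192.0.2.30", "ingress": "cust-A", "proto": 6, "tcp_flags": 0x18, "dst_port": 443, "packets": 500000},  # PSH|ACK: ordinary traffic
    {"src": "192.0.2.40", "ingress": "cust-A", "proto": 6, "tcp_flags": 0x02, "dst_port": 22, "packets": 12},  # low volume
]
```

The ordinary high-volume PSH|ACK source and the tiny SYN source never appear in the ranking, while the top row is both high-volume and outside its ingress customer's prefixes, which is the case a provider would filter first.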