ISP port blocking practice

Dobbins, Roland rdobbins at
Fri Sep 3 20:11:49 UTC 2010

On Sep 3, 2010, at 10:23 PM, William Herrin wrote:

> Frankly, Zhiyun offers the first truly rational case I've personally seen for packet filtering based on the TCP source port.

While the paper is entertaining and novel, and reflects a lot of creativity and hard work on the part of the research team, it's doubtful that any serious spammer has ever sent spam this way.  I've certainly never run across it, nor do I know anyone else who has done so.  

The lack of citations of documented cases in the footnotes, or indeed any projections or discussion of the postulated commonality of this technique tends to support the above view, IMHO.

Spammers typically do business with botmasters, and those botmasters have thousands/tens of thousands/hundreds of thousands/millions of bots at their disposal.  The supposed economies of scale achieved by 'triangular spamming' (a better name would be something like 'bifurcated false-flag proxying', as spamming is just a use-case of the more generalized, though esoteric technique described in the paper) are far outweighed by its operational complexity and the sheer volume of botnets available to pump out spam 24/7.  

The supposed performance benefits described in the paper are likely considerably exaggerated, given the RTT and resultant latency of the return traffic via the remote proxy half.  The sheer economies of scale offered by conventional botnets greatly outweigh the benefits and caveats of the described technique.

The use of routers cracked via credential brute-forcing (no iACLs, no vty ACLs, no AAA, 'cisco/cisco') and configured with GRE tunnels and NAT, sometimes in conjunction with prefix-hijacking, is a more commonly-used spamming technique than that described in the paper.

There are a lot of really smart people engaged in all kinds of security-related research, and it's encouraging to see such talented folks thinking outside of the box.  In future, vetting of postulated scenarios with the operational community prior to embarking upon lengthy, resource-intensive research projects may be one way to ensure that subsequent efforts are even more tightly focused on more proximate threats, and can also help reduce the continued citation of canards such as attempts to overload such opaque, arbitrary, and unreliable metrics as TTL with more significance than they actually warrant.

Roland Dobbins <rdobbins at>

Sell your computer and buy a guitar.
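The post's second-to-last paragraph names the concrete weaknesses that let spammers take over edge routers: no infrastructure or vty ACLs, no AAA, factory 'cisco/cisco' credentials, and the GRE-plus-NAT configuration they leave behind. As an added example (not from the post or from NANOG), the script below audits a Cisco IOS-style running-config text for exactly those conditions. The configs, the finding codes and the credential watchlist are constructed for illustration; the config parser is a minimal hypothetical helper and not a full IOS grammar.

```python
"""Audit an IOS-style running-config for the weaknesses named in the post.

Findings: NO_AAA, DEFAULT_CREDENTIALS, VTY_NO_ACCESS_CLASS, GRE_TUNNEL_WITH_NAT.
Added example; the configs below are constructed, not captured from a device.
"""
import re

# Constructed "before" config: default creds, no AAA, open vty, GRE tunnel + NAT.
WEAK_CONFIG = """\
hostname edge-rtr
!
username cisco privilege 15 password 0 cisco
!
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.10
 tunnel mode gre ip
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
line vty 0 4
 login
!
end
"""

# Constructed "after" config: AAA, non-default secret, vty restricted by ACL, no tunnel/NAT.
HARDENED_CONFIG = """\
hostname edge-rtr
!
aaa new-model
aaa authentication login default group tacacs+ local
!
username ops privilege 15 secret 5 $1$EXAMPLE$placeholderhash
!
access-list 10 permit 10.0.0.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
!
line vty 0 4
 access-class 10 in
 login authentication default
 transport input ssh
!
end
"""

# Constructed watchlist of factory username/password pairs.
DEFAULT_CREDS = {("cisco", "cisco"), ("admin", "admin")}


def parse_blocks(config):
    """Split config text into (header line, [indented child lines]) blocks."""
    blocks = []
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):           # indented: belongs to the current block
            if current is not None:
                current[1].append(line.strip())
        else:                               # top-level command starts a new block
            current = (line, [])
            blocks.append(current)
    return blocks


def audit_config(config):
    """Return a sorted list of finding codes for the given config text."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings = set()

    # 1. No AAA: authentication falls back to local line/username passwords only.
    if not any(h.startswith("aaa new-model") for h in headers):
        findings.add("NO_AAA")

    # 2. Factory credentials left in place (plaintext or type-0 password lines).
    for h in headers:
        m = re.match(r"username (\S+) .*?(?:password|secret) (?:\d )?(\S+)$", h)
        if m and (m.group(1), m.group(2)) in DEFAULT_CREDS:
            findings.add("DEFAULT_CREDENTIALS")

    # 3. vty lines reachable from anywhere: no access-class on the line block.
    for h, children in blocks:
        if h.startswith("line vty") and not any(c.startswith("access-class") for c in children):
            findings.add("VTY_NO_ACCESS_CLASS")

    # 4. GRE tunnel (Tunnel interface with a destination) alongside NAT config.
    has_tunnel = any(h.startswith("interface Tunnel")
                     and any(c.startswith("tunnel destination") for c in ch)
                     for h, ch in blocks)
    has_nat = any(h.startswith("ip nat ") for h in headers) or any(
        c in ("ip nat inside", "ip nat outside") for _, ch in blocks for c in ch)
    if has_tunnel and has_nat:
        findings.add("GRE_TUNNEL_WITH_NAT")

    return sorted(findings)


if __name__ == "__main__":
    print("weak:    ", audit_config(WEAK_CONFIG))
    print("hardened:", audit_config(HARDENED_CONFIG))
```

Run it over a saved `show running-config` (strip the device-specific banner first) and any non-empty result is worth a ticket; the GRE-plus-NAT finding is the one most likely to be a legitimate design choice, so treat it as a prompt to confirm the tunnel endpoint is one you own rather than as a defect in itself.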
