DDOS solution recommendation
Mark Andrews
marka at isc.org
Mon Jan 12 01:42:00 UTC 2015
In message <54B31BBE.3000502 at tnetconsulting.net>, Grant Taylor writes:
> On 01/11/2015 03:22 PM, Mike Hammett wrote:
> > I know that UDP can be spoofed, but it's not likely that the SSH,
> > mail, etc. login attempts, web page hits, etc. would be spoofed as
> > they'd have to know the response to be of any good.
>
> I encourage you to investigate "Triangular Spamming".
> (http://www.cs.ucr.edu/~zhiyunq/pub/oakland10_triangular_spamming.pdf)
> The "Triangular..." technique does specifically that, allow the attacker
> to "...know the responses...".
>
> In short, the bot receives the reply to the spoofed source IP and
> forwards information on to the attacker so that it can continue the
> conversation. In effect, three parties are having a one way
> conversation in a ring.
Just because you can only identify one of the two remotes doesn't
mean that you can't report the addresses. It is involved in the
communication stream.
> > There's more going on than UDP spoofing\amplification. Frankly the
> > most damaging thing to me has been SMTP hijacking. For you to login
> > to my SMTP server and send e-mail out, there's going to be one hell
> > of a conversation going on.
>
> Yes, there is what appears to you to be a conversation going on.
> However, the source of what you are hearing is not where you think it's
> from.
Actually it is coming from where you think it is coming from, just not
directly.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org