DDOS solution recommendation
Grant Taylor
gtaylor at tnetconsulting.net
Mon Jan 12 04:14:10 UTC 2015
On 01/11/2015 07:42 PM, Mark Andrews wrote:
> Just because you can only identify one of the two remotes doesn't
> mean that you can't report the addresses. It is involved in the
> communication stream.
It is very difficult to make a case that the host with the spoofed IP
address is attacking you when it is not even sending any traffic to you.
The ISP will very likely not see ANY traffic originating from spoofed
IP destined to your server.
So what you do know is effectively useless.
> Actually it is coming from where you think it is coming from, just
> not directly.
No, not quite.
1 - Spammer (A) sends packets to server (B) spoofing the source address
of the relay (C).
(A spoofed as) C -> B
2 - Server (B) replies to relay (C)
B -> C
3 - Relay (C) sends packets to spammer (A).
C -> A
Notice how the relay (C) is never sending packets -to- the server (B).
The traffic is NOT coming from the relay (C).
This is not a case of the spammer (A) sending to the relay (C) that is
then sending the traffic to the server (B).
There is no traffic originating from the relay (C) going to the server
(B). Thus there is nothing to be caught by the relay's ISP ISP filter.
You could even use this technique on ISPs that block outbound traffic
to TCP port 25. (Like many cable / DSL providers.)
Also notice how the server (B) never knows the spammer's (A) real IP.
This is very similar in concept to a Joe Job, but at the TCP layer, not
the SMTP application layer.
----
The point of this is that it is possible, and occurring in the wild, to
spoof TCP source IP addresses. - So, don't blindly trust the source IP
address used for TCP connections. - It is possible (if not practical)
to spoof them and have a successfully transmission.
--
Grant. . . .
unix || die
More information about the NANOG
mailing list