DDOS solution recommendation

Grant Taylor gtaylor at tnetconsulting.net
Mon Jan 12 04:14:10 UTC 2015

On 01/11/2015 07:42 PM, Mark Andrews wrote:
> Just because you can only identify one of the two remotes doesn't
> mean that you can't report the addresses.  It is involved in the
> communication stream.

It is very difficult to make a case that the host with the spoofed IP 
address is attacking you when it is not even sending any traffic to you. 
  The ISP will very likely not see ANY traffic originating from spoofed 
IP destined to your server.

So what you do know is effectively useless.

> Actually it is coming from where you think it is coming from, just
> not directly.

No, not quite.

1 - Spammer (A) sends packets to server (B) spoofing the source address 
of the relay (C).
      (A spoofed as)  C -> B
2 - Server (B) replies to relay (C)
      B -> C
3 - Relay (C) sends packets to spammer (A).
      C -> A

Notice how the relay (C) is never sending packets -to- the server (B). 
The traffic is NOT coming from the relay (C).

This is not a case of the spammer (A) sending to the relay (C) that is 
then sending the traffic to the server (B).

There is no traffic originating from the relay (C) going to the server 
(B).  Thus there is nothing to be caught by the relay's ISP ISP filter. 
  You could even use this technique on ISPs that block outbound traffic 
to TCP port 25.  (Like many cable / DSL providers.)

Also notice how the server (B) never knows the spammer's (A) real IP.

This is very similar in concept to a Joe Job, but at the TCP layer, not 
the SMTP application layer.


The point of this is that it is possible, and occurring in the wild, to 
spoof TCP source IP addresses.  -  So, don't blindly trust the source IP 
address used for TCP connections.  -  It is possible (if not practical) 
to spoof them and have a successfully transmission.

Grant. . . .
unix || die

More information about the NANOG mailing list