DDOS solution recommendation
Mark Andrews
marka at isc.org
Mon Jan 12 07:06:57 UTC 2015
In message <54B34A12.4000704 at tnetconsulting.net>, Grant Taylor writes:
> On 01/11/2015 07:42 PM, Mark Andrews wrote:
> > Just because you can only identify one of the two remotes doesn't
> > mean that you can't report the addresses. It is involved in the
> > communication stream.
>
> It is very difficult to make a case that the host with the spoofed IP
> address is attacking you when it is not even sending any traffic to you.
It is accepting the reply traffic and forwarding it to the originator.
It is directly involved.
> The ISP will very likely not see ANY traffic originating from spoofed
> IP destined to your server.
They will see the reply traffic and will see the acks increasing etc.
> So what you do know is effectively useless.
>
> > Actually it is coming from where you think it is coming from, just
> > not directly.
>
> No, not quite.
>
> 1 - Spammer (A) sends packets to server (B) spoofing the source address
> of the relay (C).
> (A spoofed as) C -> B
> 2 - Server (B) replies to relay (C)
> B -> C
> 3 - Relay (C) sends packets to spammer (A).
> C -> A
>
> Notice how the relay (C) is never sending packets -to- the server (B).
> The traffic is NOT coming from the relay (C).
>
> This is not a case of the spammer (A) sending to the relay (C) that is
> then sending the traffic to the server (B).
>
> There is no traffic originating from the relay (C) going to the server
> (B). Thus there is nothing to be caught by the relay's ISP filter.
> You could even use this technique on ISPs that block outbound traffic
> to TCP port 25. (Like many cable / DSL providers.)
>
> Also notice how the server (B) never knows the spammer's (A) real IP.
>
> This is very similar in concept to a Joe Job, but at the TCP layer, not
> the SMTP application layer.
>
> ----
>
> The point of this is that it is possible, and occurring in the wild, to
> spoof TCP source IP addresses. - So, don't blindly trust the source IP
> address used for TCP connections. - It is possible (if not practical)
> to spoof them and have a successful transmission.
There is no difference to this than asymmetric routing. The address you are
presented with is part of the communication path.
> --
> Grant. . . .
> unix || die
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
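Added example, not part of the thread above: a defender-side heuristic for the relay's ISP vantage point Mark describes (reply traffic arriving at C with increasing ACK numbers, and nothing from C toward B). It flags TCP sessions where a local host only ever receives from a remote peer, starting with a SYN/ACK. All addresses, ports and packets are constructed sample data (TEST-NET ranges); the `Packet` type and `reply_only_flows` function are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    ack: int  # acknowledgement number carried by the packet


def reply_only_flows(packets, local_prefix):
    """Return (local_host, local_port, remote_host, remote_port) for sessions
    where the local host receives a SYN/ACK plus further segments whose ACK
    numbers keep rising, yet never sends a single packet to that peer.
    That is the pattern a spoofed-source TCP session leaves at C's ISP."""
    seen = defaultdict(lambda: {"out": 0, "synack": False, "acks": []})
    for p in packets:
        inbound = p.dst.startswith(local_prefix) and not p.src.startswith(local_prefix)
        outbound = p.src.startswith(local_prefix) and not p.dst.startswith(local_prefix)
        if inbound:
            s = seen[(p.dst, p.dport, p.src, p.sport)]
            if p.flags & SYN and p.flags & ACK:
                s["synack"] = True
            s["acks"].append(p.ack)
        elif outbound:
            seen[(p.src, p.sport, p.dst, p.dport)]["out"] += 1
    suspicious = []
    for key, s in seen.items():
        acks = s["acks"]
        rising = len(acks) > 1 and acks == sorted(acks) and acks[-1] > acks[0]
        if s["out"] == 0 and s["synack"] and rising:
            suspicious.append(key)
    return sorted(suspicious)


# Constructed sample: C = 192.0.2.5 (ISP customer), B = 203.0.113.10 (server),
# plus a normal session from C to 198.51.100.7 for contrast.
SAMPLE = [
    Packet("203.0.113.10", "192.0.2.5", 25, 40000, SYN | ACK, 1001),   # B -> C SYN/ACK
    Packet("203.0.113.10", "192.0.2.5", 25, 40000, ACK, 1461),         # B -> C, ack rises
    Packet("203.0.113.10", "192.0.2.5", 25, 40000, ACK, 1921),         # B -> C, ack rises
    Packet("192.0.2.5", "198.51.100.7", 50000, 443, SYN, 0),           # normal: C -> peer SYN
    Packet("198.51.100.7", "192.0.2.5", 443, 50000, SYN | ACK, 1),     # normal: peer SYN/ACK
    Packet("192.0.2.5", "198.51.100.7", 50000, 443, ACK, 1),           # normal: C -> peer ACK
]
```

Run over real flow records, a match points at the customer host whose address is being used as the spoofed source, which is the report the thread says C's ISP is in a position to act on.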