DDOS solution recommendation

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Jan 12 16:35:58 UTC 2015


On Mon, 12 Jan 2015 18:06:57 +1100, Mark Andrews said:

> >   The ISP will very likely not see ANY traffic originating from spoofed
> > IP destined to your server.
>
> They will see the reply traffic and will see the acks increasing etc.

Assuming they think to *look* for it.

99.8% of ISPs will get a complaint "Your IP w.x.y.z is sending me spam", drop a
tap on the IP address, see no matching outbound traffic, and hit delete on the
complaint.  They will almost certainly not think to look in something like the
ICMP port unreachable packets the address is sending to some *other* address.
(Remember, the compromised relay machine has to send *very* little info back to
the actual sending box - TCP sequence numbers, maybe windows, and SMTP reply
codes that can be encoded in 1 byte or even less)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 848 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20150112/5a1798bd/attachment.sig>


More information about the NANOG mailing list