Krebs on Security booted off Akamai network after DDoS attack proves pricey

Hugo Slabbert hugo at
Fri Sep 23 21:39:54 UTC 2016

On Fri 2016-Sep-23 17:29:59 -0400, Jared Mauch <jared at> wrote:

>> On Sep 23, 2016, at 5:24 PM, Hugo Slabbert <hugo at> wrote:
>> Please tell me why I can't spoof source IPs on a stateless protocol like GRE. If he specifically meant you can't spoof a source, hit a reflector, and gain amplification, sure, but I see zero reason why GRE can't have spoofed source IPs. It bothered me sufficiently that I wrote up some spit-balling ideas about reflecting GRE using double encapsulation[2]. Very rough and untested, but apparently I got a bee in my bonnet...
>my guess is the GRE traffic was harder to filter because many providers use GRE to deliver ‘clean’ traffic back to origin sites.

But those tunnels generally wouldn't terminate on addresses within the 
protected block.  If I'm protecting for you, things would get 
confused if my GRE tunnel dest is somewhere in because I 
would have a route for across the GRE tunnel (either static 
or more conventionally learned via BGP).  I'd bank it on either a provider 
touchdown or another unprotected block, otherwise I'd have a recursive 
routing issue where the tunnel destination would get routed through the GRE 
tunnel.  I've been there with bouncy-bouncy tunnels on service turn-up when 
that was flubbed.

Alternatively, I could pin /32s for the tunnel destinations and still learn 
the shorter protected block, but even so I should then know which source 
(my) and dest (customer's) IPs to exclude explicitly from the GRE 

If the attackers were hitting the GRE tunnel destination and spoofing the 
tunnel source that would make things harder, but that's starting to get 
into rather intimate knowledge of the scrubber's and customer's setup.  I 
could still probably filter on e.g. TTLs or drop GRE further up to the 
northern edge on input rather than output, but agreed that is starting to 
get trickier...

>- Jared

Hugo Slabbert       | email, xmpp/jabber: hugo at
pgp key: B178313E   | also on Signal
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <>

More information about the NANOG mailing list