Krebs on Security booted off Akamai network after DDoS attack proves pricey

Jared Mauch jared at puck.nether.net
Fri Sep 23 22:04:22 UTC 2016


> On Sep 23, 2016, at 5:39 PM, Hugo Slabbert <hugo at slabnet.com> wrote:
> 
> If the attackers were hitting the GRE tunnel destination and spoofing the tunnel source that would make things harder, but that's starting to get into rather intimate knowledge of the scrubber's and customer's setup.  I could still probably filter on e.g. TTLs or drop GRE further up to the northern edge on input rather than output, but agreed that is starting to get trickier...

My experiences are that under duress most people make poor choices and don’t properly filter these types of traffic.  

How many times have you turned off a filter to debug something?  Making a tunnel work is trickier than it seems and not all devices can terminate them.

In Cisco IOS land, you also have to have an IP address on the tunnel for it to handle IP traffic, even if it’s “ip unnumbered”.

My guess is someone terminates on their P2P link to carrier, and that is easy enough to find w/ traceroute/mtr.

- Jared
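An illustration of the two points above, added here as an example and not taken from Jared's or Hugo's messages: an IOS GRE tunnel that borrows its address from a loopback via "ip unnumbered" (so the tunnel endpoint is not the carrier-facing P2P link address that traceroute/mtr would expose), plus an inbound ACL on the upstream interface that only accepts GRE from the scrubbing provider's known endpoint. All addresses (192.0.2.10 for the scrubber, 203.0.113.1 for the customer's carrier link, 198.51.100.1 for the loopback) are constructed RFC 5737 documentation values, and the interface and ACL names are assumptions.

```cisco
! Loopback used as the tunnel endpoint instead of the P2P link address (constructed)
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
! Tunnel still needs an IP address to forward IP traffic; "ip unnumbered" borrows Loopback0's
interface Tunnel0
 description GRE return path from scrubbing provider (example)
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 192.0.2.10
 tunnel mode gre ip
!
! Ingress filter on the carrier-facing edge: GRE is accepted only from the scrubber's endpoint
! to our loopback; every other GRE packet is dropped before it reaches the tunnel code.
ip access-list extended EDGE-IN
 remark permit GRE (IP protocol 47) only from the scrubbing provider's tunnel endpoint
 permit gre host 192.0.2.10 host 198.51.100.1
 deny   gre any any log
 permit ip any any
!
interface GigabitEthernet0/0
 description Upstream P2P link to carrier (example)
 ip address 203.0.113.1 255.255.255.252
 ip access-group EDGE-IN in
```

The ACL is applied on input at the edge, which is the placement Hugo's message prefers over filtering on output. It does not help against the case he also raises, where the attacker spoofs the scrubber's endpoint as the GRE source: those packets match the permit line, so that scenario needs additional measures (upstream anti-spoofing, or filtering on characteristics such as TTL) rather than a plain source/destination ACL.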

