Reaching out to Sony NOC, resolving DDoS Issues - Need POC
Damian Menscher
damian at google.com
Tue Jan 28 01:49:18 UTC 2020
On Mon, Jan 27, 2020 at 5:43 PM Töma Gavrichenkov <ximaera at gmail.com> wrote:
> On Tue, Jan 28, 2020, 4:32 AM Damian Menscher <damian at google.com> wrote:
>
>> On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov <ximaera at gmail.com>
>> wrote:
>>
>>> If this endpoint doesn't connect to anything outside of their network,
>>> then yes.
>>> If it does though, the design of the filter might become more
>>> complicated.
>>>
>>
>> Not really... just requires sorting by volume. Turns out most legitimate
>> hosts don't send high-volume syn packets. ;)
>>
>
> This is a good *detection* technique, but you cannot filter by volume in
> transit if the set of destinations is large (and random) enough, and you
> don't have a time machine. Not sure if this is the case but might as well
> be.
>
They don't need to filter by destination. Once a problem customer has been
identified, they can apply an ACL restricting them to only originate IPs
they own. This was all covered in my talk at NANOG last year:
https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976
> As for the detection of the real source, everything is technically possible
> but you need certain bargaining power which a medium-sized (at best) VPN
> service probably doesn't have.
>
True, but there are ways around that, including public shaming (here), or
involving law enforcement.
Damian
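As an added worked example (not code from this thread or from the NANOG talk linked above), here is the two-step approach the reply describes: rank customer-facing ports by the volume of bare SYN packets they originate, then, for the top talker, apply a filter that only lets that customer source addresses from prefixes they actually own. The flow records, port names and prefix allocations below are constructed sample data, and the ACL lines are vendor-neutral pseudo-syntax rather than any router's exact CLI.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not from the original thread), one tuple per
# sampled flow as a NetFlow/sFlow collector might export them:
# (customer_port, src_ip, dst_ip, tcp_flags, packets)
SAMPLE_FLOWS = [
    ("xe-0/0/1", "192.0.2.10", "203.0.113.5", "S", 1),        # normal client handshake
    ("xe-0/0/1", "192.0.2.11", "203.0.113.6", "SA", 1),       # SYN-ACK, not a bare SYN
    ("xe-0/0/2", "198.51.100.7", "203.0.113.9", "S", 950000),  # spoofed: port 2 does not own this
    ("xe-0/0/2", "198.51.100.8", "203.0.113.20", "S", 910000), # spoofed
    ("xe-0/0/2", "192.0.2.200", "203.0.113.21", "S", 40),      # that customer's own legitimate traffic
    ("xe-0/0/3", "192.0.2.130", "203.0.113.30", "S", 3),
]

# Assumed allocation table (constructed): which prefixes each customer port owns.
CUSTOMER_PREFIXES = {
    "xe-0/0/1": ["192.0.2.0/28"],
    "xe-0/0/2": ["192.0.2.192/26"],
    "xe-0/0/3": ["192.0.2.128/26"],
}


def syn_only(flags: str) -> bool:
    """True for a bare SYN (SYN set, ACK clear), i.e. a connection attempt."""
    return "S" in flags and "A" not in flags


def syn_volume_by_port(flows):
    """Rank customer ports by bare-SYN packets originated, largest first.
    This is the 'sort by volume' detection step."""
    totals = Counter()
    for port, _src, _dst, flags, packets in flows:
        if syn_only(flags):
            totals[port] += packets
    return totals.most_common()


def spoofed_sources(flows, port, prefixes):
    """Source addresses of bare SYNs seen on `port` that fall outside the
    prefixes assigned to that customer, i.e. addresses they do not own."""
    nets = [ip_network(p) for p in prefixes]
    return {
        src
        for p, src, _dst, flags, _n in flows
        if p == port and syn_only(flags)
        and not any(ip_address(src) in n for n in nets)
    }


def build_ingress_acl(prefixes):
    """Vendor-neutral rule list (assumed syntax, not any vendor's exact CLI):
    permit the customer's own prefixes as source, drop everything else."""
    rules = [f"permit ip {p} any" for p in prefixes]
    rules.append("deny ip any any log")
    return rules


def acl_allows(prefixes, src_ip):
    """Simulate the ACL: a packet passes only if its source is in an owned prefix."""
    return any(ip_address(src_ip) in ip_network(p) for p in prefixes)


def triage(flows, allocation, top_n=1):
    """Rank by SYN volume, then for the top ports report the spoofed
    sources seen and the ACL that would stop them."""
    report = {}
    for port, count in syn_volume_by_port(flows)[:top_n]:
        prefixes = allocation[port]
        report[port] = {
            "syn_packets": count,
            "spoofed_sources": sorted(spoofed_sources(flows, port, prefixes)),
            "acl": build_ingress_acl(prefixes),
        }
    return report


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_FLOWS, CUSTOMER_PREFIXES))
```

The filter keys on the prefixes the customer owns, not on the forged source or the attack's destinations, which is why it still works when the destination set is large and random. Flow export is usually sampled, so treat the ranking as a lead to confirm on the port counters rather than as proof by itself.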