<div dir="ltr"><div>The victim already posted the signature to this thread:</div><div>  - source IP: 51.81.119.7</div><div>  - protocol: 6 (tcp)</div><div>  - tcp_flags: 2 (syn)<br></div><div><br></div><div>That alone is sufficient for Level3/CenturyLink/etc to identify the source of this abuse and apply filters, if they choose.</div><div><br></div><div>For a more detailed explanation of how to trace and filter spoofed attacks, see my talk at NANOG last year: <a href="https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976">https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976</a></div><div><br></div><div>Damian</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jan 27, 2020 at 4:57 PM Mike Hammett <<a href="mailto:nanog@ics-il.net">nanog@ics-il.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div><div style="font-family:arial,helvetica,sans-serif;font-size:10pt;color:rgb(0,0,0)">How would they know what to look for?<br><br>I'm assuming Sony isn't cooperating.<br><br><div><span name="x"></span><br><br>-----<br>Mike Hammett<br>Intelligent Computing Solutions<br><a href="http://www.ics-il.com" target="_blank">http://www.ics-il.com</a><br><br>Midwest-IX<br><a href="http://www.midwest-ix.com" target="_blank">http://www.midwest-ix.com</a><span name="x"></span><br></div><br><hr id="gmail-m_2450941115524002373zwchr"><div style="color:rgb(0,0,0);font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From: </b>"Ben Cannon" <<a href="mailto:ben@6by7.net" target="_blank">ben@6by7.net</a>><br><b>To: </b>"Mike Hammett" <<a href="mailto:nanog@ics-il.net" target="_blank">nanog@ics-il.net</a>><br><b>Cc: </b>"Roland Dobbins" <<a href="mailto:Roland.Dobbins@netscout.com" target="_blank">Roland.Dobbins@netscout.com</a>>, "NANOG Operators' 
Group" <<a href="mailto:nanog@nanog.org" target="_blank">nanog@nanog.org</a>><br><b>Sent: </b>Monday, January 27, 2020 6:40:25 PM<br><b>Subject: </b>Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC<br><br>Transit carriers could work the flows backwards.<div><br><div>
<div style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div style="overflow-wrap: break-word;"><div>-Ben Cannon</div><div>CEO 6x7 Networks & 6x7 Telecom, LLC </div><div><a href="mailto:ben@6by7.net" target="_blank">ben@6by7.net</a></div><div><br></div></div></div><span style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><br>
</span></div>
<br><div><blockquote><div>On Jan 27, 2020, at 4:39 PM, Mike Hammett <<a href="mailto:nanog@ics-il.net" target="_blank">nanog@ics-il.net</a>> wrote:</div><br><div><div style="font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;font-family:arial,helvetica,sans-serif;font-size:10pt">If someone is being spoofed, they aren't receiving the spoofed packets. How are they supposed to collect anything on the attack?<br><br>Offending host pretending to be Octolus -> Sony -> Real Octolus.<br><br><br><div><span></span><br><br>-----<br>Mike Hammett<br>Intelligent Computing Solutions<br><a href="http://www.ics-il.com/" target="_blank">http://www.ics-il.com</a><br><br>Midwest-IX<br><a href="http://www.midwest-ix.com/" target="_blank">http://www.midwest-ix.com</a><span></span><br></div><br><hr id="gmail-m_2450941115524002373zwchr"><div style="font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt"><b>From:<span> </span></b>"Roland Dobbins" <<a href="mailto:Roland.Dobbins@netscout.com" target="_blank">Roland.Dobbins@netscout.com</a>><br><b>To:<span> </span></b>"Octolus Development" <<a href="mailto:admin@octolus.net" target="_blank">admin@octolus.net</a>><br><b>Cc:<span> </span></b>"Heather Schiller via NANOG" <<a href="mailto:nanog@nanog.org" target="_blank">nanog@nanog.org</a>><br><b>Sent:<span> </span></b>Monday, January 27, 2020 6:29:16 PM<br><b>Subject:<span> </span></b>Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC<br><br><div dir="ltr"><br></div><div dir="ltr"><br><blockquote>On Jan 28, 2020, at 04:12, Octolus Development <<a href="mailto:admin@octolus.net" target="_blank">admin@octolus.net</a>> wrote:<br><br></blockquote></div><blockquote><div dir="ltr">It is impossible to find the true origin of where the spoofed attacks are coming from.</div></blockquote><br><div>This is 
demonstrably untrue. </div><div><br></div><div>If you provide the requisite information to operators, they can look through their flow telemetry collection/analysis systems in order to determine whether the spoofed traffic traversed their network; if it did so, they will see where it ingressed their network. </div><div><br></div><div>With enough participants who have this capability, it's possible to trace the spoofed traffic back to its origin network, or at least some network or networks topologically proximate to the origin network. </div><div><br></div><div>That's what Damian is suggesting. </div><div><br></div><div><div style="margin:0px;line-height:normal;color:rgb(69,69,69)"><span style="font-size:17pt">--------------------------------------------</span></div><div style="margin:0px;line-height:normal;color:rgb(69,69,69)"><span style="font-size:17pt">Roland Dobbins <<a href="mailto:roland.dobbins@netscout.com" target="_blank">roland.dobbins@netscout.com</a>></span></div></div></div></div></div></blockquote></div><br></div></div><br></div></div></blockquote></div>
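<div>The traceback step Roland and Damian describe, as an added illustration that is not part of the thread and not any operator's tooling: an operator takes the signature the victim posted (source 51.81.119.7, protocol 6, tcp_flags 2) and runs it against their own flow telemetry, counting matching flows per ingress interface and peer. The CSV flow export, interface names and peer ASNs below are constructed sample data in an nfdump-like layout, not real telemetry; the signature values are the ones from the thread.</div>

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Signature the victim posted to the thread: spoofed source address,
# IP protocol 6 (TCP), flow tcp_flags 2 (SYN only).
SIGNATURE = {"src": "51.81.119.7", "proto": 6, "tcp_flags": 2}

# Constructed sample flow export (nfdump-style columns). Interface names,
# peer ASNs, destinations and timestamps are made up for this example.
SAMPLE_FLOWS = """\
ts,src,dst,proto,sport,dport,tcp_flags,in_if,peer
2020-01-27T22:40:01,51.81.119.7,203.0.113.10,6,41234,443,2,ge-0/0/1,AS64501
2020-01-27T22:40:01,51.81.119.7,203.0.113.11,6,41235,443,2,ge-0/0/1,AS64501
2020-01-27T22:40:02,51.81.119.7,203.0.113.12,6,41236,80,2,ge-0/0/1,AS64501
2020-01-27T22:40:02,51.81.119.7,203.0.113.13,6,41237,443,2,ge-0/0/3,AS64502
2020-01-27T22:40:03,51.81.119.7,198.51.100.5,6,52000,443,27,ge-0/0/2,AS64503
2020-01-27T22:40:03,192.0.2.77,203.0.113.10,17,5060,5060,0,ge-0/0/1,AS64501
2020-01-27T22:40:04,51.81.119.7,203.0.113.14,6,41238,443,16,ge-0/0/2,AS64503
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    tcp_flags: int   # OR of all TCP flags seen on the flow (NetFlow/IPFIX semantics)
    in_if: str       # ingress interface on the exporting router
    peer: str        # neighbour AS behind that interface


def parse_flows(text):
    """Parse a CSV flow export into Flow records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Flow(r["ts"], r["src"], r["dst"], int(r["proto"]), int(r["sport"]),
             int(r["dport"]), int(r["tcp_flags"]), r["in_if"], r["peer"])
        for r in reader
    ]


def matches_signature(flow, sig=SIGNATURE):
    """True if the flow carries the victim's spoofed-SYN signature.

    The flow's tcp_flags field is the union of flags seen across the whole
    flow, so a value of exactly SYN (2) means no handshake ever progressed.
    Legitimate sessions from the real holder of the address accumulate
    ACK/PSH/FIN bits and are therefore left out of the match.
    """
    return (flow.src == sig["src"]
            and flow.proto == sig["proto"]
            and flow.tcp_flags == sig["tcp_flags"])


def ingress_points(flows, sig=SIGNATURE):
    """Count signature-matching flows per (ingress interface, peer)."""
    return Counter((f.in_if, f.peer) for f in flows if matches_signature(f, sig))


def traceback_report(text, sig=SIGNATURE):
    """Where did the spoofed traffic enter this network? Busiest ingress first."""
    return ingress_points(parse_flows(text), sig).most_common()


if __name__ == "__main__":
    for (in_if, peer), count in traceback_report(SAMPLE_FLOWS):
        print(f"{count:4d} matching flows via {in_if} from {peer}")
```

<div>On the sample data the report points at ge-0/0/1 from AS64501 with three matching flows and ge-0/0/3 from AS64502 with one, while the completed session and the ACK-only flow from the same source address are excluded. That per-ingress count is the piece of information each operator hands to the next upstream so the same query can be repeated one hop closer to the origin; it is also the data that justifies a filter on the identified ingress rather than on the victim's address everywhere.</div>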