<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: arial,helvetica,sans-serif; font-size: 10pt; color: #000000'>How would they know what to look for?<br><br>I'm assuming Sony isn't cooperating.<br><br><div><span name="x"></span><br><br>-----<br>Mike Hammett<br>Intelligent Computing Solutions<br>http://www.ics-il.com<br><br>Midwest-IX<br>http://www.midwest-ix.com<span name="x"></span><br></div><br><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;"><b>From: </b>"Ben Cannon" &lt;ben@6by7.net&gt;<br><b>To: </b>"Mike Hammett" &lt;nanog@ics-il.net&gt;<br><b>Cc: </b>"Roland Dobbins" &lt;Roland.Dobbins@netscout.com&gt;, "NANOG Operators' Group" &lt;nanog@nanog.org&gt;<br><b>Sent: </b>Monday, January 27, 2020 6:40:25 PM<br><b>Subject: </b>Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC<br><br>Transit carriers could work the flows backwards.<div class=""><br class=""><div class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;" class=""><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div class="">-Ben Cannon</div><div class="">CEO 6x7 Networks &amp; 6x7 Telecom, LLC </div><div class=""><a href="mailto:ben@6by7.net" class="" target="_blank">ben@6by7.net</a></div><div class=""><br class=""></div></div></div><span style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br class="Apple-interchange-newline">
</span></div>
<br class=""><div style=""><blockquote class=""><div class="">On Jan 27, 2020, at 4:39 PM, Mike Hammett <<a href="mailto:nanog@ics-il.net" class="" target="_blank">nanog@ics-il.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; font-family: arial, helvetica, sans-serif; font-size: 10pt;" class="">If someone is being spoofed, they aren't receiving the spoofed packets. How are they supposed to collect anything on the attack?<br class=""><br class="">Offending host pretending to be Octolus -> Sony -> Real Octolus.<br class=""><br class=""><br class=""><div class=""><span class=""></span><br class=""><br class="">-----<br class="">Mike Hammett<br class="">Intelligent Computing Solutions<br class=""><a href="http://www.ics-il.com/" class="" target="_blank">http://www.ics-il.com</a><br class=""><br class="">Midwest-IX<br class=""><a href="http://www.midwest-ix.com/" class="" target="_blank">http://www.midwest-ix.com</a><span class=""></span><br class=""></div><br class=""><hr id="zwchr" class=""><div style="font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica, Arial, sans-serif; font-size: 12pt;" class=""><b class="">From:<span class="Apple-converted-space"> </span></b>"Roland Dobbins" <<a href="mailto:Roland.Dobbins@netscout.com" class="" target="_blank">Roland.Dobbins@netscout.com</a>><br class=""><b class="">To:<span class="Apple-converted-space"> </span></b>"Octolus Development" <<a href="mailto:admin@octolus.net" class="" target="_blank">admin@octolus.net</a>><br class=""><b class="">Cc:<span class="Apple-converted-space"> </span></b>"Heather Schiller via NANOG" <<a href="mailto:nanog@nanog.org" class="" target="_blank">nanog@nanog.org</a>><br 
class=""><b class="">Sent:<span class="Apple-converted-space"> </span></b>Monday, January 27, 2020 6:29:16 PM<br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC<br class=""><br class=""><div dir="ltr" class=""><br class=""></div><div dir="ltr" class=""><br class=""><blockquote class="">On Jan 28, 2020, at 04:12, Octolus Development <<a href="mailto:admin@octolus.net" class="" target="_blank">admin@octolus.net</a>> wrote:<br class=""><br class=""></blockquote></div><blockquote class=""><div dir="ltr" class="">It is impossible to find the true origin of where the spoofed attacks are coming from.</div></blockquote><br class=""><div class="">This is demonstrably untrue. </div><div class=""><br class=""></div><div class="">If you provide the requisite information to operators, they can look through their flow telemetry collection/analysis systems in order to determine whether the spoofed traffic traversed their network; if it did so, they will see where it ingressed their network. </div><div class=""><br class=""></div><div class="">With enough participants who have this capability, it's possible to trace the spoofed traffic back to its origin network, or at least some network or networks topologically proximate to the origin network. </div><div class=""><br class=""></div><div class="">That's what Damian is suggesting. 
</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; line-height: normal; color: rgb(69, 69, 69);" class=""><span class="s1" style="font-size: 17pt;">--------------------------------------------</span></div><div style="margin: 0px; line-height: normal; color: rgb(69, 69, 69);" class=""><span class="s1" style="font-size: 17pt;">Roland Dobbins <<a href="mailto:roland.dobbins@netscout.com" class="" target="_blank">roland.dobbins@netscout.com</a>></span></div></div></div></div></div></blockquote></div><br class=""></div></div><br></div></body></html>