<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Maybe we're looking at the wrong place when dealing with TCP amp.
I believe there is a much easier way to solve this.</p>
<p>@OP: can you post the TCP flags of the SYN/ACK you are receiving
from Sony?</p>
<p>Thanks</p>
<p>Jean<br>
</p>
<div class="moz-cite-prefix">On 2020-01-27 20:49, Damian Menscher
via NANOG wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CABSP1OcrbzmsrKgDqUWLFKaqoxXWcjex59bdyfbR=8br9PSyow@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">On Mon, Jan 27, 2020 at 5:43 PM Töma Gavrichenkov
<<a href="mailto:ximaera@gmail.com" moz-do-not-send="true">ximaera@gmail.com</a>>
wrote:<br>
</div>
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="auto">
<div>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Jan 28,
2020, 4:32 AM Damian Menscher <<a
href="mailto:damian@google.com" target="_blank"
moz-do-not-send="true">damian@google.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div dir="ltr">On Mon, Jan 27, 2020 at 5:10 PM
Töma Gavrichenkov <<a
href="mailto:ximaera@gmail.com"
rel="noreferrer" target="_blank"
moz-do-not-send="true">ximaera@gmail.com</a>>
wrote:</div>
<div class="gmail_quote">
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="auto">
<div dir="auto">If this endpoint doesn't
connect to anything outside of their
network, then yes.</div>
<div dir="auto">If it does though, the
design of the filter might become more
complicated.</div>
</div>
</blockquote>
<div><br>
</div>
<div>Not really... just requires sorting by
volume. Turns out most legitimate hosts don't
send high-volume syn packets. ;)</div>
</div>
</div>
</blockquote>
</div>
</div>
<div dir="auto"><br>
</div>
<div dir="auto">This is a good *detection* technique, but
you cannot filter by volume in transit if the set of
destinations is large (and random) enough, and you don't
have a time machine. Not sure if this is the case but
might as well be.</div>
</div>
</blockquote>
<div><br>
</div>
<div>They don't need to filter by destination. Once a problem
customer has been identified, they can apply an ACL
restricting them to only originate IPs they own. This was
all covered in my talk at NANOG last year: <a
href="https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976"
moz-do-not-send="true">https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976</a></div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="auto">
<div dir="auto">As for the detection of the real source,
everything is technically possible but you need certain
bargaining power which a medium-sized (at best) VPN
service probably doesn't have.</div>
</div>
</blockquote>
<div><br>
</div>
<div>True, but there are ways around that, including public
shaming (here), or involving law enforcement.</div>
<div><br>
</div>
<div>Damian</div>
</div>
</div>
</blockquote>
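<p>Added example, not code from anyone in this thread: a small Python script
that puts Damian's two points side by side, ranking a customer's sources by
SYN-only packet volume (the "sorting by volume" triage step) and then
reporting what an ACL that only permits the customer's own address space
would do with each source. The customer prefix 198.51.100.0/24 and every
flow record are constructed from documentation address ranges; the flag
strings and the 1000-packet threshold are assumptions chosen for the sample,
not values taken from the thread.</p>

```python
"""Added example (not from the NANOG thread): rank sources by SYN volume and
check which of them an origin-restricting ACL would drop.
All prefixes, addresses and flow records below are constructed."""
import ipaddress
from collections import defaultdict

# Assumed: the address space the customer is authorised to originate from.
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow records: (source IP, destination IP, TCP flags, packet count).
SAMPLE_FLOWS = [
    ("198.51.100.10", "203.0.113.5", "S", 3),       # ordinary client, few SYNs
    ("198.51.100.10", "203.0.113.5", "SA", 3),      # SYN/ACK reply flow, not counted
    ("192.0.2.77", "203.0.113.5", "S", 5000),       # source outside customer space
    ("192.0.2.77", "203.0.113.6", "S", 4800),
    ("198.51.100.44", "203.0.113.7", "S", 12000),   # inside customer space, high volume
    ("198.51.100.44", "203.0.113.8", "S", 9000),
]


def is_syn_only(flags):
    """True for flows whose flags are SYN without ACK (a connection attempt, not a reply)."""
    return "S" in flags and "A" not in flags


def syn_volume_by_source(flows):
    """Sum SYN-only packets per source address."""
    totals = defaultdict(int)
    for src, _dst, flags, packets in flows:
        if is_syn_only(flags):
            totals[src] += packets
    return dict(totals)


def originates_from_customer(src, prefixes):
    """True if src falls inside one of the prefixes the customer owns."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def classify_sources(flows, prefixes, syn_threshold):
    """Per-source summary: SYN volume, distinct targets, prefix ownership, and a
    'suspicious' flag raised when the SYN volume exceeds syn_threshold."""
    volume = syn_volume_by_source(flows)
    targets = defaultdict(set)
    for src, dst, flags, _packets in flows:
        if is_syn_only(flags):
            targets[src].add(dst)
    report = {}
    for src, packets in volume.items():
        report[src] = {
            "syn_packets": packets,
            "distinct_dsts": len(targets[src]),
            "in_prefix": originates_from_customer(src, prefixes),
            "suspicious": packets > syn_threshold,
        }
    return report


def ingress_acl_verdict(src, prefixes):
    """What an ACL that only permits the customer's own prefixes does with this source."""
    return "permit" if originates_from_customer(src, prefixes) else "deny"


def ranked_by_volume(report):
    """Sources sorted highest SYN volume first, the triage order the thread suggests."""
    return sorted(report, key=lambda s: report[s]["syn_packets"], reverse=True)


if __name__ == "__main__":
    summary = classify_sources(SAMPLE_FLOWS, CUSTOMER_PREFIXES, syn_threshold=1000)
    for src in ranked_by_volume(summary):
        row = summary[src]
        print(f"{src:15} syn={row['syn_packets']:6} dsts={row['distinct_dsts']} "
              f"in_prefix={row['in_prefix']} "
              f"acl={ingress_acl_verdict(src, CUSTOMER_PREFIXES)}")
```

<p>Two things the sample makes visible: the high-volume source outside the
customer's prefix is exactly what the origin ACL drops without any
per-destination state, while the high-volume source inside the prefix passes
the ACL and is the case that still needs the volume ranking (and a
conversation with the customer) to handle.</p>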
</body>
</html>