[177287] in North American Network Operators' Group


Re: DDOS solution recommendation

daemon@ATHENA.MIT.EDU (Mike Hammett)
Sun Jan 11 16:22:42 2015

X-Original-To: nanog@nanog.org
Date: Sun, 11 Jan 2015 15:22:30 -0600 (CST)
From: Mike Hammett <nanog@ics-il.net>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <28333B30-49A1-476D-AABA-8731E2DBCFB0@ianai.net>
Errors-To: nanog-bounces@nanog.org

I know that UDP can be spoofed, but it's not likely that the SSH, mail, etc. login attempts, web page hits, etc. would be spoofed, as they'd have to know the response to be of any good.

There's more going on than UDP spoofing/amplification. Frankly, the most damaging thing to me has been SMTP hijacking. For you to log in to my SMTP server and send e-mail out, there's going to be one hell of a conversation going on.

However, the thought is that if someone's PC is hijacked and trying to log in to my SMTP server, it'll be doing something else later (or even concurrently). Enough deployment (in addition to BCP 38), and most of the threats are mitigated.




-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



----- Original Message -----

From: "Patrick W. Gilmore" <patrick@ianai.net>
To: "NANOG list" <nanog@nanog.org>
Sent: Sunday, January 11, 2015 3:14:27 PM
Subject: Re: DDOS solution recommendation

You are very confused about how the Internet works.

Or did you not understand the words "with source of"?

Wait, maybe you have some magic to tell the actual source of a packet other than the 32/128 bits in the "source" field? Because if you do, you stand to make a few billion dollars, and I'll be one of the first to pay you for it. (I'm specifically excluding things that give hints like TTL & incoming interface. To get paid, you need to tell me the ACTUAL source of a spoofed packet.)

While I will admit I do not know which of the above is true, my money is on #1.

--
TTFN,
patrick

> On Jan 11, 2015, at 16:08, Mike Hammett <nanog@ics-il.net> wrote:
>
> If that were to happen, it'd be for 30 days and it'd be whatever random residential account or APNIC address that was doing it. Not really a big loss.
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
> ----- Original Message -----
>
> From: "Patrick W. Gilmore" <patrick@ianai.net>
> To: "NANOG list" <nanog@nanog.org>
> Sent: Sunday, January 11, 2015 1:42:13 PM
> Subject: Re: DDOS solution recommendation
>
> I do love solutions which open larger attack surfaces than they are supposed to close. In the US, we call that "a cure worse than the disease".
>
> Send packet from random bot with source of Google, Comcast, Akamai, etc. to Mr. Hammett's not-DNS / honeypot / whatever, and watch him close himself off from the world.
>
> Voilà! Denial of service accomplished without all the hassle of sending 100s of Gbps of traffic.
>
> Best part is he was willing to explain this to 10,000+ of his not-so-closest friends, in a search-engine-indexed manner.
>
> --
> TTFN,
> patrick
>
> On Jan 11, 2015, at 14:34, Phil Bedard <bedard.phil@gmail.com> wrote:
>>
>> Many attacks can use spoofed source IPs, so who are you really blocking?
>>
>> That's why BCP38, as mentioned many times already, is a necessary tool in fighting the attacks overall.
>>
>> Phil
>>
>>
>> On 1/11/15, 4:33 PM, "Mike Hammett" <nanog@ics-il.net> wrote:
>>
>>> I didn't necessarily think I was shattering minds with my ideas.
>>>
>>> I don't have the time to read a dozen presentations.
>>>
>>> Blackhole them and move on. I don't care whose feelings I hurt. This isn't kindergarten. Maybe "you" should have tried a little harder to not get a virus in the first place. Quit clicking on male enhancement ads or update your OS occasionally. I'm not going to spend a bunch of time and money to make sure someone's bubble of bliss doesn't get popped. Swift, effective, cheap. Besides, you're only cut off for 30 days. If in 30 days you can prove yourself to be responsible, we can try this again. Well, that or a sufficient support request.
>>>
>>> Besides, if enough people did that, the list of blackholes wouldn't be huge, as someone upstream already blocked them.
>>>
>>>
>>> -----
>>> Mike Hammett
>>> Intelligent Computing Solutions
>>> http://www.ics-il.com
>>>
>>>
>>> ----- Original Message -----
>>>
>>> From: "Roland Dobbins" <rdobbins@arbor.net>
>>> To: nanog@nanog.org
>>> Sent: Sunday, January 11, 2015 9:29:33 AM
>>> Subject: Re: DDOS solution recommendation
>>>
>>>
>>> On 11 Jan 2015, at 22:21, Mike Hammett wrote:
>>>
>>>> I'm not saying what you're doing is wrong, I'm saying whatever the industry as a whole is doing obviously isn't working and perhaps a different approach is required.
>>>
>>> You haven't recommended anything new, and you really need to do some reading in order to understand why it isn't as simple as you seem to think it is.
>>>
>>>> Security teams? My network has me, myself and I.
>>>
>>> And a relatively small network, too.
>>>
>>>> If for example ChinaNet's abuse department isn't doing anything about complaints, eventually their whole network gets blocked a /32 at a time. *shrugs* Their loss.
>>>
>>> Again, it isn't that simple.
>>>
>>> -----------------------------------
>>> Roland Dobbins <rdobbins@arbor.net>
>>>
>



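An added example, not code from the thread or from any of its participants, in Python: a toy reactive blackholer that compares the "ban on any packet" trigger Patrick attacks (a forged source field gets the victim to block Google or Comcast for 30 days) against a trigger that fires only after a completed TCP three-way handshake, which an off-path spoofer cannot finish because it never sees the server's random ISN, plus a BCP38 / RFC 2827 ingress filter that drops the forged packet at the customer edge before it reaches the honeypot at all. The honeypot address, the customer prefix, the port list and the packet stream are all constructed for the example.

```python
"""Reactive blackholing vs. source spoofing: an added illustration.

Constructed scenario (no address or packet here comes from the thread): a
compromised host 203.0.113.7 on customer prefix 203.0.113.0/24 talks to our
SMTP honeypot, and the same host also emits packets whose source field is
forged to 8.8.8.8.
"""
import ipaddress
import secrets
from dataclasses import dataclass, field

HONEYPOT = "198.51.100.25"              # our "not-DNS / honeypot" (constructed)
CUSTOMER_PREFIXES = ["203.0.113.0/24"]  # prefixes assigned to the customer port


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str          # "SYN" or "ACK" is all this toy needs
    ack: int = 0        # acknowledgement number on the client's final ACK


@dataclass
class Blackholer:
    """Bans sources that touch honeypot ports, under one of two trigger rules."""
    honeypot_ports: frozenset
    require_handshake: bool
    banned: set = field(default_factory=set)
    isn: dict = field(default_factory=dict)   # server ISN per (src, dport)

    def observe(self, pkt):
        if pkt.dst != HONEYPOT or pkt.dport not in self.honeypot_ports:
            return
        key = (pkt.src, pkt.dport)
        if not self.require_handshake:
            # Policy A ("ban on any hit"): one packet, forgeable by anyone,
            # bans whatever happens to sit in the source field.
            self.banned.add(pkt.src)
        elif pkt.flags == "SYN":
            # We answer SYN-ACK with a random ISN; a sender that forged the
            # source never receives it. (Range keeps ISN+1 non-zero so the
            # blind guess of 0 below is deterministically wrong.)
            self.isn[key] = secrets.randbelow(2**32 - 1)
        elif pkt.flags == "ACK" and key in self.isn and pkt.ack == self.isn[key] + 1:
            # Policy B: only a peer that saw our SYN-ACK can echo ISN+1, so a
            # completed handshake is evidence the source address is real.
            self.banned.add(pkt.src)


def bcp38_permits(pkt, iface_prefixes=CUSTOMER_PREFIXES):
    """BCP38 / RFC 2827 ingress filter on the customer-facing interface:
    forward a packet only if its source lies inside a prefix assigned to that
    interface. The forged 8.8.8.8 packet never leaves the customer's edge."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(p) for p in iface_prefixes)


def run(require_handshake, edge_filter=False):
    """Feed a constructed packet stream to the blackholer; return the ban set."""
    bh = Blackholer(frozenset({25}), require_handshake)
    bot, forged = "203.0.113.7", "8.8.8.8"

    def send(pkt):
        if edge_filter and not bcp38_permits(pkt):
            return                      # dropped at the customer edge
        bh.observe(pkt)

    # Real compromised host: it receives our SYN-ACK, so it can echo ISN+1.
    send(Packet(bot, HONEYPOT, 25, "SYN"))
    send(Packet(bot, HONEYPOT, 25, "ACK", ack=bh.isn.get((bot, 25), 0) + 1))
    # Same host forging 8.8.8.8: it never sees the SYN-ACK, so its ACK is a
    # blind guess (0 here; any guess fails except with probability 2**-32).
    send(Packet(forged, HONEYPOT, 25, "SYN"))
    send(Packet(forged, HONEYPOT, 25, "ACK", ack=0))
    return bh.banned


if __name__ == "__main__":
    print("ban on any packet      :", sorted(run(False)))        # bot and 8.8.8.8
    print("ban after handshake    :", sorted(run(True)))         # bot only
    print("any packet + BCP38 edge:", sorted(run(False, True)))  # bot only
```

The handshake rule only proves that whoever sent the ACK received the SYN-ACK; it says nothing about who is behind that address. A bot behind a carrier-grade NAT or a shared mail relay still gets every neighbour on that /32 banned for the full 30 days, which this toy does not model. UDP services have no handshake to lean on, which is why the thread keeps coming back to BCP38 at the edge rather than any trigger at the victim.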