[177292] in North American Network Operators' Group
Re: DDOS solution recommendation
daemon@ATHENA.MIT.EDU (Mark Andrews)
Sun Jan 11 20:42:13 2015
X-Original-To: nanog@nanog.org
To: Grant Taylor <gtaylor@tnetconsulting.net>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "Sun, 11 Jan 2015 18:56:30 -0600." <54B31BBE.3000502@tnetconsulting.net>
Date: Mon, 12 Jan 2015 12:42:00 +1100
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
In message <54B31BBE.3000502@tnetconsulting.net>, Grant Taylor writes:
> On 01/11/2015 03:22 PM, Mike Hammett wrote:
> > I know that UDP can be spoofed, but it's not likely that the SSH,
> > mail, etc. login attempts, web page hits, etc. would be spoofed as
> > they'd have to know the response to be of any good.
>
> I encourage you to investigate "Triangular Spamming".
> (http://www.cs.ucr.edu/~zhiyunq/pub/oakland10_triangular_spamming.pdf)
> The "Triangular..." technique does specifically that, allow the attacker
> to "...know the responses...".
>
> In short, the bot receives the reply to the spoofed source IP and
> forwards information on to the attacker so that it can continue the
> conversation. In effect, three parties are having a one way
> conversation in a ring.
Just because you can only identify one of the two remotes doesn't
mean that you can't report the addresses. It is involved in the
communication stream.
> > There's more going on than UDP spoofing\amplification. Frankly the
> > most damaging thing to me has been SMTP hijacking. For you to login
> > to my SMTP server and send e-mail out, there's going to be one hell
> > of a conversation going on.
>
> Yes, there is what appears to you to be a conversation going on.
> However, the source of what you are hearing is not where you think it's
> from.
Actually it is coming from where you think it is coming from, just not
directly.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
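The thread's practical point is that the address you see in the SMTP stream is still worth reporting, because it is the host that received your replies, even when the party driving the session sits behind it. The following is an added example, not code from the list or from either poster: it parses a few constructed Postfix-style SASL log lines (the format and the sample addresses are assumptions), tallies failed and successful AUTH attempts per client address, and picks out the addresses that reached a successful login only after repeated failures, which is the "SMTP hijacking" pattern Mike describes. Thresholds are arbitrary defaults, not values from the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines in a Postfix smtpd style (not real logs).
SAMPLE_LOG = """\
Jan 11 20:40:01 mx postfix/smtpd[2101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan 11 20:40:03 mx postfix/smtpd[2101]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Jan 11 20:40:09 mx postfix/smtpd[2101]: 7F3A1: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice
Jan 11 20:41:15 mx postfix/smtpd[2102]: 7F3B2: client=unknown[203.0.113.44], sasl_method=PLAIN, sasl_username=bob
Jan 11 20:41:20 mx postfix/smtpd[2103]: warning: unknown[203.0.113.44]: SASL PLAIN authentication failed: authentication failure
Jan 11 20:41:30 mx postfix/smtpd[2104]: warning: unknown[192.0.2.9]: SASL LOGIN authentication failed: authentication failure
"""

# A failed SASL attempt: "warning: <host>[<ip>]: SASL <method> authentication failed"
FAIL_RE = re.compile(
    r"smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"
)
# A successful SASL login: "client=<host>[<ip>], sasl_method=<m>, sasl_username=<user>"
AUTH_RE = re.compile(
    r"client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)"
)


@dataclass
class PeerActivity:
    """What one client address did against the SMTP AUTH endpoint."""
    failed_auths: int = 0
    successful_auths: int = 0
    failures_before_first_success: int | None = None
    usernames: set = field(default_factory=set)


def summarize(log_text: str) -> dict:
    """Tally SASL failures and successes per observed client address, in log order."""
    peers = defaultdict(PeerActivity)
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            peers[m["ip"]].failed_auths += 1
            continue
        m = AUTH_RE.search(line)
        if m:
            p = peers[m["ip"]]
            if p.successful_auths == 0:
                # Remember how much guessing preceded the first working login.
                p.failures_before_first_success = p.failed_auths
            p.successful_auths += 1
            p.usernames.add(m["user"])
    return dict(peers)


def reportable_peers(peers: dict, min_failures_before_success: int = 2,
                     max_failures: int = 5) -> list:
    """Return (ip, reason) pairs for addresses worth an abuse report.

    The address is the peer that received our TCP replies, so it is the right
    thing to report even if whoever is driving the session is somewhere else.
    Thresholds are assumed defaults for this example.
    """
    flagged = []
    for ip, p in sorted(peers.items()):
        before = p.failures_before_first_success
        if before is not None and before >= min_failures_before_success:
            flagged.append((ip, f"successful login after {before} failed attempts"))
        elif p.failed_auths >= max_failures:
            flagged.append((ip, f"{p.failed_auths} failed attempts, no success"))
    return flagged


if __name__ == "__main__":
    for ip, reason in reportable_peers(summarize(SAMPLE_LOG)):
        print(f"{ip}: {reason}")
</test>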