[177321] in North American Network Operators' Group
Re: DDOS solution recommendation
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Jan 12 11:38:14 2015
X-Original-To: nanog@nanog.org
To: Mark Andrews <marka@isc.org>
In-Reply-To: Your message of "Mon, 12 Jan 2015 18:06:57 +1100."
<20150112070657.12E41275504F@rock.dv.isc.org>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 12 Jan 2015 11:35:58 -0500
Cc: nanog@nanog.org, Grant Taylor <gtaylor@tnetconsulting.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, 12 Jan 2015 18:06:57 +1100, Mark Andrews said:
> > The ISP will very likely not see ANY traffic originating from spoofed
> > IP destined to your server.
>
> They will see the reply traffic and will see the acks increasing etc.
Assuming they think to *look* for it.
99.8% of ISPs will get a complaint "Your IP w.x.y.z is sending me spam", drop a
tap on the IP address, see no matching outbound traffic, and hit delete on the
complaint. They will almost certainly not think to look in something like the
ICMP port unreachable packets the address is sending to some *other* address.
(Remember, the compromised relay machine has to send *very* little info back to
the actual sending box - TCP sequence numbers, maybe windows, and SMTP reply
codes that can be encoded in 1 byte or even less)
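An added example, not part of the original message: a triage check an abuse desk could run over unidirectional flow records for the complained-about address, going past the "no outbound SMTP" test to the two signals the message describes (reply traffic arriving with no matching outbound flow, and ICMP port unreachables sent to some other address). The record layout, addresses and the `triage` helper are constructed for illustration.

```python
from collections import Counter

# Constructed flow records (not from the thread): (src, dst, proto, a, b)
# For tcp/udp, a/b are source/destination port; for icmp, a/b are type/code
# (type 3, code 3 is "port unreachable").
SUSPECT = "192.0.2.10"
FLOWS = [
    ("198.51.100.25", SUSPECT, "tcp", 25, 40112),   # SMTP server replying
    ("198.51.100.25", SUSPECT, "tcp", 25, 40112),
    ("198.51.100.77", SUSPECT, "tcp", 25, 51873),
    (SUSPECT, "203.0.113.9", "icmp", 3, 3),         # unreachables to a third party
    (SUSPECT, "203.0.113.9", "icmp", 3, 3),
    (SUSPECT, "203.0.113.9", "icmp", 3, 3),
    (SUSPECT, "192.0.2.53", "udp", 33000, 53),      # ordinary DNS lookup
]

def triage(ip, flows):
    """Summarise what a tap on `ip` shows beyond 'is it sending SMTP?'."""
    out_smtp = set()          # (peer, local port) of outbound TCP to port 25
    in_smtp = Counter()       # (peer, local port) of inbound TCP from port 25
    icmp_unreach = Counter()  # destinations of outbound port unreachables
    for src, dst, proto, a, b in flows:
        if proto == "tcp" and src == ip and b == 25:
            out_smtp.add((dst, a))
        elif proto == "tcp" and dst == ip and a == 25:
            in_smtp[(src, b)] += 1
        elif proto == "icmp" and src == ip and (a, b) == (3, 3):
            icmp_unreach[dst] += 1
    # Replies from mail servers that this host never opened a connection to.
    orphans = {k: n for k, n in in_smtp.items() if k not in out_smtp}
    # Port unreachables going to an address that is not one of those servers.
    smtp_peers = {peer for peer, _ in in_smtp}
    third_party = {d: n for d, n in icmp_unreach.items() if d not in smtp_peers}
    return {
        "outbound_smtp_flows": len(out_smtp),
        "orphan_smtp_replies": orphans,
        "icmp_unreachable_to_third_party": third_party,
        # Heuristic only: both signals together warrant a closer look.
        "needs_follow_up": bool(orphans) and bool(third_party),
    }

if __name__ == "__main__":
    for key, value in triage(SUSPECT, FLOWS).items():
        print(f"{key}: {value}")
```

On the constructed sample the outbound SMTP count is zero, which is where the quick check described in the message would stop, while the other two fields show why the complaint should stay open.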