[191630] in North American Network Operators' Group


Re: Krebs on Security booted off Akamai network after DDoS attack

daemon@ATHENA.MIT.EDU (Jared Mauch)
Fri Sep 23 21:10:30 2016

X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <20160923213954.GC3770@bamboo.slabnet.com>
Date: Fri, 23 Sep 2016 18:04:22 -0400
To: Hugo Slabbert <hugo@slabnet.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


> On Sep 23, 2016, at 5:39 PM, Hugo Slabbert <hugo@slabnet.com> wrote:
> 
> If the attackers were hitting the GRE tunnel destination and spoofing
> the tunnel source that would make things harder, but that's starting to
> get into rather intimate knowledge of the scrubber's and customer's
> setup.  I could still probably filter on e.g. TTLs or drop GRE further
> up to the northern edge on input rather than output, but agreed that is
> starting to get trickier...

My experiences are that under duress most people make poor choices and
don't properly filter these types of traffic.

How many times have you turned off a filter to debug something?  Making
a tunnel work is trickier than it seems and not all devices can
terminate them.

In Cisco IOS land, you also have to have an IP address on the tunnel for
it to handle IP traffic, even if it's "ip unnumbered".

My guess is someone terminates on their P2P link to carrier, and that is
easy enough to find w/ traceroute/mtr.

- Jared
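As an added illustration of the two points in this exchange (a GRE tunnel on IOS needs an IP configuration before it will forward IP, and GRE from the scrubber should be filtered explicitly on input at the upstream edge), here is a Cisco IOS configuration fragment. It is not from the thread or from either poster; the interface names, the ACL name and the addresses (RFC 5737 documentation ranges) are assumptions.

```cisco
! Added example, not from the thread. Interface names, ACL name and
! addresses are assumptions; addresses are RFC 5737 documentation ranges.
!
! 192.0.2.1   = the scrubbing centre's GRE endpoint (assumed)
! 203.0.113.1 = our loopback, used as our GRE endpoint (assumed)
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
! Form that does not carry traffic: the tunnel has no IP configuration.
! GRE is decapsulated, but IOS will not route IP over an interface with
! no IP address, so the clean traffic never leaves the tunnel.
!interface Tunnel0
! tunnel source Loopback0
! tunnel destination 192.0.2.1
! tunnel mode gre ip
!
! Working form: "ip unnumbered" borrows the loopback's address, so the
! tunnel can forward IP without consuming a dedicated subnet.
interface Tunnel0
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel destination 192.0.2.1
 tunnel mode gre ip
!
! Edge filter: accept GRE (IP protocol 47) only from the scrubber to our
! endpoint, drop and log any other GRE before it reaches the tunnel, and
! pass everything else as normal.
ip access-list extended EDGE-IN
 permit gre host 192.0.2.1 host 203.0.113.1
 deny   gre any any log
 permit ip any any
!
! Applied on input at the carrier-facing interface rather than on output,
! which is the placement Hugo describes.
interface GigabitEthernet0/0
 description Upstream / carrier
 ip access-group EDGE-IN in
```

The ACL drops GRE from any source other than the scrubber, which covers the common case. GRE that spoofs the scrubber's own source address (Hugo's harder case) still matches the permit line; on IOS releases whose extended ACLs can match on TTL, that is the additional knob Hugo alludes to, and upstream anti-spoofing (uRPF or BCP 38 filtering at the carrier) is the other defence.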
