Reaching out to Sony NOC, resolving DDoS Issues - Need POC
On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov <ximaera at gmail.com> wrote:
> On Tue, Jan 28, 2020, 4:02 AM Damian Menscher via NANOG <nanog at nanog.org>
> wrote:
>
>> The victim already posted the signature to this thread:
>> - source IP: 51.81.119.7
>> - protocol: 6 (tcp)
>> - tcp_flags: 2 (syn)
>>
>> That alone is sufficient for Level3/CenturyLink/etc to identify the
>> source of this abuse and apply filters, if they choose.
>>
>
> If this endpoint doesn't connect to anything outside of their network,
> then yes.
> If it does though, the design of the filter might become more complicated.
>
Not really... just requires sorting by volume. Turns out most legitimate
hosts don't send high-volume syn packets. ;) The same could be said of
high-volume UDP packets destined to known amplification ports.
> If the OP posted their IPv4 addresses and networks to the list, it could've
> been easier though (however the concerns about the administrative
> processing procedures outlined before still apply).
>
The victim info is only really needed if you are focused on a particular
case. A motivated person at a transit provider could likely identify all
sources of spoofing (from their customers) with a day's work. Multiple
transit providers would need to work together to address all cases, as the
source might be a customer of only one of them.
If anyone at a transit provider wants to attempt this, feel free to contact
me off-list for tips.
Damian
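
The volume sort described in the message above, as an added example that is not part of the original post: flow records matching the posted signature (source IP, protocol 6, tcp_flags 2) are summed per ingress port and ranked, and the same ranking is run without a fixed source IP. The record layout, the port names, the sample flows and the 10,000-packet threshold are constructed assumptions.

```python
from collections import Counter
from typing import NamedTuple, Optional

class Flow(NamedTuple):
    ingress: str     # customer-facing port the flow entered on (hypothetical names)
    src: str         # source IP as seen in the packet header
    proto: int       # IP protocol number
    tcp_flags: int   # cumulative OR of TCP flags seen in the flow
    packets: int

SIGNATURE_SRC = "51.81.119.7"   # source IP from the signature quoted in the thread
TCP, SYN_ONLY = 6, 2            # protocol 6, tcp_flags 2, as posted

# Constructed sample flow records (not real traffic).
FLOWS = [
    Flow("cust-a", "51.81.119.7", 6, 2, 480_000),
    Flow("cust-a", "51.81.119.7", 6, 2, 510_000),
    Flow("cust-b", "51.81.119.7", 6, 2, 40),
    Flow("cust-b", "51.81.119.7", 6, 27, 900),    # full session: FIN|SYN|PSH|ACK
    Flow("cust-c", "198.51.100.20", 6, 2, 12),
    Flow("cust-c", "203.0.113.9", 17, 0, 70_000), # UDP, ignored by this check
]

def syn_only_by_ingress(flows, src: Optional[str] = None):
    """Sum SYN-only TCP packets per ingress port, highest volume first.

    With src set, only flows carrying that source IP are counted (the
    per-case signature); with src=None every SYN-only flow is counted.
    """
    totals = Counter()
    for f in flows:
        if f.proto == TCP and f.tcp_flags == SYN_ONLY and (src is None or f.src == src):
            totals[f.ingress] += f.packets
    return totals.most_common()

def high_volume_ports(flows, src: Optional[str] = None, min_packets: int = 10_000):
    """Ports whose SYN-only volume reaches min_packets (assumed threshold)."""
    return [(port, n) for port, n in syn_only_by_ingress(flows, src) if n >= min_packets]

if __name__ == "__main__":
    for port, n in syn_only_by_ingress(FLOWS, SIGNATURE_SRC):
        print(f"{port:8} {n:>10} SYN-only packets from {SIGNATURE_SRC}")
    print("candidates for filtering:", high_volume_ports(FLOWS))
```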