Reaching out to Sony NOC, resolving DDoS Issues - Need POC
On Mon, Jan 27, 2020 at 5:43 PM Töma Gavrichenkov <ximaera at gmail.com> wrote:
> On Tue, Jan 28, 2020, 4:32 AM Damian Menscher <damian at google.com> wrote:
>
>> On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov <ximaera at gmail.com>
>> wrote:
>>
>>> If this endpoint doesn't connect to anything outside of their network,
>>> then yes.
>>> If it does though, the design of the filter might become more
>>> complicated.
>>>
>>
>> Not really... just requires sorting by volume. Turns out most legitimate
>> hosts don't send high-volume syn packets. ;)
>>
>
> This is a good *detection* technique, but you cannot filter by volume in
> transit if the set of destinations is large (and random) enough, and you
> don't have a time machine. Not sure if this is the case but might as well
> be.
>
They don't need to filter by destination. Once a problem customer has been
identified, they can apply an ACL restricting them to only originate IPs
they own. This was all covered in my talk at NANOG last year:
https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976

> As for the detection of the real source, everything is technically possible
> but you need certain bargaining power which a medium-sized (at best) VPN
> service probably doesn't have.
>
True, but there are ways around that, including public shaming (here), or
involving law enforcement.
Damian
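
The two steps discussed in this message (rank customers by SYN volume, then restrict the identified customer to source addresses they own), sketched in Python as an added example that is not part of the original post. The customer names, prefixes, flow records and the `min_foreign_syn` threshold are constructed assumptions, and the ACL is a vendor-neutral list of rules rather than any router's syntax.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: prefixes assigned to each customer port (documentation ranges).
ASSIGNED = {
    "cust-a": [ip_network("192.0.2.0/25")],
    "cust-b": [ip_network("198.51.100.0/24")],
    "cust-c": [ip_network("203.0.113.0/24")],
}

# Constructed flow samples: (ingress customer, source IP, TCP flags, packets).
FLOWS = [
    ("cust-a", "192.0.2.10", "S", 40),
    ("cust-a", "192.0.2.11", "SA", 900),
    ("cust-b", "198.51.100.7", "S", 120),
    ("cust-b", "10.45.3.9", "S", 250000),
    ("cust-b", "172.16.88.1", "S", 310000),
    ("cust-b", "198.51.100.7", "A", 5000),
    ("cust-c", "203.0.113.5", "S", 75),
]

def syn_stats(flows):
    """Sum pure-SYN packets per customer, split out sources they do not own."""
    stats = defaultdict(lambda: {"syn": 0, "foreign_syn": 0})
    for cust, src, flags, pkts in flows:
        if flags != "S":  # count initial SYNs only, not SYN-ACK or ACK
            continue
        stats[cust]["syn"] += pkts
        if not any(ip_address(src) in net for net in ASSIGNED[cust]):
            stats[cust]["foreign_syn"] += pkts
    return dict(stats)

def rank_by_syn(flows):
    """Detection step: customers sorted by SYN volume, highest first."""
    stats = syn_stats(flows)
    return sorted(stats, key=lambda c: stats[c]["syn"], reverse=True)

def problem_customers(flows, min_foreign_syn=1000):
    """Customers originating SYNs from addresses outside their assignment."""
    stats = syn_stats(flows)
    return [c for c in rank_by_syn(flows) if stats[c]["foreign_syn"] >= min_foreign_syn]

def ingress_acl(cust):
    """Mitigation step: permit only the customer's own prefixes as source."""
    return [("permit", str(n)) for n in ASSIGNED[cust]] + [("deny", "any")]

if __name__ == "__main__":
    for cust in problem_customers(FLOWS):
        print(cust, syn_stats(FLOWS)[cust], ingress_acl(cust))
```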