The victim already posted the signature to this thread:

- source IP: 51.81.119.7
- protocol: 6 (tcp)
- tcp_flags: 2 (syn)

That alone is sufficient for Level3/CenturyLink/etc to identify the source of
this abuse and apply filters, if they choose.

For a more detailed explanation of how to trace and filter spoofed attacks,
see my talk at NANOG last year:
https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976

Damian

On Mon, Jan 27, 2020 at 4:57 PM Mike Hammett <[email protected]> wrote:

> How would they know what to look for?
>
> I'm assuming Sony isn't cooperating.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ------------------------------
> *From: *"Ben Cannon" <[email protected]>
> *To: *"Mike Hammett" <[email protected]>
> *Cc: *"Roland Dobbins" <[email protected]>, "NANOG Operators' Group" <[email protected]>
> *Sent: *Monday, January 27, 2020 6:40:25 PM
> *Subject: *Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
>
> Transit carriers could work the flows backwards.
>
> -Ben Cannon
> CEO 6x7 Networks & 6x7 Telecom, LLC
> [email protected]
>
> On Jan 27, 2020, at 4:39 PM, Mike Hammett <[email protected]> wrote:
>
> If someone is being spoofed, they aren't receiving the spoofed packets.
> How are they supposed to collect anything on the attack?
>
> Offending host pretending to be Octolus -> Sony -> Real Octolus.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> ------------------------------
> *From: *"Roland Dobbins" <[email protected]>
> *To: *"Octolus Development" <[email protected]>
> *Cc: *"Heather Schiller via NANOG" <[email protected]>
> *Sent: *Monday, January 27, 2020 6:29:16 PM
> *Subject: *Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC
>
> On Jan 28, 2020, at 04:12, Octolus Development <[email protected]> wrote:
>
> > It is impossible to find the true origin of where the spoofed attacks are
> > coming from.
>
> This is demonstrably untrue.
>
> If you provide the requisite information to operators, they can look
> through their flow telemetry collection/analysis systems in order to
> determine whether the spoofed traffic traversed their network; if it did
> so, they will see where it ingressed their network.
>
> With enough participants who have this capability, it's possible to trace
> the spoofed traffic back to its origin network, or at least some network or
> networks topologically proximate to the origin network.
>
> That's what Damian is suggesting.
>
> --------------------------------------------
> Roland Dobbins <[email protected]>
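The flow-telemetry lookup Damian and Roland describe, as an added example that is not part of this thread or any poster's own tooling: match the posted signature (source IP, protocol 6, tcp_flags 2) against NetFlow-style records and sum matching packets per ingress interface. The flow records, interface names and packet counts are constructed for illustration.

```python
from collections import Counter

SYN, ACK = 0x02, 0x10

# Signature as posted in the thread: source IP, protocol 6, tcp_flags 2 (SYN).
SIGNATURE = {"src_ip": "51.81.119.7", "proto": 6, "tcp_flags": SYN}

# Constructed flow records (not real telemetry), fields modeled on a NetFlow
# v5/v9 export. tcp_flags is the OR of all flags seen in the flow, so a
# SYN-only flow never completed a handshake, typical of a spoofed flood.
FLOWS = [
    {"src_ip": "51.81.119.7", "dst_ip": "198.51.100.20", "proto": 6,
     "tcp_flags": SYN, "in_if": "xe-0/0/1 (peer-A)", "pkts": 48000},
    {"src_ip": "51.81.119.7", "dst_ip": "198.51.100.20", "proto": 6,
     "tcp_flags": SYN, "in_if": "xe-0/0/1 (peer-A)", "pkts": 51000},
    {"src_ip": "51.81.119.7", "dst_ip": "198.51.100.21", "proto": 6,
     "tcp_flags": SYN, "in_if": "xe-0/0/3 (customer-B)", "pkts": 900},
    # Real session from the address's legitimate holder: SYN|ACK was seen.
    {"src_ip": "51.81.119.7", "dst_ip": "198.51.100.20", "proto": 6,
     "tcp_flags": SYN | ACK, "in_if": "xe-0/0/2 (peer-C)", "pkts": 300},
    # UDP from the same address: wrong protocol, outside the signature.
    {"src_ip": "51.81.119.7", "dst_ip": "198.51.100.20", "proto": 17,
     "tcp_flags": 0, "in_if": "xe-0/0/1 (peer-A)", "pkts": 1200},
]

def matches(flow, sig=SIGNATURE):
    """True when every field of the posted signature is present and equal."""
    return all(flow.get(k) == v for k, v in sig.items())

def ingress_by_interface(flows, sig=SIGNATURE):
    """Packets of matching flows per ingress interface. The top entry is
    where this operator looks next, or which upstream it asks."""
    counts = Counter()
    for flow in flows:
        if matches(flow, sig):
            counts[flow["in_if"]] += flow["pkts"]
    return counts

def likely_ingress(flows, sig=SIGNATURE):
    """Interface carrying most matching traffic, or None if it never traversed."""
    counts = ingress_by_interface(flows, sig)
    return counts.most_common(1)[0][0] if counts else None

if __name__ == "__main__":
    for iface, pkts in ingress_by_interface(FLOWS).most_common():
        print(f"{pkts:>8} pkts via {iface}")
```

Requiring the exact flag value is what separates the flood from legitimate traffic using the same address: a flow that completed a handshake carries SYN|ACK and drops out of the match.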

