On Mon, Jan 27, 2020 at 5:43 PM Töma Gavrichenkov <[email protected]> wrote:
> On Tue, Jan 28, 2020, 4:32 AM Damian Menscher <[email protected]> wrote: > >> On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov <[email protected]> >> wrote: >> >>> If this endpoint doesn't connect to anything outside of their network, >>> then yes. >>> If it does though, the design of the filter might become more >>> complicated. >>> >> >> Not really... just requires sorting by volume. Turns out most legitimate >> hosts don't send high-volume syn packets. ;) >> > > This is a good *detection* technique, but you cannot filter by volume in > transit if the set of destinations is large (and random) enough, and you > don't have a time machine. Not sure if this is the case but might as well > be. > They don't need to filter by destination. Once a problem customer has been identified, they can apply an ACL restricting them to only originate IPs they own. This was all covered in my talk at NANOG last year: https://pc.nanog.org/static/published/meetings//NANOG76/daily/day_2.html#talk_1976 As for the detection of the real source, everything is technically possible > but you need certain bargaining power which a medium-sized (at best) VPN > service probably doesn't have. > True, but there are ways around that, including public shaming (here), or involving law enforcement. Damian
