> On Sep 23, 2016, at 5:39 PM, Hugo Slabbert <h...@slabnet.com> wrote:
> 
> If the attackers were hitting the GRE tunnel destination and spoofing the 
> tunnel source that would make things harder, but that's starting to get into 
> rather intimate knowledge of the scrubber's and customer's setup.  I could 
> still probably filter on e.g. TTLs or drop GRE further up to the northern 
> edge on input rather than output, but agreed that is starting to get 
> trickier...

My experiences are that under duress most people make poor choices and don’t 
properly filter these types of traffic.  

How many times have you turned off a filter to debug something?  Making a 
tunnel work is trickier than it seems and not all devices can terminate them.

In Cisco IOS land, you also have to have an IP address on the tunnel for it to 
handle IP traffic, even if it’s “ip unnumbered”.

My guess is someone terminates on their P2P link to carrier, and that is easy 
enough to find w/ traceroute/mtr.

- Jared
