Re: DDOS solution recommendation

[Mike Hammett <nanog () ics-il net>]

I know that UDP can be spoofed, but it's not likely that the SSH, mail, etc. login attempts, web page hits, etc. would 
be spoofed as they'd have to know the response to be of any good. 

There's more going on than UDP spoofing\amplification. Frankly the most damaging thing to me has been SMTP hijacking. 
For you to login to my SMTP server and send e-mail out, there's going to be one hell of a conversation going on. 

However, the thought is that if someone's PC is hijacked and trying to login to my SMTP server, it'll be doing 
something else later (or even concurrently). Enough deployment (in addition to BCP 38), and most of the threats are 
mitigated. 




----- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 



----- Original Message -----

From: "Patrick W. Gilmore" <patrick () ianai net> 
To: "NANOG list" <nanog () nanog org> 
Sent: Sunday, January 11, 2015 3:14:27 PM 
Subject: Re: DDOS solution recommendation 

You are very confused about how the Internet works. 

Or did you not understand the words "with source of"? 

Wait, maybe you have some magic to tell the actual source of a packet than the 32/128 bits in the "source" field? 
Because if you do, you stand to make a few billion dollars, and I'll be one of the first to pay you for it. (I'm 
specifically excluding things that give hints like TTL & incoming interface. To get paid, you need to tell me the 
ACTUAL source of a spoofed packet.) 

While I will admit I do not know which of the above is true, my money is on #1. 

-- 
TTFN, 
patrick 

> On Jan 11, 2015, at 16:08 , Mike Hammett <nanog () ics-il net> wrote: 
>
> If that were to happen, it'd be for 30 days and it'd be whatever random residential account or APNIC address that was 
> doing it. Not really a big loss. 
>
>
>
>
> ----- 
> Mike Hammett 
> Intelligent Computing Solutions 
> http://www.ics-il.com 
>
>
>
> ----- Original Message ----- 
>
> From: "Patrick W. Gilmore" <patrick () ianai net> 
> To: "NANOG list" <nanog () nanog org> 
> Sent: Sunday, January 11, 2015 1:42:13 PM 
> Subject: Re: DDOS solution recommendation 
>
> I do love solutions which open larger attack surfaces than they are supposed to close. In the US, we call that "a 
> cure worse than the disease". 
>
> Send packet from random bot with source of Google, Comcast, Akamai, etc. to Mr. Hammett's not-DNS / honeypot / 
> whatever, and watch him close himself off from the world. 
>
> Voilà! Denial of service accomplished without all the hassle of sending 100s of Gbps of traffic. 
>
> Best part is he was willing to explain this to 10,000+ of his not-so-closest friends, in a search-engine-indexed 
> manner. 
>
> -- 
> TTFN, 
> patrick 
>
> On Jan 11, 2015, at 14:34 , Phil Bedard <bedard.phil () gmail com> wrote: 
> > Many attacks can use spoofed source IPs, so who are you really blocking? 
> >
> > That's why BCP38 as mentioned many times already is a necessary tool in 
> > fighting the attacks overall. 
> >
> > Phil 
> >
> >
> >
> >
> > On 1/11/15, 4:33 PM, "Mike Hammett" <nanog () ics-il net> wrote: 
> >
> > > I didn't necessarily think I was shattering minds with my ideas. 
> > >
> > > I don't have the time to read a dozen presentations. 
> > >
> > > Blackhole them and move on. I don't care whose feelings I hurt. This 
> > > isn't kindergarten. Maybe "you" should have tried a little harder to not 
> > > get a virus in the first place. Quit clicking on male enhancement ads or 
> > > update your OS occasionally. I'm not going to spend a bunch of time and 
> > > money to make sure someone's bubble of bliss doesn't get popped. Swift, 
> > > effective, cheap. Besides, you're only cut off for 30 days. If in 30 days 
> > > you can prove yourself to be responsible, we can try this again. Well, 
> > > that or a sufficient support request. 
> > >
> > > Besides, if enough people did hat, the list of blackholes wouldn't be 
> > > huge as someone upstream already blocked them. 
> > >
> > >
> > >
> > >
> > > ----- 
> > > Mike Hammett 
> > > Intelligent Computing Solutions 
> > > http://www.ics-il.com 
> > >
> > >
> > >
> > > ----- Original Message ----- 
> > >
> > > From: "Roland Dobbins" <rdobbins () arbor net> 
> > > To: nanog () nanog org 
> > > Sent: Sunday, January 11, 2015 9:29:33 AM 
> > > Subject: Re: DDOS solution recommendation 
> > >
> > >
> > > On 11 Jan 2015, at 22:21, Mike Hammett wrote: 
> > >
> > > > I'm not saying what you're doing is wrong, I'm saying whatever the 
> > > > industry as a whole is doing obviously isn't working and perhaps a 
> > > > different approach is required. 
> > >
> > > You haven't recommended anything new, and you really need to do some 
> > > reading in order to understand why it isn't as simple as you seem to 
> > > think it is. 
> > >
> > > > Security teams? My network has me, myself and I. 
> > >
> > > And a relatively small network, too. 
> > >
> > > > If for example ChinaNet's abuse department isn't doing anything about 
> > > > complains, eventually their whole network gets blocked a /32 at a 
> > > > time. *shrugs* Their loss. 
> > >
> > > Again, it isn't that simple. 
> > >
> > > ----------------------------------- 
> > > Roland Dobbins <rdobbins () arbor net>