The amplifier would receive a query from a spoofed IP address, and respond using a legit IP address. So the attacker needs to control some computers that can spoof the victim’s IP address, but the actual attack traffic comes from the amplifiers using legit source IPs.
In the case of IoT botnets, I'm not sure any spoofing is required.

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
Sent: Friday, October 21, 2016 12:21 PM
To: af@afmug.com
Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick

It's a good start. It attempts to prevent spoofed traffic originating from your network from leaving your network (BCP38).

On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:

It can't be that simple...can it?

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St Suite 1337
Troy, OH 45373

On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net> wrote:

/ip firewall address-list
add list=Public-IPs address=x.x.x.x/yy disabled=no comment="My IPs"
add list=Public-IPs address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"

/ip firewall filter
add action=drop chain=forward comment="Drop spoofed traffic (source not in our prefixes)" disabled=no out-interface=To-Upstream src-address-list=!Public-IPs

That was largely composed off the top of my head and typed on my phone, so it may not be completely accurate. You should also do it on customer-facing ports, not allowing anything to come in, but that would be best approached once Mikrotik adds the per-interface setting for unicast reverse path filtering. You would then set said customer-facing interfaces to strict and all other interfaces to loose. They accepted the feature request, just haven't implemented it yet.
-----
Mike Hammett
Intelligent Computing Solutions <http://www.ics-il.com/>
<https://www.facebook.com/ICSIL> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> <https://www.linkedin.com/company/intelligent-computing-solutions> <https://twitter.com/ICSIL>
Midwest Internet Exchange <http://www.midwest-ix.com/>
<https://www.facebook.com/mdwestix> <https://www.linkedin.com/company/midwest-internet-exchange> <https://twitter.com/mdwestix>
The Brothers WISP <http://www.thebrotherswisp.com/>
<https://www.facebook.com/thebrotherswisp> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>

From: "Mike Hammett" <af...@ics-il.net>
To: af@afmug.com
Sent: Friday, October 21, 2016 11:21:35 AM
Subject: [AFMUG] Another large DDoS, Stop Being a Dick

There's another large DDoS going on now.

Go to this page to see if you can be used for UDP amplification (or other spoofing) attacks:
https://www.caida.org/projects/spoofer/

Go to these pages for more longer-term bad behavior monitoring:
https://www.shadowserver.org/wiki/
https://radar.qrator.net/

Maybe we need to start a database of ASNs WISPs are using and start naming and shaming them when they have bad actors on their network.

This is serious, people. Take it seriously.
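The thread proposes two layers: the address-list egress rule toward the upstream (BCP38) and, once the platform supports it, per-interface unicast RPF with strict mode on customer ports and loose mode elsewhere. The following is an added example, not code from the thread or from MikroTik: a Python model of both checks run over a constructed forwarding table and constructed sample packets, so the difference between the two layers (and between strict and loose uRPF) can be seen on concrete inputs. The prefixes (RFC 5737 and RFC 3849 documentation space), interface names, policy table and sample packets are all hypothetical.

```python
"""
Added example (not from the AFMUG thread): a model of BCP38 egress filtering
and per-interface unicast reverse-path forwarding (uRPF), strict vs loose,
over a constructed forwarding table. Prefixes, interface names and the
policy table are hypothetical; this is not RouterOS configuration.
"""
import ipaddress
from typing import Dict, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed forwarding table: prefix -> interface the router forwards out of.
# "upstream" is the transit link; "cust-*" are customer-facing ports.
FIB: Dict[str, str] = {
    "0.0.0.0/0": "upstream",       # IPv4 default route
    "198.51.100.0/24": "cust-a",   # customer A
    "203.0.113.0/24": "cust-b",    # customer B
    "192.0.2.0/26": "cust-c",      # customer C, a smaller block
    "2001:db8::/32": "cust-a",     # customer A's IPv6 block (no v6 default here)
}

# Per-interface uRPF mode as the thread proposes: strict on customer ports,
# loose on everything else. Loose mode on the transit link must be allowed to
# use the default route, otherwise every inbound Internet source is dropped.
URPF_MODE: Dict[str, str] = {
    "cust-a": "strict", "cust-b": "strict", "cust-c": "strict",
    "upstream": "loose",
}
ALLOW_DEFAULT = {"upstream"}
UPSTREAM = "upstream"


def lookup(addr: str) -> Optional[Tuple[Net, str]]:
    """Longest-prefix match of addr against FIB; None if no route exists."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Tuple[Net, str]] = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if net.version != ip.version or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best


def is_our_prefix(addr: str) -> bool:
    """The address-list test: addr lies inside a prefix we or a downstream
    customer hold, i.e. any FIB entry more specific than the default route."""
    match = lookup(addr)
    return match is not None and match[0].prefixlen > 0


def bcp38_egress(src: str, out_iface: str) -> str:
    """Equivalent of the forward-chain rule: on the way out to the upstream,
    drop anything whose source is not in our address list."""
    if out_iface != UPSTREAM:
        return "accept"
    return "accept" if is_our_prefix(src) else "drop"


def urpf(src: str, in_iface: str, mode: str, allow_default: bool = False) -> str:
    """uRPF check on an inbound packet.
    strict: the route back to src must leave via the interface it arrived on.
    loose:  any route back to src suffices (default route only if allowed)."""
    match = lookup(src)
    if match is None:
        return "drop"                      # no route at all (e.g. bogon)
    net, reverse_iface = match
    if net.prefixlen == 0 and not allow_default:
        return "drop"                      # only the default route knows it
    if mode == "strict":
        return "accept" if reverse_iface == in_iface else "drop"
    if mode == "loose":
        return "accept"
    raise ValueError(f"unknown uRPF mode {mode!r}")


def evaluate(src: str, in_iface: str, out_iface: str) -> Tuple[str, str]:
    """Apply per-interface uRPF on ingress and the BCP38 rule on egress.
    Returns (urpf_verdict, egress_verdict)."""
    ingress = urpf(src, in_iface, URPF_MODE[in_iface], in_iface in ALLOW_DEFAULT)
    return ingress, bcp38_egress(src, out_iface)


# Constructed sample packets: (src, ingress iface, egress iface, note).
# 192.0.2.200 is outside customer C's /26, so only the default route matches it.
SAMPLES = [
    ("198.51.100.7", "cust-a", "upstream", "customer A, legitimate source"),
    ("203.0.113.9", "cust-a", "upstream", "customer A spoofing customer B's block"),
    ("192.0.2.200", "cust-a", "upstream", "customer A spoofing an outside host"),
    ("2001:db8::1", "cust-b", "upstream", "customer B spoofing A's IPv6 block"),
    ("192.0.2.200", "upstream", "cust-a", "ordinary inbound packet"),
    ("198.51.100.7", "upstream", "cust-a", "inbound packet claiming our own space"),
]

if __name__ == "__main__":
    for src, in_if, out_if, note in SAMPLES:
        ingress, egress = evaluate(src, in_if, out_if)
        print(f"{src:>14} {in_if:>8} -> {out_if:<8} uRPF={ingress:<6} BCP38={egress:<6} {note}")
```

The second sample is the case Mike's follow-up is getting at: a customer spoofing another customer's block passes the single upstream-facing address-list rule, because the source is in "our" space, and is only caught by strict uRPF on the customer port. The last sample shows the limit of loose mode on the transit link: an inbound packet forged with one of our own prefixes is accepted, while `urpf(..., "strict", allow_default=True)` would drop it; strict mode on a multi-homed upstream also drops legitimate asymmetric traffic, which is why the thread keeps strict for customer ports only.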