On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov <xima...@gmail.com> wrote:

> On Tue, Jan 28, 2020, 4:02 AM Damian Menscher via NANOG <nanog@nanog.org>
> wrote:
>
>> The victim already posted the signature to this thread:
>> - source IP: 51.81.119.7
>> - protocol: 6 (tcp)
>> - tcp_flags: 2 (syn)
>>
>> That alone is sufficient for Level3/CenturyLink/etc to identify the
>> source of this abuse and apply filters, if they choose.
>
> If this endpoint doesn't connect to anything outside of their network,
> then yes.
> If it does though, the design of the filter might become more complicated.

Not really... just requires sorting by volume. Turns out most legitimate
hosts don't send high-volume syn packets. ;) The same could be said of
high-volume UDP packets destined to known amplification ports.

> If the OP posted their IPv4 addresses and networks to the list, it could've
> been easier though (however the concerns about the administrative
> processing procedures outlined before still apply).

The victim info is only really needed if you are focused on a particular
case. A motivated person at a transit provider could likely identify all
sources of spoofing (from their customers) with a day's work. Multiple
transit providers would need to work together to address all cases, as the
source might be a customer of only one of them. If anyone at a transit
provider wants to attempt this feel free to contact me off-list for tips.

Damian
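The "sort by volume" approach described in the message above, as an added example that is not part of the thread or any provider's tooling: it aggregates NetFlow-style records per source and ranks sources by SYN-only TCP packets plus UDP packets to reflection ports. The record layout, the amplification-port list, the 100,000-packet threshold and the 192.0.2.0/24 sample sources are all assumptions constructed for the example.

```python
# Rank sources by SYN-only and amplification-port packet volume over
# NetFlow-style records (constructed example, not code from the thread).
from collections import defaultdict

# UDP ports commonly abused for reflection (assumed list, extend as needed).
AMP_PORTS = {53, 123, 161, 389, 1900, 11211}
TCP_SYN = 0x02  # SYN bit alone, matching the posted "tcp_flags: 2 (syn)"

# Constructed sample flows: (src, proto, dport, tcp_flags, packets).
# 192.0.2.0/24 is documentation space; no real hosts are named here.
SAMPLE_FLOWS = [
    ("192.0.2.10", 6, 443, 0x12, 40),      # SYN/ACK: normal server reply
    ("192.0.2.10", 6, 80, 0x18, 900),      # PSH/ACK: normal data transfer
    ("192.0.2.77", 6, 80, 0x02, 250000),   # SYN-only: flood
    ("192.0.2.77", 6, 443, 0x02, 180000),  # SYN-only: flood
    ("192.0.2.20", 17, 53, 0, 120),        # a few legitimate DNS queries
    ("192.0.2.99", 17, 123, 0, 600000),    # NTP reflection volume
    ("192.0.2.99", 17, 11211, 0, 300000),  # memcached reflection volume
]


def aggregate(flows):
    """Per-source packet totals: all, SYN-only TCP, and UDP to amp ports."""
    stats = defaultdict(lambda: {"total": 0, "syn_only": 0, "amp_udp": 0})
    for src, proto, dport, flags, pkts in flows:
        s = stats[src]
        s["total"] += pkts
        if proto == 6 and flags == TCP_SYN:
            s["syn_only"] += pkts
        elif proto == 17 and dport in AMP_PORTS:
            s["amp_udp"] += pkts
    return stats


def rank_suspects(flows, min_pkts=100000):
    """Sources whose suspect volume reaches min_pkts, highest first.

    Suspect volume = SYN-only packets + UDP packets to amp ports; the
    threshold lets low-volume legitimate senders drop out without needing
    any per-victim signature.
    """
    ranked = []
    for src, s in aggregate(flows).items():
        suspect = s["syn_only"] + s["amp_udp"]
        if suspect >= min_pkts:
            reason = "syn_flood" if s["syn_only"] >= s["amp_udp"] else "amp_udp"
            ranked.append((src, reason, suspect))
    return sorted(ranked, key=lambda r: r[2], reverse=True)
```

On real exports the same loop runs over flows from customer-facing interfaces, and the threshold is tuned against the provider's own baseline.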