[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DDOS solution recommendation

Subject: DDOS solution recommendation
From: gtaylor at tnetconsulting.net (Grant Taylor)
Date: Sun, 11 Jan 2015 18:56:30 -0600
In-reply-to: <24459190.3096.1421011316528.JavaMail.mhammett@ThunderFuck>
References: <24459190.3096.1421011316528.JavaMail.mhammett@ThunderFuck>

On 01/11/2015 03:22 PM, Mike Hammett wrote:
> I know that UDP can be spoofed, but it's not likely that the SSH,
> mail, etc. login attempts, web page hits, etc. would be spoofed as
> they'd have to know the response to be of any good.

I encourage you to investigate "Triangular Spamming". 
(http://www.cs.ucr.edu/~zhiyunq/pub/oakland10_triangular_spamming.pdf) 
The "Triangular..." technique does specifically that, allow the attacker 
to "...know the responses...".

In short, the bot receives the reply to the spoofed source IP and 
forwards information on to the attacker so that it can continue the 
conversation.  In effect, three parties are having a one way 
conversation in a ring.

> There's more going on than UDP spoofing\amplification. Frankly the
> most damaging thing to me has been SMTP hijacking. For you to login
> to my SMTP server and send e-mail out, there's going to be one hell
> of a conversation going on.

Yes, there is what appears to you to be be a conversation going on. 
However, the source of what you are hearing is not where you think it's 
from.

-- 
Grant. . . .
unix || die

Follow-Ups:
- DDOS solution recommendation
  - From: marka at isc.org (Mark Andrews)

References:
- DDOS solution recommendation
  - From: nanog at ics-il.net (Mike Hammett)

Prev by Date: DDOS solution recommendation
Next by Date: DDOS solution recommendation
Previous by thread: DDOS solution recommendation
Next by thread: DDOS solution recommendation
Index(es):
- Date
- Thread