automatic rtbh trigger using flow data
On Sun 2018-Sep-02 10:09:32 +0700, Roland Dobbins <rdobbins at arbor.net> wrote:
>
>On 1 Sep 2018, at 1:43, Hugo Slabbert wrote:
>
>>Generally on the TCP side you can try SYN or ACK floods, but you're
>>not going to get an amplified reflection.
>
>Actually, TCP reflection/amplification has been on the increase; the
>attacker is guaranteed at least 4:1 amplification in most
>circumstances, the number of reflectors/amplifiers is for all
>practical purposes infinite, and they're mostly legitimate,
>non-broken services/applications.
Fair. I guess in terms of common reflect/amp vector at $dayjob we just see
UDP-based significantly more frequently on large volumetric attacks given
the amp factor on some vectors is so huge.
Some relevant reading I need to revisit:
https://www.usenix.org/sites/default/files/conference/protected-files/woot14_slides_kuhrer.pdf
https://www.usenix.org/system/files/conference/woot14/woot14-kuhrer.pdf
>And as always, it's important to note that with all
>reflection/amplification attacks, the root of the issue is the lack of
>universal source-address validation (SAV). Without the ability to spoof,
>there would be no reflection/amplification attacks.
ACK, pun intended.
>-----------------------------------
>Roland Dobbins <rdobbins at arbor.net>
--
Hugo Slabbert | email, xmpp/jabber: hugo at slabnet.com
pgp key: B178313E | also on Signal
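The thread's point about source-address validation (SAV) is that reflection/amplification only works because spoofed packets are allowed to leave the network that originates them. The following is an added illustration, not code from the thread or from either poster, of the ingress check a SAV policy implies: each customer-facing interface is mapped to the prefixes that customer is allowed to source, and flow records whose source address falls outside that set are flagged. The interface names, prefixes and flow records below are constructed sample data, and the `ALLOWED_SOURCES` table is an assumed stand-in for whatever prefix inventory an operator actually keeps.

```python
import ipaddress
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class FlowRecord:
    """One exported flow record (fields reduced to what the SAV check needs)."""
    ingress_if: str
    src: str
    dst: str
    proto: int
    src_port: int
    dst_port: int
    octets: int


# Constructed example: customer edge interface -> prefixes that customer may source.
# Interfaces absent from this table (e.g. transit/peering) get no SAV check here.
ALLOWED_SOURCES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "ge-0/0/2": [
        ipaddress.ip_network("198.51.100.0/25"),
        ipaddress.ip_network("2001:db8:100::/48"),
    ],
}


def is_valid_source(ingress_if, src):
    """Return True/False for a customer-edge flow, or None if the interface
    is not subject to the ingress check (no prefix list configured)."""
    nets = ALLOWED_SOURCES.get(ingress_if)
    if nets is None:
        return None
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def find_spoofed_flows(flows):
    """Flows seen on a customer edge whose source is outside the allowed prefixes."""
    return [f for f in flows if is_valid_source(f.ingress_if, f.src) is False]


def spoofed_octets_by_interface(flows):
    """Aggregate spoofed traffic volume per ingress interface so the operator
    knows which edge is leaking spoofed packets (the fix is filtering on that
    edge; the spoofed source address itself is not a useful RTBH target)."""
    totals = defaultdict(int)
    for f in find_spoofed_flows(flows):
        totals[f.ingress_if] += f.octets
    return dict(totals)


# Constructed sample flows; addresses are from documentation ranges.
SAMPLE_FLOWS = [
    FlowRecord("ge-0/0/1", "192.0.2.10", "203.0.113.5", 17, 40001, 53, 90),
    # source not in 192.0.2.0/24: spoofed packet towards an NTP reflector
    FlowRecord("ge-0/0/1", "203.0.113.77", "198.51.100.200", 17, 123, 123, 4800),
    # 198.51.100.130 is outside 198.51.100.0/25
    FlowRecord("ge-0/0/2", "198.51.100.130", "203.0.113.9", 17, 5000, 53, 1200),
    FlowRecord("ge-0/0/2", "2001:db8:100::5", "2001:db8:200::1", 6, 50000, 443, 300),
    # transit interface, not in the table: the check does not apply
    FlowRecord("ge-0/0/0", "203.0.113.1", "192.0.2.10", 6, 443, 50001, 1500),
]


if __name__ == "__main__":
    for f in find_spoofed_flows(SAMPLE_FLOWS):
        print(f"spoofed: if={f.ingress_if} src={f.src} dst={f.dst} octets={f.octets}")
    print(spoofed_octets_by_interface(SAMPLE_FLOWS))
```

Strict-mode uRPF or an explicit ingress ACL on the customer edge does the same comparison in the forwarding plane and drops the packet; running the check over exported flow data, as above, is a way to audit whether that filtering is actually in place and to locate the interface that needs it.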