<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Sep 8, 2016 at 1:48 AM, Phil Regnauld <span dir="ltr"><<a href="mailto:regnauld@nsrc.org" target="_blank">regnauld@nsrc.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">Paul Vixie (paul) writes:<br>
> Damian Menscher wrote:<br>
> >> ...<br>
> >As I said earlier in this thread, reflection without amplification is<br>
> >nearly indistinguishable from a direct (spoofed) attack. ...<br>
><br>
> and as i, and roland, and others have all said, the distinction is more<br>
> notable in our experience than in your claim.<br>
<br>
</span> Lots more work tracking down the source, especially if the initiator<br>
is using multiple reflectors for diversity. Instead of a single<br>
backtrack, it could be 5-10. Knock down one, 9 to go :(</blockquote><div><br></div><div>Tracing a reflected attack is slightly more difficult than tracing a direct attack, but not for the reasons you claim. It's because you need to convince those operating reflectors to perform that traceback for you, and in general they have no incentive to help.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
> when calling NOC's looking for bumps in traffic graphs that might only match<br>
> to one or two sigmas, a reflected attack is in practical terms untraceable.<br>
<br>
</span> It is indeed a pain.</blockquote><div><br></div><div>Tracing spoofed traffic is easy if you use the right tools (netflow) rather than trying to look for bumps in traffic.</div><div><br></div><div>Paul is correct here that many poorly-run networks don't collect or know how to analyze netflow, making their jobs much harder. For those constrained to look for bumps, it's worth noting that it gets easier as you get closer to the source, but even getting near it can be quite challenging. One trick is to simply deploy counters watching for udp/53 traffic (and 123, and 1900, and 19, and ...) -- the top sources should stand out.</div><div><br></div><div>Damian</div></div></div></div>