In message <54b31bbe.3000...@tnetconsulting.net>, Grant Taylor writes:
> On 01/11/2015 03:22 PM, Mike Hammett wrote:
> > I know that UDP can be spoofed, but it's not likely that the SSH,
> > mail, etc. login attempts, web page hits, etc. would be spoofed as
> > they'd have to know the response to be of any good.
>
> I encourage you to investigate "Triangular Spamming".
> (http://www.cs.ucr.edu/~zhiyunq/pub/oakland10_triangular_spamming.pdf)
> The "Triangular..." technique does specifically that, allow the attacker
> to "...know the responses...".
>
> In short, the bot receives the reply to the spoofed source IP and
> forwards information on to the attacker so that it can continue the
> conversation. In effect, three parties are having a one way
> conversation in a ring.
Just because you can only identify one of the two remotes doesn't mean
that you can't report the addresses. It is involved in the communication
stream.

> > There's more going on than UDP spoofing\amplification. Frankly the
> > most damaging thing to me has been SMTP hijacking. For you to login
> > to my SMTP server and send e-mail out, there's going to be one hell
> > of a conversation going on.
>
> Yes, there is what appears to you to be a conversation going on.
> However, the source of what you are hearing is not where you think it's
> from.

Actually it is coming from where you think it is coming from, just not
directly.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
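The three-party ring discussed in the thread, as an added model (this is illustration code, not code from the paper, from any participant, or from any real tool). It models a TCP listener that only checks the ACK number against the ISN it sent, a bot that relays whatever lands on its address to the attacker, and an attacker that forges the bot's address as source. All addresses, ISNs and sequence numbers are constructed, and the model assumes the attacker's network does not filter forged source addresses. The point it makes is the one Mark and Grant are circling: the handshake completes, the server's log contains exactly one remote address, and that address (the bot) really is a party to the stream, so it is still reportable.

```python
# Added illustration for the thread above; not code from the paper or from
# any participant.  All addresses, ISNs and sequence numbers are constructed.
from dataclasses import dataclass, field

ATTACKER = "198.51.100.7"   # constructed (RFC 5737 documentation ranges)
BOT = "203.0.113.42"        # the spoofed source; also the relay
SERVER = "192.0.2.25"       # the SMTP (or any TCP) server being talked to


@dataclass
class Packet:
    src: str
    dst: str
    flags: str
    seq: int = 0
    ack: int = 0


@dataclass
class Server:
    """A deliberately tiny TCP listener: it records the ISN it sent to each
    peer address and only marks a connection established when the ACK
    acknowledges that ISN.  It cannot know who really sent a packet; it
    only ever sees the source address on the wire."""
    isn: int
    pending: dict = field(default_factory=dict)      # peer -> ISN we sent
    established: list = field(default_factory=list)  # peers with a full handshake
    log: list = field(default_factory=list)          # (src, flags), as a log would record

    def receive(self, pkt: Packet):
        self.log.append((pkt.src, pkt.flags))
        if pkt.flags == "SYN":
            self.pending[pkt.src] = self.isn
            # the reply goes to whatever the source field claimed, not to the real sender
            return Packet(SERVER, pkt.src, "SYN-ACK", seq=self.isn, ack=pkt.seq + 1)
        if pkt.flags == "ACK":
            expected = self.pending.get(pkt.src)
            if expected is not None and pkt.ack == expected + 1:
                self.established.append(pkt.src)
        return None


def bot_relay(pkt: Packet) -> Packet:
    """The bot does not answer the server; it forwards what landed on its
    address to the attacker over a separate channel (modelled as a copy).
    This is the assumed relay behaviour, not a specific bot's protocol."""
    return Packet(pkt.src, pkt.dst, pkt.flags, pkt.seq, pkt.ack)


def triangular_handshake(server: Server) -> Server:
    """attacker -> server (spoofed as BOT) -> bot -> attacker -> server."""
    syn = Packet(src=BOT, dst=SERVER, flags="SYN", seq=1000)
    syn_ack = server.receive(syn)            # server answers BOT, not the attacker
    if syn_ack.dst != BOT:
        raise RuntimeError("server should reply to the spoofed source")
    learned = bot_relay(syn_ack)             # bot hands the SYN-ACK to the attacker
    ack = Packet(src=BOT, dst=SERVER, flags="ACK", seq=1001, ack=learned.seq + 1)
    server.receive(ack)                      # attacker completes it, still spoofed
    return server


def blind_spoof(server: Server) -> Server:
    """The same forgery without the relay: the attacker never sees the ISN."""
    server.receive(Packet(src=BOT, dst=SERVER, flags="SYN", seq=1000))
    # the SYN-ACK went to BOT and was discarded; the attacker has to guess
    server.receive(Packet(src=BOT, dst=SERVER, flags="ACK", seq=1001, ack=424242))
    return server


def addresses_in_log(server: Server) -> set:
    """What the server operator can report: every source address it saw."""
    return {src for src, _ in server.log}


if __name__ == "__main__":
    ring = triangular_handshake(Server(isn=5000))
    print("established with:", ring.established)        # [BOT]
    print("addresses in log:", addresses_in_log(ring))   # {BOT}; ATTACKER never appears
    print("blind attempt established:", blind_spoof(Server(isn=5000)).established)  # []
```

Without the relay the forged ACK fails the ISN check, which is the whole reason a completed login session looks like proof of a direct peer; with the relay it succeeds, and the only address the operator ever sees is the bot's, which is nonetheless a real participant in the exchange.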