On Mon, Jan 27, 2020 at 5:10 PM Töma Gavrichenkov <ximaera@gmail.com> wrote:
On Tue, Jan 28, 2020, 4:02 AM Damian Menscher via NANOG <nanog@nanog.org> wrote:
The victim already posted the signature to this thread:
  - source IP: 51.81.119.7
  - protocol: 6 (tcp)
  - tcp_flags: 2 (syn)

That alone is sufficient for Level3/CenturyLink/etc to identify the source of this abuse and apply filters, if they choose.

If this endpoint doesn't connect to anything outside of their network, then yes.
If it does though, the design of the filter might become more complicated.

Not really... just requires sorting by volume.  Turns out most legitimate hosts don't send high-volume syn packets. ;)  The same could be said of high-volume UDP packets destined to known amplification ports.

If the OP posted their IPv4 addresses and networks to the list, it could've been easier though (however the concerns about the administrative processing procedures outlined before still apply).

The victim info is only really needed if you are focused on a particular case.  A motivated person at a transit provider could likely identify all sources of spoofing (from their customers) with a day's work.  Multiple transit providers would need to work together to address all cases, as the source might be a customer of only one of them.

If anyone at a transit provider wants to attempt this feel free to contact me off-list for tips.

Damian