Is malicious asymmetrical routing still a thing?
Back in the olden days, a spammer would set up a server with a fast broadband connection and a dialup connection, and send out lots of spam over the broadband connection using the dialup's IP address. Since mail traffic is quite asymmetric, this got them most of the broadband speed, and when the dialup provider cancelled their service, they could just dial into someone else. Or maybe work through that giant pile of AOL CD-ROMs we all had. The broadband provider often wouldn't notice since it wasn't their IP and they didn't get the complaints.

Is this still a thing? Broadband providers fixed this by some combination of filtering port 25 traffic both ways, and BCP38 so you can only send packets with your own address. Do providers do both of these? More of one than the other? TIA.

R's, John
Sounds like something uRPF would prevent

Does anyone do uRPF ? lol

Aaron
On Mar 9, 2023, at 2:03 PM, John Levine <johnl@iecc.com> wrote:
Back in the olden days, a spammer would set up a server with a fast broadband connection and a dialup connection, and send out lots of spam over the broadband connection using the dialup's IP address. Since mail traffic is quite asymmetric, this got them most of the broadband speed, and when the dialup provider cancelled their service, they could just dial into someone else. Or maybe work through that giant pile of AOL CD-ROMs we all had. The broadband provider often wouldn't notice since it wasn't their IP and they didn't get the complaints.
Is this still a thing? Broadband providers fixed this by some combination of filtering port 25 traffic both ways, and BCP38 so you can only send packets with your own address. Do providers do both of these? More of one than the other? TIA.
R's, John
On Thu, Mar 9, 2023 at 12:27 PM Aaron1 <aaron1@gvtc.com> wrote:
Sounds like something uRPF would prevent
Does anyone do uRPF ? lol
I would hope folks are implementing uRPF on commodity broadband connections. That's one place it works great.

Regards,
Bill Herrin

--
For hire. https://bill.herrin.us/resume/
On Thu, 9 Mar 2023, William Herrin wrote:
On Thu, Mar 9, 2023 at 12:27 PM Aaron1 <aaron1@gvtc.com> wrote:
Sounds like something uRPF would prevent
Does anyone do uRPF ? lol
I would hope folks are implementing uRPF on commodity broadband connections. That's one place it works great.
My home wifi AP blocked me two different ways, but once I got around that, I was able to determine that Spectrum cable Internet does appear to block spoofed source traffic. :)

----------------------------------------------------------------------
Jon Lewis, MCP :)           |  I route
StackPath, Sr. Neteng       |  therefore you are
http://www.lewis.org/~jlewis/pgp for PGP public key
On 3/9/23 1:39 PM, William Herrin wrote:
I would hope folks are implementing uRPF on commodity broadband connections. That's one place it works great.
I would hope so too. I also would hope that uRPF was enabled by default on SOHO routers. And yet ... I'm routinely disappointed.

CAIDA has a Spoofer probe project that tests this very thing. I see periodic announcements to various mailing lists about their monthly results. -- I'll find one if you care to know more. --

Grant. . . .
unix || die
Not this exact scenario, but what we see a lot of in my VPS company is people sending spam by using our VPS' source addresses, but routing outbound via some kind of tunnel to a VPN provider or similar in order to bypass our port 25 blocks. We've had to start blocking source port 25 to catch the replies from the recipient mail servers in order to prevent this kind of abuse.

Chris

On 2023-03-09 12:02, John Levine wrote:
Back in the olden days, a spammer would set up a server with a fast broadband connection and a dialup connection, and send out lots of spam over the broadband connection using the dialup's IP address. Since mail traffic is quite asymmetric, this got them most of the broadband speed, and when the dialup provider cancelled their service, they could just dial into someone else. Or maybe work through that giant pile of AOL CD-ROMs we all had. The broadband provider often wouldn't notice since it wasn't their IP and they didn't get the complaints.
Is this still a thing? Broadband providers fixed this by some combination of filtering port 25 traffic both ways, and BCP38 so you can only send packets with your own address. Do providers do both of these? More of one than the other? TIA.
R's, John
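An added example, not code from the thread or any of its participants: a small Python model of the access-edge policy the posts describe, with a constructed FIB and constructed packets. It applies BCP38 strict uRPF (the check Aaron, Bill and Jon discuss) and the two-way port-25 policy John mentions, including the inbound source-port-25 block Chris added to catch recipient MTAs replying to a spoofed VPS address. Interface names and prefixes are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed FIB for a hypothetical access edge: prefix -> interface it is reached through.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "cust-broadband",  # customer broadband pool
    ipaddress.ip_network("198.51.100.0/24"): "cust-vps",       # VPS customer range
    ipaddress.ip_network("0.0.0.0/0"): "upstream",             # default route
}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    iface: str  # interface the packet arrived on

def fib_lookup(addr):
    """Longest-prefix match; returns the interface the FIB would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = max((n for n in FIB if ip in n), key=lambda n: n.prefixlen)
    return FIB[best]

def urpf_strict(pkt):
    """BCP38 strict uRPF: accept only if the route back to the source points at the ingress interface.
    This drops the dialup-address-over-broadband trick from the original post, and also drops
    packets arriving from upstream that claim one of our own customer addresses."""
    return fib_lookup(pkt.src) == pkt.iface

def smtp_policy(pkt):
    """Port 25 in both directions on customer-facing interfaces:
    - outbound TCP/25 from customers is dropped (the classic port-25 block);
    - inbound TCP with source port 25 towards a customer is dropped, which kills the replies a
      recipient MTA sends back when a customer address was used via a tunnel to bypass the block."""
    if pkt.proto != "tcp":
        return True
    if pkt.iface.startswith("cust-") and pkt.dport == 25:
        return False
    if pkt.iface == "upstream" and pkt.sport == 25 and fib_lookup(pkt.dst).startswith("cust-"):
        return False
    return True

def forward(pkt):
    """Return 'forward' or the reason the edge drops the packet."""
    if not urpf_strict(pkt):
        return "drop:urpf"
    if not smtp_policy(pkt):
        return "drop:smtp-policy"
    return "forward"
```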
On Thu, Mar 9, 2023 at 4:19 PM Christopher Munz-Michielin <christopher@ve7alb.ca> wrote:
Not this exact scenario, but what we see a lot of in my VPS company is people sending spam by using our VPS' source addresses, but routing outbound via some kind of tunnel to a VPN provider or similar in order to bypass our port 25 blocks.
We've had to start blocking source port 25 to catch the replies from the recipient mail servers in order to prevent this kind of abuse.
commodity 'ip access' really is all the same (dial, dsl, cable, vpc) to folk that do this sort of thing :(
On 3/9/23 2:19 PM, Christopher Munz-Michielin wrote:
Not this exact scenario, but what we see a lot of in my VPS company is people sending spam by using our VPS' source addresses, but routing outbound via some kind of tunnel to a VPN provider or similar in order to bypass our port 25 blocks.
I'd be curious what VPN providers they are using so that I could start blocking them. That seems like another player in the criminal support ecosystem.
We've had to start blocking source port 25 to catch the replies from the recipient mail servers in order to prevent this kind of abuse.
Interesting.

--
Grant. . . .
unix || die
On Thu, Mar 9, 2023 at 4:05 PM Grant Taylor via NANOG <nanog@nanog.org> wrote:
On 3/9/23 2:19 PM, Christopher Munz-Michielin wrote:
Not this exact scenario, but what we see a lot of in my VPS company is people sending spam by using our VPS' source addresses, but routing outbound via some kind of tunnel to a VPN provider or similar in order to bypass our port 25 blocks.
I'd be curious what VPN providers they are using so that I could start blocking them. That seems like another player in the criminal support ecosystem.
If I had to put money on it, it's not VPN providers but other VPS providers. VPN providers don't have enough business that anyone cares about to avoid getting killed over BCP38 non-compliance.

It's trivial to turn a $5 VPS into a disposable VPN head-end that can spray TCP SYN packets at a modest rate, and once the packet is on the backbone somewhere in the world not only can't you do anything about it, it's just on the near side of impossible to figure out where it originally entered. Unless you want to start handing out BGP AS death penalties to entire "tier 1's" who don't instrument their reciprocal peering connections well enough for third parties to trace the source of spoofed packets. Which is 100% of everyone right now. That sort of instrumentation would be darn expensive.

Regards,
Bill Herrin

--
For hire. https://bill.herrin.us/resume/
On Thu, Mar 9, 2023 at 5:12 PM William Herrin <bill@herrin.us> wrote:
It's trivial to turn a $5 VPS into a disposable VPN head-end that can spray TCP SYN packets at a modest rate, and once the packet is on the backbone somewhere in the world not only can't you do anything about it, it's just on the near side of impossible to figure out where it originally entered.
Come to think of it, there are probably botnets for rent where the "owner" has verified non-compliance with BCP38 and will arrange for X number of fresh machines spread across everywhere to VPN into your server and pass packets for you. Why not bring in a little extra cash while waiting for the next DDOS target? Particularly when the packets emitted are unlikely to be traceable to the bot.

Regards,
Bill Herrin

--
For hire. https://bill.herrin.us/resume/