Re: [spoofing-tf] Source Address Validation Architecture (SAVA), BOF proposal @ IETF
To: Pekka Savola pekkas@localhost
From: Rob Beverly rbeverly@localhost
Date: Thu, 14 Sep 2006 11:05:30 -0400
Cc: "Barry Greene (bgreene)" bgreene@localhost, Jaap Akkerhuis jaap@localhost, spoofing-tf@localhost, sava@localhost
On Thu, Sep 14, 2006 at 05:13:37PM +0300, Pekka Savola wrote:
> >Sure, but again, consider the recent DNS amplifier attacks and
> >filter circumvention attacks (using spoofing to send UCE).
> I'd be interested in seeing more references on the SPAM-spoofing. I
> assume you refer to hijacking an address space (possibly a bogon,
> possibly in use), sending spam, and switching the prefix continously.
> This is quite different than 'traditional' spoofing because above also
> requires propagation of false routing information instead of simply
> sending bogus packets.
Actually, I wasn't referring to prefix hijacking. Spammers like
to use botnets. To combat botnets, providers started filtering
outbound port 25 SYN to everywhere but the provider's MTA(s). To
combat these filtered hosts, spammers are now doing the following:
1. find a connection that allows spoofing (e.g. dialup). Assume
a host D is on that dialup and under control of spammer.
2. control a compromised host H on a network that filters outbound tcp 25 SYN
3. Use the dialup host D to send a SYN to a victim MTA with the source
address of H
4. D communicate the initial sequence number to H so that H can
properly ACK the incoming SYN-ACK (and complete the 3-way
There are other variations of such triangular routing (and attacks)
There have been a few conversations on NANOG about this; the first
one I can find readily is: