by ahofmann 604 days ago
How difficult would it be to hijack this attack by sending these packages to everyone, so that providers like Hetzner would get swamped with abuse emails? This way the attack would not work anymore. Either the honeypots would stop sending abuse emails, or the providers would filter those out.
3 comments

Or someone would figure out how to find who’s behind the spoofed requests, as those orgs have the resources to do so
I'm going to guess quite often these spoofed requests are coming from other nations that have little interest in playing nice on the global internet.
For sure, but orgs tracking abuse on the net like CF and the like have demonstrated the ability to identify nation state level actors
Why not make ISPs responsible for blocking any such traffic. In the end it must originate from someone's network. And really they also should know who their peering partners are and what traffic should be allowed from there.
You're describing BCP38, which is discussed in the article.
Which do you prefer?

Internet where you send a packet over the wire and the network takes it and delivers it per RFC. Basically OG Internet. Network of networks of more or less trusted peers.

Or an Internet where you need to requisition every connection/circuit to be provisioned before it is routed, which includes explaining why you need the service, and where any provider in the chain will deny you transit by default? You now must forge an intimate relationship with every middle box between you and the other endpoint. This process must be repeated by everyone on the network. Just operating as a middle box for someone else is now fraught with legal liability, as anything one of your transits ends up doing, you are now considered complicit in.

Both of these architectures of an Internet are equally valid and functional. The society that uses them however is completely different.

I prefer the former, warts and all, and lack of throat to throttle short of the asshat running the software on the other end, over the latter, because with the former at least, we're not creating power nexii to attract asshats to NetOps positions.

With the latter setup, sure, your spam problem has an ostensibly way higher barrier to entry in the form of having to create human trust networks, but the accretion of social power distinctly changes the culture of the net sector, attracting a type of personality that should never, ever be trusted to be given a yay/nay authority over other folks access to a network.

I don't think I understand your comment.

I don't see why verifying that an IP from your own subnet isn't claiming to be from outside it requires everything in your second paragraph.

> don't see why verifying that an IP from your own subnet isn't claiming to be from outside it requires everything in your second paragraph.

You're looking at this as a collective update of firewall rules, and content to stop there. I'm more concerned about what that gesture turns into once its significance percolates out to the public at large. Societies rearrange themselves around technical capabilities. Continue reasoning about how that constraint evolves into new obligations and legal precedents on the network operator, and you should eventually arrive at why I'm content to leave that particular bear unpoked.

It never stops at the technical. Ever.

Good comment. I looked up "nexii" out of curiosity, and it appears that "nexuses" is the appropriate plural, FYI.
What? This already exists and most ISPs already do it: BCP38.

They're only validating that the traffic they originate uses the IP addresses that they manage. So an ISP that has an interface with 100.0.0.1/24 makes sure that any ingress on that interface has source IP addresses in that range. If everyone does this, spoofing becomes impossible and there's no cooperation or whatever you described required.
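The per-interface source-address check that comment describes, as an added example (not code from any commenter): each customer-facing interface is mapped to the prefixes assigned to it, and a packet whose source falls outside its ingress interface's prefixes is dropped. The interface names, prefixes and packets below are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# BCP38 ingress table: prefixes a provider has assigned to each customer interface.
# Constructed sample values; the /24 mirrors the range used in the comment above.
INGRESS_PREFIXES = {
    "eth1": [ipaddress.ip_network("100.0.0.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/24"),
             ipaddress.ip_network("2001:db8:1::/48")],
}

@dataclass
class Packet:
    ingress_if: str   # interface the packet arrived on
    src: str          # claimed source address
    dst: str

def is_spoofed(pkt: Packet) -> bool:
    """True when the source address is not within the prefixes assigned
    to the interface the packet came in on (i.e. it fails BCP38)."""
    allowed = INGRESS_PREFIXES.get(pkt.ingress_if)
    if allowed is None:
        # No prefix assignment known for this interface: fail closed.
        return True
    src = ipaddress.ip_address(pkt.src)
    # ipaddress returns False for a v4 address tested against a v6 network,
    # so mixed-family entries in the table are safe.
    return not any(src in net for net in allowed)

def filter_ingress(packets):
    """Split packets into (forwarded, dropped) according to is_spoofed()."""
    forwarded, dropped = [], []
    for p in packets:
        (dropped if is_spoofed(p) else forwarded).append(p)
    return forwarded, dropped

# Constructed sample traffic arriving at the provider edge.
SAMPLE = [
    Packet("eth1", "100.0.0.7", "203.0.113.9"),        # legitimate customer source
    Packet("eth1", "192.0.2.44", "203.0.113.9"),       # spoofed: outside eth1's prefix
    Packet("eth2", "2001:db8:1::5", "2001:db8:2::1"),  # legitimate IPv6 source
    Packet("eth2", "100.0.0.7", "203.0.113.9"),        # spoofed: eth1's prefix on eth2
    Packet("eth9", "100.0.0.7", "203.0.113.9"),        # unmapped interface, dropped
]

if __name__ == "__main__":
    fwd, drp = filter_ingress(SAMPLE)
    for p in drp:
        print(f"drop {p.ingress_if} src={p.src} dst={p.dst}")
    for p in fwd:
        print(f"pass {p.ingress_if} src={p.src} dst={p.dst}")
```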

Probably easy, as long as you don't mind being on trial for violating something like CFAA.
Trivial to accomplish really.

Just acquire a few boxes that don't block spoofing outbound SYN packets and start spamming random IPs from random IPs with SYN packets.

It will generate a shitload of abuse emails and accomplish mostly nothing except fill up disk space with useless emails and such.