Unlikely, but possible. Large web hosts end up on the list from time to time, and a lot of innocent sites are blocked in the process. It's an incredibly difficult process to find out what site triggered the initial block and to get your IPs removed from the list.
Yes, they use IPs. They don't do URL-level filtering. They use IPs.
If carriers/ISPs monitored their networks better (or acted on abuse@ emails), their IPs wouldn't wind up on blocklists (either temporarily or permanently).
edit: That isn't to say they should be logging every packet... But if I work for XYZ Hosting Company and spin up a new VM, hand you the IP, and you turn the IP into a mini-shodan scanner... Is the hosting company at least a little responsible for what happens next?
Maybe they could, I don't know, filter out requests from certain malicious MAC addresses? Start dropping packets from the wrong IP address? Surely that would suffice, right?
Most of them do. Which the article fails to mention unfortunately. You not only need the tools, you also need to be in a network that allows you to forge sender IPs.
Filtering those has been advocated for a long time (BCP38), but unfortunately there are still networks that don't do it.
They don’t just block based on IP, they also do deep packet inspection so if you use say, the OpenVPN protocol without changes, it can be blocked even on a private server.
Determine the range of addresses used by the service and then you could use hardware and/or software (iptables, pf, etc.) packet filtering to only allow packets from those hosts.
I want to note that they themselves don't need to be operating those malicious devices; with the prevalence of dynamic IPs or NAT at ISPs, just being assigned a dynamic IP from the same block is enough to trigger any filter by IP.
Why don't ISPs block packets with a source IP originating outside their network? It would shut down attacks like this in an instant, and it would save them money on peering costs for floods of junk traffic.
Does it? I don't think you need to correlate packets, you could probably just block small packets that look like they have only part of the hostname. If they wanted to be slightly more selective, they could block small packets that have a partial hostname and have a prefix that is blocked.
In order for traffic to be open for any substantial time, the technique either has to stay hidden/unpopular or the traffic has to be hard to distinguish from normal traffic.
No, the only protection against that is to block all outgoing connections that aren't on a whitelist. Most servers I have work this way. It's annoying at times but lowers the risk of some shady software/library talking home to ~0%.
Hosts that negligently allow (do not implement technical measures to block) packets to be sent from an IP address not routed to the sender.
Ecatel is the big one here. I don't know what it will take for their upstreams to shut them down, but it needs to happen. Do that and many of these reflected attacks will stop.
Any responsible host filters all outgoing packets to limit them to <only IP addresses we own>.
For example, linode does this afaik.
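To make the egress-filtering idea from the comments above concrete, here is an added example (not code from any commenter or provider in this thread) of the BCP38 check a host would apply: a packet may leave toward the upstream only if its source address lies in a prefix the host actually owns. The prefixes, customer VM names and packets are constructed, and the nftables ruleset is rendered for a hypothetical upstream interface name.

```python
import ipaddress
from collections import Counter

# Constructed: address blocks a hypothetical hosting network legitimately originates from.
OWNED_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed packets as (customer VM, source, destination). A reflected attack shows up
# as a VM emitting packets whose source is the victim's address, not one of ours.
PACKETS = [
    ("vm-17", "203.0.113.7", "198.51.100.53"),
    ("vm-17", "192.0.2.10", "198.51.100.53"),
    ("vm-42", "2001:db8:1::5", "2001:db8:9::1"),
    ("vm-42", "2001:db8:ffff::5", "2001:db8:9::1"),
    ("vm-17", "192.0.2.10", "198.51.100.123"),
]


def is_valid_source(src, owned=OWNED_PREFIXES):
    """BCP38 egress test: True only if src falls inside a prefix we own."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in owned)


def filter_egress(packets=PACKETS, owned=OWNED_PREFIXES):
    """Split packets into forwarded and dropped; count drops per customer so the
    abuse desk can see which VM is spoofing instead of waiting for an abuse@ mail."""
    forwarded, dropped, spoofers = [], [], Counter()
    for customer, src, dst in packets:
        if is_valid_source(src, owned):
            forwarded.append((customer, src, dst))
        else:
            dropped.append((customer, src, dst))
            spoofers[customer] += 1
    return forwarded, dropped, spoofers


def nft_ruleset(owned=OWNED_PREFIXES, upstream="eth-upstream"):
    """Render the same policy as an nftables ruleset (hypothetical interface name):
    anything leaving via the upstream with a foreign source address is counted and dropped."""
    v4 = ", ".join(str(n) for n in owned if n.version == 4)
    v6 = ", ".join(str(n) for n in owned if n.version == 6)
    return "\n".join([
        "table inet bcp38 {",
        f"  set owned_v4 {{ type ipv4_addr; flags interval; elements = {{ {v4} }} }}",
        f"  set owned_v6 {{ type ipv6_addr; flags interval; elements = {{ {v6} }} }}",
        "  chain egress {",
        "    type filter hook forward priority 0; policy accept;",
        f'    oifname "{upstream}" ip saddr != @owned_v4 counter drop',
        f'    oifname "{upstream}" ip6 saddr != @owned_v6 counter drop',
        "  }",
        "}",
    ])
```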