On Thu, Nov 07, 2024 at 03:49:37PM -0300, gus wrote:
> I'm writing to share that the origin of the spoofed packets has been identified and successfully shut down today, thanks to the assistance from Andrew Morris at GreyNoise and anonymous contributors.
Yay. Thanks Gus, and especially thanks Andrew.
We should expect some more days of fallout, while mistaken abuse complaints are still being processed by various hosters. That is, if you get a complaint from your hoster tomorrow, be sure to check the timestamp before worrying that there is some new variant of the attack.
That said, everybody please do keep watch for some future variation of this attack. All the attack needs is a hosting provider that doesn't do egress filtering, i.e. that lets its users pretend to be anybody anywhere on the internet. Those hosting providers are supposed to be gone from the world decades ago, but well, the world is flawed in many ways and this isn't the worst of them. :) At least if it happens again soon, many people understand the attack now and they will be ready to track it down quickly again.
--Roger