Hello,
A while ago, there was an attack on TOR nodes abusing attack detection systems that send out abuse complaints before a TCP handshake has been completed, at which stage the address is still spoofable. See https://blog.torproject.org/defending-tor-mitigating-IP-spoofing/ for more details.
To mitigate future attacks like this, it might be helpful to add an indication of the protocol and connection state to XARF.
In some cases, this information can be derived from "Payload", but that is the kind of processing XARF should make unnecessary.
I propose adding either a field ConnectionState: "syn"/"established" or a field ConnectionEstablished: true/false.
Of course, bad complaint sources might not use this, but a bad source is easier to handle than a bad actor triggering multiple sources.
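To illustrate how a complaint receiver could consume the proposed field, here is an added example (not part of this proposal or of the XARF project) that triages constructed XARF-like reports: a source address is only treated as confirmed when the report says the TCP handshake completed, and reports that are silent on connection state fall back to manual review. The nesting under "Report" and every field name other than the proposed ConnectionState/ConnectionEstablished are assumptions.

```python
import json

# Constructed sample complaints in a XARF-like JSON shape. Only the proposed
# ConnectionState / ConnectionEstablished fields come from the proposal; the
# rest of the layout is assumed for this example.
SAMPLE_REPORTS = [
    '{"Report": {"SourceIp": "203.0.113.10", "Protocol": "tcp", "ConnectionState": "syn"}}',
    '{"Report": {"SourceIp": "203.0.113.11", "Protocol": "TCP", "ConnectionEstablished": true}}',
    '{"Report": {"SourceIp": "203.0.113.12", "Protocol": "udp"}}',
    '{"Report": {"SourceIp": "203.0.113.13", "Protocol": "tcp"}}',
]


def source_verified(report: dict):
    """True if SourceIp was confirmed by a completed TCP handshake,
    False if the address is still spoofable, None if the report does not say."""
    r = report.get("Report", report)
    proto = str(r.get("Protocol", "")).lower()
    if proto and proto != "tcp":
        # Connectionless protocols never confirm the source address.
        return False
    if "ConnectionEstablished" in r:
        return bool(r["ConnectionEstablished"])
    state = r.get("ConnectionState")
    if state == "established":
        return True
    if state == "syn":
        return False
    return None


def triage(raw: str) -> str:
    """Map one raw JSON complaint to an action for the receiving operator:
    'act' (source confirmed), 'hold' (spoofable, no automated action),
    'manual' (connection state not reported)."""
    verified = source_verified(json.loads(raw))
    if verified is True:
        return "act"
    if verified is False:
        return "hold"
    return "manual"


if __name__ == "__main__":
    for raw in SAMPLE_REPORTS:
        ip = json.loads(raw)["Report"]["SourceIp"]
        print(f"{ip}: {triage(raw)}")
```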