[129376] in North American Network Operators' Group


Re: ISP port blocking practice

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Fri Sep 3 16:12:42 2010

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
Date: Fri, 3 Sep 2010 20:11:49 +0000
In-Reply-To: <AANLkTi=Y2g=sw-KhLsHu4p4GP-URQ3aWDzZG2DmjJVWW@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Sep 3, 2010, at 10:23 PM, William Herrin wrote:

> Frankly, Zhiyun offers the first truly rational case I've personally seen for packet filtering based on the TCP source port.

While the paper is entertaining and novel, and reflects a lot of creativity and hard work on the part of the research team, it's doubtful that any serious spammer has ever sent spam this way.  I've certainly never run across it, nor do I know anyone else who has done so.

The lack of citations of documented cases in the footnotes, or indeed any projections or discussion of the postulated commonality of this technique, tends to support the above view, IMHO.

Spammers typically do business with botmasters, and those botmasters have thousands/tens of thousands/hundreds of thousands/millions of bots at their disposal.  The supposed economies of scale achieved by 'triangular spamming' (a better name would be something like 'bifurcated false-flag proxying', as spamming is just a use-case of the more generalized, though esoteric, technique described in the paper) are far outweighed by its operational complexity and the sheer volume of botnets available to pump out spam 24/7.

The supposed performance benefits described in the paper are likely considerably exaggerated, given the RTT and resultant latency of the return traffic via the remote proxy half.  The sheer economies of scale offered by conventional botnets greatly outweigh the benefits and caveats of the described technique.

The use of routers cracked via credential brute-forcing (no iACLs, no vty ACLs, no AAA, 'cisco/cisco') and configured with GRE tunnels and NAT, sometimes in conjunction with prefix-hijacking, is a more commonly-used spamming technique than that described in the paper.

There are a lot of really smart people engaged in all kinds of security-related research, and it's encouraging to see such talented folks thinking outside of the box.  In future, vetting of postulated scenarios with the operational community prior to embarking upon lengthy, resource-intensive research projects may be one way to ensure that subsequent efforts are even more tightly focused on more proximate threats, and can also help reduce the continued citation of canards such as attempts to overload such opaque, arbitrary, and unreliable metrics as TTL with more significance than they actually warrant.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

 	       Sell your computer and buy a guitar.
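Added example, not part of Dobbins' message or the NANOG archive: a small Python audit of an IOS-style running-config for the conditions his message names as the way these routers get cracked (no AAA, no vty ACL, default 'cisco/cisco' credentials) and for the payload he describes once they are cracked (a GRE tunnel alongside NAT). The two configs are constructed for this example; the parser handles only the plain header/indented-children layout of 'show running-config'; the finding names, the MGMT-HOSTS ACL, the addresses and the REDACTED secret placeholders are all assumptions of this example and do not come from the post.

```python
"""Audit an IOS-style config for the weaknesses named in the post.
Constructed sample configs; simplified 'show running-config' parsing.
"""
import re

# Constructed: a router left the way the post describes.
WEAK_CONFIG = """\
username cisco password 0 cisco
!
interface Tunnel0
 ip address 10.99.0.1 255.255.255.252
 ip nat inside
 tunnel destination 198.51.100.7
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
line vty 0 4
 login local
 transport input telnet ssh
end
"""

# Constructed: the same box with AAA, a vty ACL, SSH only and no default creds.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
username netops secret REDACTED
login block-for 120 attempts 3 within 60
!
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
end
"""

DEFAULT_CREDS = {("cisco", "cisco"), ("admin", "admin"), ("admin", "password")}
USER_RE = re.compile(r"username (\S+) (?:privilege \d+ )?(password|secret)(?: (\d))? (\S+)$")


def parse_blocks(config):
    """Split into (header, [indented children]) stanzas; drop '!' and blank lines."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(config):
    """Return finding tags (assumed names); an empty list means no check fired."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings = []

    if "aaa new-model" not in headers:
        findings.append("no-aaa")
    if not any(h.startswith("login block-for") for h in headers):
        findings.append("no-login-blocking")

    # 'password' with no type or type 0 is cleartext; 'secret' is hashed.
    for h in headers:
        m = USER_RE.match(h)
        if m and m.group(2) == "password" and m.group(3) in (None, "0"):
            user, value = m.group(1), m.group(4)
            findings.append(f"cleartext-password:{user}")
            if (user, value) in DEFAULT_CREDS:
                findings.append(f"default-credentials:{user}")

    for h, kids in blocks:
        if not h.startswith("line vty"):
            continue
        if not any(k.startswith("access-class") and k.endswith(" in") for k in kids):
            findings.append(f"vty-no-access-class:{h}")
        # Absent, 'telnet', 'telnet ssh' or 'all' all leave telnet reachable.
        if "transport input ssh" not in kids:
            findings.append(f"vty-telnet-or-unrestricted:{h}")

    # The post's payload: a GRE tunnel plus NAT. Compare against intended config.
    tunnels = [h for h in headers if h.startswith("interface Tunnel")]
    nat = [h for h in headers if h.startswith("ip nat ")] + \
          [h for h, kids in blocks if any(k.startswith("ip nat ") for k in kids)]
    if tunnels and nat:
        findings.append("gre-nat-relay-indicator")
    return findings
```

The tunnel-plus-NAT check is an indicator rather than a verdict: a router that is supposed to terminate tunnels and NAT will fire it too, so the useful comparison is against the config you meant to deploy, which is also where an unexpected `interface Tunnel` or `ip nat` line stands out.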
