[164927] in North American Network Operators' Group


Re: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not

daemon@ATHENA.MIT.EDU (Jared Mauch)
Sun Aug 11 11:10:49 2013

In-Reply-To: <87pptk5rbp.fsf@mid.deneb.enyo.de>
From: Jared Mauch <jared@puck.nether.net>
Date: Sun, 11 Aug 2013 11:08:46 -0400
To: Florian Weimer <fw@deneb.enyo.de>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

The incidence rate is too high for it to be multihomed hosts.

Let me know if you want to look at the raw data. Very interesting stuff.

Or just look for 8.8.8.8 in the openresolverproject page.

- Jared 

On Aug 11, 2013, at 8:45 AM, Florian Weimer <fw@deneb.enyo.de> wrote:

> * Jared Mauch:
> 
>> Number of unique IPs that spoofed a packet to me. (eg: I sent a
>> packet to 1.2.3.4 and 5.6.7.8 responded).
> 
> That's not necessarily proof of spoofing, is it?  The system in
> question might legitimately own IP addresses from very different
> networks.  If the system is a router and the service you're pinging is
> not correctly implemented and it picks up the IP address of the
> outgoing interface instead of the source address of the request,
> that's totally expected.
> 
> I'm not saying that BCP 38 is widely implemented (it's not, unless
> operators have configured exceptions for ICMP traffic from private
> addresses, which I very much doubt).  I just think you aren't actually
> measuring spoofing capabilities.

