[186366] in North American Network Operators' Group
Re: John McAfee: Massive DDoS attack on the internet was from
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Sat Dec 12 20:39:01 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <20151212224500.7AFB93F3B851@rock.dv.isc.org>
Date: Sat, 12 Dec 2015 20:38:57 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: nanog list <nanog@nanog.org>, Rich Kulawiec <rsk@gsp.org>
Errors-To: nanog-bounces@nanog.org
you all do realize you are debating a popular press article whose
single 'source' is a loon, right?
On Sat, Dec 12, 2015 at 5:45 PM, Mark Andrews <marka@isc.org> wrote:
>
> In message <20151212174220.GA4941@gsp.org>, Rich Kulawiec writes:
>> On Sat, Dec 12, 2015 at 09:23:47AM -0800, Jim Shankland wrote:
>> > Also, this jumped out at me:
>> >
>> > "The problem with the recent attack is that the originating IP
>> > addresses were evenly distributed within the IPV4 universe," McAfee
>> > says. "This is virtually impossible using spoofing."
>> >
>> > Am I missing something, or is an even distribution of originating IP
>> > addresses virtually impossible *without* using spoofing?
>>
>> I think it's quite doable using botnets. I routinely log attacks/abuse
>> that are clearly coordinated, yet originate from very diverse sources.
>
> "very diverse sources" does not imply "even distribution". If they
> are not spoofed addresses you would expect to see hot and cool spots
> on a heat map of IPv4 space.
>
> If they are spoofed addresses and there is a uniform random number
> generator used then you would expect to see a uniform heat map.
>
> Given the way some individual root nodes operate it is blindingly
> easy to see spoofed traffic as many of them don't service the entire
> Internet normally. Routing delivers traffic from particular subsets
> to particular nodes. Each node services a part of the Internet and
> only receives traffic from that part. If you see the whole Internet
> when you normally only see a subset of the Internet at this node
> then the traffic is spoofed. If you see traffic only from the usual
> sources at the node then the traffic is not spoofed.
>
> Now I don't know what was actually seen as the only information
> I've seen is what has been publicly released.
>
> Mark
>
>> ---rsk
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
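As an added illustration, not part of the thread or of any ISC tooling, here are Mark Andrews' two heuristics in code: a coarse /8 "heat map" whose flatness points to a uniform random spoofing source, and the share of sources falling outside the prefixes a given anycast node normally serves. The catchment prefixes, thresholds and sample traffic are constructed assumptions.

```python
import ipaddress
import math
import random
from collections import Counter

def slash8_histogram(sources):
    """Count observed source addresses per /8: a coarse heat map of IPv4 space."""
    counts = Counter()
    for ip in sources:
        counts[int(ipaddress.IPv4Address(ip)) >> 24] += 1
    return counts

def uniformity(counts, nbuckets=256):
    """Normalised Shannon entropy of the histogram: 1.0 is a flat heat map,
    values well below 1.0 mean hot and cool spots (the botnet case)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return h / math.log2(nbuckets)

def fraction_outside_catchment(sources, catchment):
    """Share of sources not covered by the prefixes this node normally sees."""
    if not sources:
        return 0.0
    nets = [ipaddress.ip_network(p) for p in catchment]
    outside = sum(1 for ip in sources
                  if not any(ipaddress.IPv4Address(ip) in n for n in nets))
    return outside / len(sources)

def assess(sources, catchment, uniform_min=0.9, outside_max=0.5):
    """Flag a sample as likely spoofed when the heat map is near-flat AND most
    sources lie outside the node's usual catchment. Thresholds are assumed."""
    score = uniformity(slash8_histogram(sources))
    outside = fraction_outside_catchment(sources, catchment)
    return {"uniformity": round(score, 3), "outside": round(outside, 3),
            "likely_spoofed": score >= uniform_min and outside > outside_max}

# Constructed sample data (documentation prefixes, seeded PRNG), not real captures.
CATCHMENT = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

def constructed_normal_sources(n=2000, seed=1):
    rng = random.Random(seed)
    nets = [ipaddress.ip_network(p) for p in CATCHMENT]
    return [str(rng.choice(nets)[rng.randrange(256)]) for _ in range(n)]

def constructed_spoofed_sources(n=2000, seed=2):
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(n)]

if __name__ == "__main__":
    print("normal :", assess(constructed_normal_sources(), CATCHMENT))
    print("spoofed:", assess(constructed_spoofed_sources(), CATCHMENT))
```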