[186372] in North American Network Operators' Group


Re: John McAfee: Massive DDoS attack on the internet was from

daemon@ATHENA.MIT.EDU (Tony Finch)
Mon Dec 14 05:26:49 2015

X-Original-To: nanog@nanog.org
Date: Mon, 14 Dec 2015 10:26:43 +0000
From: Tony Finch <dot@dotat.at>
To: Jim Shankland <nanog@shankland.org>
In-Reply-To: <566C5823.8010707@shankland.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Jim Shankland <nanog@shankland.org> wrote:

> Also, this jumped out at me:
>
> "The problem with the recent attack is that the originating IP addresses were
> evenly distributed within the IPV4 universe," McAfee says. "This is virtually
> impossible using spoofing."
>
> Am I missing something, or is an even distribution of originating IP addresses
> virtually impossible *without* using spoofing?

You are correct and McAfee is confused.

http://root-servers.org/news/events-of-20151130.txt

   DNS root name servers that use IP anycast observed this
   traffic at a significant number of anycast sites.

This implies that the botnet was widely distributed.

   The source addresses of these particular queries appear to be
   randomized and distributed throughout the IPv4 address space.

This says the attackers also used spoofing.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Rockall, Malin, Hebrides, Bailey: East 5 to 7, occasionally gale 8 in Rockall.
Moderate or rough, occasionally very rough in Rockall. Occasional rain. Good,
occasionally poor.
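
Added example, not part of the message above or of the root-servers.org report: a check a DNS operator could run over logged query sources to tell randomized (spoofed) sources from real hosts, using the share that falls in special-use space and how flat the per-/8 counts are. Assumptions: the function names are hypothetical, `SPECIAL_USE` is an abridged list of special-use blocks, and both samples are constructed rather than taken from the event.

```python
import ipaddress
import random

# Abridged special-use IPv4 blocks (RFC 6890 and related); nothing on the
# public internet legitimately sends queries from these.
SPECIAL_USE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def special_use_share_if_uniform():
    """Fraction of the 32-bit space covered by SPECIAL_USE (about 13.8%)."""
    return sum(n.num_addresses for n in SPECIAL_USE) / 2**32


def source_distribution(sources):
    """Return (share of sources in special-use space, chi-square of /8 counts).

    The chi-square statistic compares the per-/8 counts with a flat
    distribution (255 degrees of freedom, so about 255 when sources are
    uniformly random and far larger when they cluster like real hosts).
    """
    per_slash8 = [0] * 256
    special = 0
    for s in sources:
        ip = ipaddress.ip_address(s)
        per_slash8[int(ip) >> 24] += 1
        special += any(ip in net for net in SPECIAL_USE)
    expected = len(sources) / 256
    chi2 = sum((c - expected) ** 2 / expected for c in per_slash8)
    return special / len(sources), chi2


def constructed_samples(n=20000, seed=1):
    """Two constructed samples: uniformly random sources, and clustered ones."""
    rng = random.Random(seed)
    uniform = [str(ipaddress.ip_address(rng.getrandbits(32))) for _ in range(n)]
    # Clustered stand-in for real hosts, drawn from documentation prefixes.
    docs = ("192.0.2.", "198.51.100.", "203.0.113.")
    clustered = [rng.choice(docs) + str(rng.randrange(1, 255)) for _ in range(n)]
    return uniform, clustered


if __name__ == "__main__":
    for name, sample in zip(("uniform", "clustered"), constructed_samples()):
        share, chi2 = source_distribution(sample)
        print(f"{name}: special-use share {share:.3f}, chi-square {chi2:.0f}")
```

A source set whose special-use share sits near the uniform figure and whose chi-square is close to 255 matches the "randomized and distributed throughout the IPv4 address space" pattern the report describes.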
