[191687] in North American Network Operators' Group


Re: Krebs on Security booted off Akamai network after DDoS attack

daemon@ATHENA.MIT.EDU (John R. Levine)
Sun Sep 25 17:01:58 2016

X-Original-To: nanog@nanog.org
Date: 25 Sep 2016 17:01:55 -0400
From: "John R. Levine" <johnl@iecc.com>
To: "Ca By" <cb.list6@gmail.com>
In-Reply-To: <CAD6AjGSTDgGAe0QeFG+2H_fzpW2Xq9phoBi4T4FeBCZLXsQZnA@mail.gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

> https://www.internetsociety.org/sites/default/files/01_5.pdf
>
> The attack is triggered by a few spoofs somewhere in the world. It is not
> feasible to stop this.

That paper is about reflection attacks.  From what I've read, this was not 
a reflection attack.  The IoT devices are infected with botware which 
sends attack traffic directly.  Address spoofing is not particularly 
useful for controlling botnets.  For example, the Conficker botnet 
generated pseudo-random domain names where the bots looked for control 
traffic.

> Please see https://www.ietf.org/rfc/rfc6561.txt

Uh, yes, we're familiar with that.  We even know the people who wrote it. 
It could use an update for IoT since I get the impression that in many 
cases the only way for a nontechnical user to fix the infection is to 
throw the device away.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
