[191757] in North American Network Operators' Group


Re: Krebs on Security booted off Akamai network after DDoS attack

daemon@ATHENA.MIT.EDU (Mark Andrews)
Mon Sep 26 19:12:05 2016

X-Original-To: nanog@nanog.org
To: "John Levine" <johnl@iecc.com>
From: Mark Andrews <marka@isc.org>
In-reply-to: Your message of "26 Sep 2016 15:56:49 +0000."
 <20160926155649.14061.qmail@ary.lan>
Date: Tue, 27 Sep 2016 09:09:46 +1000
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


In message <20160926155649.14061.qmail@ary.lan>, "John Levine" writes:
> >>That paper is about reflection attacks.  From what I've read, this was 
> >>not a reflection attack.  The IoT devices are infected with botware 
> >>which sends attack traffic directly.  Address spoofing is not particularly 
> >>useful for controlling botnets.  
> >
> >But that's not the only remaining use of source address spoofing in direct 
> >attacks, no?  Even if reflection and amplification are not used, spoofing 
> >can still be used for obfuscation.
> 
> I agree that it would be nice if more networks did ingress filtering,
> but if you're expecting a major decrease in evil, you will be
> disappointed.
> 
> At this point it's mostly useful for identifying the guilty or
> negligent parties afterwards.
> 
> R's,
> John

Actually for ISPs that do it, it can become a source of intelligence
on where the compromised / misconfigured machines are.  A good ISP
would be informing their customers that they are seeing anomalous
traffic.

With IPv6 there is likely to be more of this traffic visible as
home NATs won't be masking it.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
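
Added example, not part of the original message or thread: a sketch of how source addresses rejected by ingress filtering can be tallied per customer port to find the compromised or misconfigured machines mentioned above. The port names, prefix assignments and records are constructed sample data using documentation address ranges, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: customer port -> prefixes assigned to that customer.
ASSIGNED = {
    "cust-a": ["192.0.2.0/28", "2001:db8:a::/48"],
    "cust-b": ["192.0.2.16/28", "2001:db8:b::/48"],
}

# Constructed ingress records: (customer port, source address of a packet).
RECORDS = [
    ("cust-a", "192.0.2.5"),         # inside cust-a's IPv4 assignment
    ("cust-a", "203.0.113.77"),      # outside: would be dropped by the filter
    ("cust-a", "198.51.100.9"),      # outside
    ("cust-a", "2001:db8:a::10"),    # inside cust-a's IPv6 assignment
    ("cust-b", "192.0.2.20"),        # inside cust-b's IPv4 assignment
    ("cust-b", "2001:db8:ffff::1"),  # outside, visible per host without NAT
    ("cust-b", "192.0.2.5"),         # cust-a's address seen on cust-b's port
    ("cust-c", "192.0.2.40"),        # port with no assignment on record
]


def is_legitimate(table, port, src):
    """True if src falls inside a prefix assigned to the port it arrived on."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net in table.get(port, []))


def spoof_report(assigned, records):
    """Count packets and distinct sources outside each port's assignment."""
    table = {port: [ipaddress.ip_network(p) for p in prefixes]
             for port, prefixes in assigned.items()}
    report = defaultdict(lambda: {"packets": 0, "sources": set()})
    for port, src in records:
        if not is_legitimate(table, port, src):
            report[port]["packets"] += 1
            report[port]["sources"].add(src)
    return dict(report)


def notify_order(report):
    """Ports to contact first: most rejected packets, then by name."""
    return sorted(report, key=lambda p: (-report[p]["packets"], p))


if __name__ == "__main__":
    rep = spoof_report(ASSIGNED, RECORDS)
    for port in notify_order(rep):
        print(port, rep[port]["packets"], sorted(rep[port]["sources"]))
```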
