nanog mailing list archives
Re: John McAfee: Massive DDoS attack on the internet was from smartphone botnet on popular app
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Sat, 12 Dec 2015 20:38:57 -0500
you all do realize you are debating a popular press article whose single 'source' is a loon, right?

On Sat, Dec 12, 2015 at 5:45 PM, Mark Andrews <marka () isc org> wrote:
> In message <20151212174220.GA4941 () gsp org>, Rich Kulawiec writes:
>> On Sat, Dec 12, 2015 at 09:23:47AM -0800, Jim Shankland wrote:
>>> Also, this jumped out at me:
>>>
>>> "The problem with the recent attack is that the originating IP addresses were evenly distributed within the IPV4 universe," McAfee says. "This is virtually impossible using spoofing."
>>>
>>> Am I missing something, or is an even distribution of originating IP addresses virtually impossible *without* using spoofing?
>>
>> I think it's quite doable using botnets. I routinely log attacks/abuse that are clearly coordinated, yet originate from very diverse sources.
>
> "very diverse sources" does not imply "even distribution".
>
> If they are not spoofed addresses you would expect to see hot and cool spots on a heat map of IPv4 space. If they are spoofed addresses and there is a uniform random number generator used then you would expect to see a uniform heat map.
>
> Given the way some individual root nodes operate it is blindingly easy to see spoofed traffic as many of them don't service the entire Internet normally. Routing delivers traffic from particular subsets to particular nodes. Each node services a part of the Internet and only receives traffic from that part.
>
> If you see the whole Internet when you normally only see a subset of the Internet at this node then the traffic is spoofed. If you see traffic only from the usual sources at the node then the traffic is not spoofed.
>
> Now I don't know what was actually seen as the only information I've seen is what has been publicly released.
>
> Mark
>
>> ---rsk
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka () isc org
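The two checks described in the quoted message (how evenly the sources spread over IPv4 space, and whether a node sees sources from outside the part of the Internet it normally serves), as an added example that is not part of the original thread. The /8 bucketing, the chi-square score, the function names and the sample prefixes are assumptions chosen for illustration, and the sample addresses are constructed.

```python
import ipaddress
import random
from collections import Counter

def slash8_histogram(addrs):
    """Sources per /8 (first octet): one coarse row of an IPv4 heat map."""
    return Counter(int(ipaddress.IPv4Address(a)) >> 24 for a in addrs)

def uniformity_score(addrs):
    """Chi-square against an even spread over all 256 /8s, per degree of freedom.
    Near 1.0 fits a uniform random generator; far above 1.0 means hot and cool spots."""
    hist = slash8_histogram(addrs)
    expected = len(addrs) / 256
    chi2 = sum((hist.get(b, 0) - expected) ** 2 / expected for b in range(256))
    return chi2 / 255

def outside_catchment(addrs, catchment):
    """Fraction of sources that fall outside the prefixes this node normally serves."""
    nets = [ipaddress.ip_network(p) for p in catchment]
    outside = sum(1 for a in addrs
                  if not any(ipaddress.ip_address(a) in n for n in nets))
    return outside / len(addrs)

# Constructed sample data (not from any real capture).
CATCHMENT = ["100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16"]  # hypothetical

def sample_uniform(n, seed=1):
    """Sources drawn by a uniform random generator over the whole 32-bit space."""
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(n)]

def sample_clustered(n, seed=2):
    """Sources drawn only from the node's usual prefixes."""
    rng = random.Random(seed)
    nets = [ipaddress.ip_network(p) for p in CATCHMENT]
    picks = (rng.choice(nets) for _ in range(n))
    return [str(net.network_address + rng.randrange(net.num_addresses)) for net in picks]

if __name__ == "__main__":
    for name, src in (("uniform", sample_uniform(10000)),
                      ("clustered", sample_clustered(10000))):
        print(name, round(uniformity_score(src), 2),
              round(outside_catchment(src, CATCHMENT), 4))
```

A score near 1.0 together with a high outside-catchment fraction matches the spoofed case described in the message; a high score with sources confined to the usual prefixes matches the non-spoofed case.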