[c-nsp] DNS amplification
Jimmy Hess
mysidia at gmail.com
Mon Mar 18 02:04:26 UTC 2013
On 3/17/13, Jon Lewis <jlewis at lewis.org> wrote:
> On Sun, 17 Mar 2013, Arturo Servin wrote:
> You'd have to get access (cloud VM, dedicated server, etc.) on each
> network and see if you can successfully get spoofed packets out to
> another network.
If you have packet data about a sufficient number of different kinds
of attacks per source network over a long period of time, at a
specific attack/normal traffic sensor; you might be able to infer
some information about which networks prevent spoofing, through a
difference in the kind of attacks shown to be originating from all the
networks.
If spoofing is preferred, or used by other nodes involved in a
particular attack, the networks that are concentrated sources of
non-spoofing attack packets most likely, are places where spoofing
prevention could be present -- and have altered attacker behavior.
Possibly the presence of spoofed packets may be suggested by a sudden
drastic difference in the average TTL versus legitimate traffic for a
particular source network for packets with a particular source IP,
correlated with the attack VS the remaining packet TTLs normally
observed for legitimate traffic from that network.
If you have a sufficiently massive number of traffic sensors, and
massive data gathering infrastructure, close enough to the attacks,
it may be possible to analyze the microsecond-level timing of packets,
and the time sequence/order they arrive at various sensors
(milliseconds delay/propagation rate of attacker nodes initiating),
in order to provide a probability that spoofed packets came from
certain networks.
Then at that point, you might make some guesses about which networks
implement BCP38
--
-JH
More information about the NANOG
mailing list