John McAfee: Massive DDoS attack on the internet was from smartphone botnet on popular app

Mark Andrews marka at
Sat Dec 12 22:45:00 UTC 2015

In message <20151212174220.GA4941 at>, Rich Kulawiec writes:
> On Sat, Dec 12, 2015 at 09:23:47AM -0800, Jim Shankland wrote:
> > Also, this jumped out at me:
> > 
> > "The problem with the recent attack is that the originating IP
> > addresses were evenly distributed within the IPV4 universe," McAfee
> > says. "This is virtually impossible using spoofing."
> > 
> > Am I missing something, or is an even distribution of originating IP
> > addresses virtually impossible *without* using spoofing?
> I think it's quite doable using botnets.  I routinely log attacks/abuse 
> that are clearly coordinated, yet originate from very diverse sources.

"very diverse sources" does not imply "even distribution".  If they
are not spoofed addresses you would expect to see hot and cool spots
on a heat map of IPv4 space.

If they are spoofed addresses and there is a uniform random number
generator used then you would expect to see a uniform heat map.

Given the way some individual root nodes operate it is blindingly
easy to see spoofed traffic as many of them don't service the entire
Internet normally.  Routing delivers traffic from particular subsets
to particular nodes.  Each node services a part of the Internet and
only receives taffic from that part.  If you see the whole Internet
when you normally only see a subset of the Internet at this node
then the traffic is spoofed.  If you see traffic only from the usual
sources at the node then the traffic is not spoofed.

Now I don't know what was actually seen as the only information
I've seen is what has been publically released.


> ---rsk
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the NANOG mailing list