John McAfee: Massive DDoS attack on the internet was from smartphone botnet on popular app

Christopher Morrow morrowc.lists at
Sun Dec 13 01:38:57 UTC 2015

you all do realize you are debating a popular press article who's
single 'source' is a loon, right?

On Sat, Dec 12, 2015 at 5:45 PM, Mark Andrews <marka at> wrote:
> In message <20151212174220.GA4941 at>, Rich Kulawiec writes:
>> On Sat, Dec 12, 2015 at 09:23:47AM -0800, Jim Shankland wrote:
>> > Also, this jumped out at me:
>> >
>> > "The problem with the recent attack is that the originating IP
>> > addresses were evenly distributed within the IPV4 universe," McAfee
>> > says. "This is virtually impossible using spoofing."
>> >
>> > Am I missing something, or is an even distribution of originating IP
>> > addresses virtually impossible *without* using spoofing?
>> I think it's quite doable using botnets.  I routinely log attacks/abuse
>> that are clearly coordinated, yet originate from very diverse sources.
> "very diverse sources" does not imply "even distribution".  If they
> are not spoofed addresses you would expect to see hot and cool spots
> on a heat map of IPv4 space.
> If they are spoofed addresses and there is a uniform random number
> generator used then you would expect to see a uniform heat map.
> Given the way some individual root nodes operate it is blindingly
> easy to see spoofed traffic as many of them don't service the entire
> Internet normally.  Routing delivers traffic from particular subsets
> to particular nodes.  Each node services a part of the Internet and
> only receives taffic from that part.  If you see the whole Internet
> when you normally only see a subset of the Internet at this node
> then the traffic is spoofed.  If you see traffic only from the usual
> sources at the node then the traffic is not spoofed.
> Now I don't know what was actually seen as the only information
> I've seen is what has been publically released.
> Mark
>> ---rsk
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at

More information about the NANOG mailing list