John McAfee: Massive DDoS attack on the internet was from smartphone botnet on popular app
morrowc.lists at gmail.com
Sun Dec 13 01:38:57 UTC 2015
you all do realize you are debating a popular press article whose
single 'source' is a loon, right?
On Sat, Dec 12, 2015 at 5:45 PM, Mark Andrews <marka at isc.org> wrote:
> In message <20151212174220.GA4941 at gsp.org>, Rich Kulawiec writes:
>> On Sat, Dec 12, 2015 at 09:23:47AM -0800, Jim Shankland wrote:
>> > Also, this jumped out at me:
>> > "The problem with the recent attack is that the originating IP
>> > addresses were evenly distributed within the IPV4 universe," McAfee
>> > says. "This is virtually impossible using spoofing."
>> > Am I missing something, or is an even distribution of originating IP
>> > addresses virtually impossible *without* using spoofing?
>> I think it's quite doable using botnets. I routinely log attacks/abuse
>> that are clearly coordinated, yet originate from very diverse sources.
> "very diverse sources" does not imply "even distribution". If they
> are not spoofed addresses you would expect to see hot and cool spots
> on a heat map of IPv4 space.
> If they are spoofed addresses and there is a uniform random number
> generator used then you would expect to see a uniform heat map.
> Given the way some individual root nodes operate it is blindingly
> easy to see spoofed traffic as many of them don't service the entire
> Internet normally. Routing delivers traffic from particular subsets
> to particular nodes. Each node services a part of the Internet and
> only receives traffic from that part. If you see the whole Internet
> when you normally only see a subset of the Internet at this node
> then the traffic is spoofed. If you see traffic only from the usual
> sources at the node then the traffic is not spoofed.
> Now I don't know what was actually seen as the only information
> I've seen is what has been publicly released.
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
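
The two checks described in Mark Andrews's quoted message (a flat heat map of IPv4 source space, and sources arriving from outside a node's usual catchment), as an added Python example that is not part of the thread or any poster's code. The baseline /8 set, both thresholds and the sample traffic are constructed assumptions.

```python
import random
from collections import Counter

# Constructed baseline: the /8 blocks this hypothetical anycast node normally hears from.
BASELINE_SLASH8 = {24, 50, 66, 68, 71, 73, 98, 174}

def slash8_counts(addrs):
    """One heat-map cell per /8: count sources by first octet (addrs are 32-bit ints)."""
    return Counter(a >> 24 for a in addrs)

def chi_square_uniform(counts, cells=256):
    """Pearson chi-square of the heat map against a perfectly flat one."""
    expected = sum(counts.values()) / cells
    return sum((counts.get(c, 0) - expected) ** 2 / expected for c in range(cells))

def outside_fraction(counts, baseline):
    """Share of packets whose source /8 this node does not normally serve."""
    total = sum(counts.values())
    return sum(n for c, n in counts.items() if c not in baseline) / total

def assess(addrs, baseline=BASELINE_SLASH8, chi_limit=330.0, outside_limit=0.5):
    """Both thresholds are assumptions: 330 is roughly the 99.9th percentile of
    chi-square with 255 degrees of freedom; 0.5 is an arbitrary cut-off."""
    counts = slash8_counts(addrs)
    chi = chi_square_uniform(counts)
    outside = outside_fraction(counts, baseline)
    return {"chi_square": chi, "uniform_heatmap": chi < chi_limit,
            "outside_fraction": outside, "beyond_catchment": outside > outside_limit}

def sample_uniform(n, seed):
    """Constructed sample: sources drawn from a uniform random number generator."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]

def sample_catchment(n, seed):
    """Constructed sample: real sources, skewed towards a few baseline /8s."""
    rng = random.Random(seed)
    octets = sorted(BASELINE_SLASH8)
    weights = [40, 20, 12, 10, 8, 5, 3, 2]  # hot and cool spots
    return [(rng.choices(octets, weights)[0] << 24) | rng.getrandbits(24)
            for _ in range(n)]

if __name__ == "__main__":
    for name, addrs in (("uniform", sample_uniform(20000, 1)),
                        ("catchment", sample_catchment(20000, 2))):
        print(name, assess(addrs))
```

A real deployment would build the baseline from the node's own historical query logs and at a finer granularity than /8.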