In message <20151212174220.ga4...@gsp.org>, Rich Kulawiec writes: > On Sat, Dec 12, 2015 at 09:23:47AM -0800, Jim Shankland wrote: > > Also, this jumped out at me: > > > > "The problem with the recent attack is that the originating IP > > addresses were evenly distributed within the IPV4 universe," McAfee > > says. "This is virtually impossible using spoofing." > > > > Am I missing something, or is an even distribution of originating IP > > addresses virtually impossible *without* using spoofing? > > I think it's quite doable using botnets. I routinely log attacks/abuse > that are clearly coordinated, yet originate from very diverse sources.
"very diverse sources" does not imply "even distribution". If they are not spoofed addresses you would expect to see hot and cool spots on a heat map of IPv4 space. If they are spoofed addresses and there is a uniform random number generator used then you would expect to see a uniform heat map. Given the way some individual root nodes operate it is blindingly easy to see spoofed traffic as many of them don't service the entire Internet normally. Routing delivers traffic from particular subsets to particular nodes. Each node services a part of the Internet and only receives taffic from that part. If you see the whole Internet when you normally only see a subset of the Internet at this node then the traffic is spoofed. If you see traffic only from the usual sources at the node then the traffic is not spoofed. Now I don't know what was actually seen as the only information I've seen is what has been publically released. Mark > ---rsk -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
