On 3/17/13, Jon Lewis <jle...@lewis.org> wrote:
> On Sun, 17 Mar 2013, Arturo Servin wrote:

> You'd have to get access (cloud VM, dedicated server, etc.) on each
> network and see if you can successfully get spoofed packets out to
> another network.

If you have packet data about a sufficient number of different kinds of attacks per source network over a long period of time, at a specific attack/normal traffic sensor, you might be able to infer some information about which networks prevent spoofing, through a difference in the kind of attacks shown to be originating from all the networks.

If spoofing is preferred, or used by other nodes involved in a particular attack, the networks that are concentrated sources of non-spoofing attack packets are most likely places where spoofing prevention could be present -- and have altered attacker behavior.

Possibly the presence of spoofed packets may be suggested by a sudden drastic difference in the average TTL versus legitimate traffic for a particular source network for packets with a particular source IP, correlated with the attack, vs. the remaining packet TTLs normally observed for legitimate traffic from that network.

If you have a sufficiently massive number of traffic sensors, and massive data gathering infrastructure, close enough to the attacks, it may be possible to analyze the microsecond-level timing of packets, and the time sequence/order they arrive at various sensors (milliseconds delay/propagation rate of attacker nodes initiating), in order to provide a probability that spoofed packets came from certain networks. Then at that point, you might make some guesses about which networks implement BCP38.

--
-JH
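As an added illustration of the TTL heuristic described in the reply above (this is example code, not anything posted in the thread), the script below takes a constructed set of sensor records and two example prefixes, compares each source prefix's attack-window TTLs against the TTLs normally seen from that prefix, and flags prefixes where the gap is large enough to suggest the attack packets did not take that prefix's usual path:

```python
# Added illustration (not from the thread): flag source prefixes whose attack-time
# TTLs deviate sharply from the TTLs normally observed from that prefix.
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed sample sensor records: (source_ip, ttl, seen_during_attack)
RECORDS = [
    ("192.0.2.10", 54, False), ("192.0.2.11", 53, False), ("192.0.2.12", 54, False),
    ("192.0.2.20", 53, True),  ("192.0.2.21", 54, True),  ("192.0.2.22", 53, True),
    ("198.51.100.5", 118, False), ("198.51.100.6", 119, False), ("198.51.100.7", 118, False),
    ("198.51.100.9", 44, True),   ("198.51.100.8", 45, True),   ("198.51.100.3", 43, True),
]
# Constructed example prefixes (documentation ranges, not real networks)
PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]

def prefix_of(ip, prefixes):
    """Return the prefix (as a string) containing ip, or None if no prefix matches."""
    addr = ip_address(ip)
    for net in prefixes:
        if addr in net:
            return str(net)
    return None

def ttl_profile(records, prefixes):
    """Per prefix: (mean baseline TTL, mean attack-window TTL); None if a window is empty."""
    buckets = {str(n): {"base": [], "attack": []} for n in prefixes}
    for ip, ttl, during_attack in records:
        net = prefix_of(ip, prefixes)
        if net is None:
            continue
        buckets[net]["attack" if during_attack else "base"].append(ttl)
    return {
        net: (mean(b["base"]) if b["base"] else None,
              mean(b["attack"]) if b["attack"] else None)
        for net, b in buckets.items()
    }

def spoofing_suspects(records, prefixes, threshold=8):
    """Prefixes whose attack-window mean TTL differs from baseline by >= threshold hops.
    A large gap suggests the attack packets did not traverse the path that traffic
    from that prefix normally takes, i.e. the claimed source may be spoofed."""
    suspects = []
    for net, (base, attack) in ttl_profile(records, prefixes).items():
        if base is not None and attack is not None and abs(base - attack) >= threshold:
            suspects.append(net)
    return suspects

if __name__ == "__main__":
    print(ttl_profile(RECORDS, PREFIXES))
    print("suspected spoofed sources:", spoofing_suspects(RECORDS, PREFIXES))
```

The threshold is a tunable guess; with real sensor data the baseline should come from a long observation window per prefix, as the reply suggests.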