You all do realize you are debating a popular press article whose single 'source' is a loon, right?
On Sat, Dec 12, 2015 at 5:45 PM, Mark Andrews <ma...@isc.org> wrote:
>
> In message <20151212174220.ga4...@gsp.org>, Rich Kulawiec writes:
>> On Sat, Dec 12, 2015 at 09:23:47AM -0800, Jim Shankland wrote:
>> > Also, this jumped out at me:
>> >
>> > "The problem with the recent attack is that the originating IP
>> > addresses were evenly distributed within the IPV4 universe," McAfee
>> > says. "This is virtually impossible using spoofing."
>> >
>> > Am I missing something, or is an even distribution of originating IP
>> > addresses virtually impossible *without* using spoofing?
>>
>> I think it's quite doable using botnets. I routinely log attacks/abuse
>> that are clearly coordinated, yet originate from very diverse sources.
>
> "very diverse sources" does not imply "even distribution". If they
> are not spoofed addresses you would expect to see hot and cool spots
> on a heat map of IPv4 space.
>
> If they are spoofed addresses and there is a uniform random number
> generator used then you would expect to see a uniform heat map.
>
> Given the way some individual root nodes operate it is blindingly
> easy to see spoofed traffic as many of them don't service the entire
> Internet normally. Routing delivers traffic from particular subsets
> to particular nodes. Each node services a part of the Internet and
> only receives traffic from that part. If you see the whole Internet
> when you normally only see a subset of the Internet at this node
> then the traffic is spoofed. If you see traffic only from the usual
> sources at the node then the traffic is not spoofed.
>
> Now I don't know what was actually seen as the only information
> I've seen is what has been publicly released.
>
> Mark
>
>> ---rsk
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
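
The two signals described in the quoted message (a flat heat map of IPv4 space, and sources from outside a node's usual catchment), as an added example that is not part of the thread. The catchment prefixes, the thresholds, the rule of requiring both signals, and the sample data are all assumptions constructed for illustration.

```python
import ipaddress
import random
from collections import Counter

def slash8_chi_square(sources):
    """Chi-square statistic of per-/8 source counts against a flat distribution.

    With 256 buckets (255 degrees of freedom) a uniform random source generator
    gives a value near 255; a population with hot and cool spots gives far more.
    """
    counts = Counter(int(ipaddress.IPv4Address(s)) >> 24 for s in sources)
    expected = len(sources) / 256
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def outside_catchment(sources, catchment):
    """Fraction of sources not covered by the prefixes this node normally serves."""
    nets = [ipaddress.ip_network(p) for p in catchment]
    addrs = (ipaddress.IPv4Address(s) for s in sources)
    misses = sum(1 for a in addrs if not any(a in n for n in nets))
    return misses / len(sources)

def classify(sources, catchment, chi_limit=400.0, outside_limit=0.5):
    """Combine both signals; the limits are illustrative assumptions."""
    flat = slash8_chi_square(sources) < chi_limit
    foreign = outside_catchment(sources, catchment) > outside_limit
    return "likely spoofed" if flat and foreign else "consistent with real sources"

# Constructed samples: a seeded RNG stands in for a node's query log.
rng = random.Random(2015)
CATCHMENT = ["100.0.0.0/8", "150.0.0.0/8", "200.0.0.0/8"]  # hypothetical
uniform_sample = [str(ipaddress.IPv4Address(rng.getrandbits(32)))
                  for _ in range(20000)]
# Hot spots: about 90% from the catchment's /8s, the rest from anywhere.
clustered_sample = [
    str(ipaddress.IPv4Address((rng.choice([100, 150, 200]) << 24) | rng.getrandbits(24)))
    if rng.random() < 0.9 else str(ipaddress.IPv4Address(rng.getrandbits(32)))
    for _ in range(20000)
]

if __name__ == "__main__":
    for name, sample in (("uniform", uniform_sample), ("clustered", clustered_sample)):
        print(name, round(slash8_chi_square(sample)),
              round(outside_catchment(sample, CATCHMENT), 3),
              classify(sample, CATCHMENT))
```
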