In message <580BF49C.5090209@vaxination.ca>, Jean-Francois Mezei <jfmezei_nanog@vaxination.ca> wrote:
> 10s of millions of IP addresses. Is it realistic to have 10s of millions of infected devices? Or is that the dense smoke that points to IP spoofing?

I haven't read the latest up-to-the-minute reports on this event, but I do suspect that Dyn knows the difference between UDP and TCP, and my understanding is that the latter is a wee bit difficult to spoof these days. Not impossible, perhaps, but quite tedious.

I don't think that Dyn would have come out and said "10 million" if it was all easily spoofable UDP that they were getting. In that case, they would either have said "we got a ton of spoofed traffic" or else, if they felt like being publicly lampooned, they would have estimated the number of attacking IPs at three billion.

So, bottom line, if Dyn said "10 million" I suspect that they intended to imply also "via TCP".

Regards,
rfg