On Sun, Mar 17, 2013 at 7:04 PM, Jimmy Hess <mysidia@gmail.com> wrote:
If you have a sufficiently massive number of traffic sensors, and massive data gathering infrastructure, close enough to the attacks, it may be possible to analyze the microsecond-level timing of packets, and the time sequence/order they arrive at various sensors (milliseconds delay/propagation rate of attacker nodes initiating), in order to provide a probability that spoofed packets came from certain networks.
To get microsecond-level timing, you have to be so close that you're basically just peering with everyone. And at that point you can just look to see which fibers carry spoofed packets. Once you know an ISP hasn't implemented BCP38, what'st the next step? De-peering just reduces your own visibility into the problem. What if it's a transit provider, who can be legitimately expected to route for 0/0? Damian