Whoa. Default route loop, that's definitely new ;)
Protip: always do prior works research.
On Thu, Dec 22, 2016 at 7:56 PM, Tom Beecher <beecher@beecher.cc> wrote:
Jean sent me details. I won't share the link or password to it based on his request, but he hasn't found anything new, and it's not even amplification at all.
What he did was send 1500 byte ICMP packets with a max TTL at an IP address that is not reachable due to a routing loop. No amplification is occurring; it's just the same packets hanging around longer looking for free food because of the TTL.
I think he _assumed_ amplification was happening because link utilization between his lab routers doing the looping was increasing. Totally expected when you're using --flood and in a lab environment where the TTL entering the loop is still above 250. :)
On Thu, Dec 22, 2016 at 11:48 AM, William Herrin <bill@herrin.us> wrote:
On Thu, Dec 22, 2016 at 11:04 AM, Ken Chase <math@sizone.org> wrote:
Maybe he's found what's already known and posted 2 months ago (and every 2 months?) on nanog, the TCP 98,000x amplifier (which is a little higher than 100x), among dozens of misbehaving devices, all >200x amp.
https://www.usenix.org/system/files/conference/woot14/woot14-kuhrer.pdf
Hi Ken,
He said, "There is no need for spoofing" so it wouldn't be that one.
Jean,
Respectfully: you're not well known to us as having identified earth-shattering vulnerabilities in the past. We hear about utterly unimportant "priority one" events every single day, so without enough information to assess whether what you're looking at is something new, important or even possible within our various architectures, few of us will be inclined to take you seriously.
We're all too familiar with the consequence of giving credence to people who say "believe me" instead of offering verifiable fact.
I respect that you're trying to help, but "I have something important to tell you, please contact me off list" is not the way to do that.
And if it turns out we should have listened and kept this secret as long as possible, well, that's on us. ;)
Regards, Bill Herrin
--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
--
Alexander Lyamin
CEO | Qrator <http://qrator.net/> Labs
office: 8-800-3333-LAB (522)
mob: +7-916-9086122
skype: melanor9
mailto: la@qrator.net
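An added illustration, not written by anyone in this thread, of the behaviour Tom Beecher describes: a packet walked through a forwarding table that contains a loop keeps crossing the looping link until its TTL expires and is never delivered, so utilization on that link rises without any extra traffic reaching a destination. The router names, topology and offered rate are constructed for the example.

```python
from collections import Counter

# Constructed lab topology (hypothetical names): the next hop each router uses
# for one unreachable destination. r1 and r2 point at each other.
NEXT_HOP = {"edge": "r1", "r1": "r2", "r2": "r1"}


def find_loop(next_hop, ingress):
    """Return the routers forming a forwarding loop reachable from ingress, or []."""
    seen, node = [], ingress
    while node in next_hop:
        if node in seen:
            return seen[seen.index(node):]
        seen.append(node)
        node = next_hop[node]
    return []


def walk(next_hop, ingress, ttl):
    """Forward one packet until it leaves the table or its TTL expires.

    Returns (delivered, crossings); crossings counts traversals per directed
    link. A router drops a packet that arrives with TTL <= 1, otherwise it
    decrements the TTL and forwards.
    """
    crossings, node = Counter(), ingress
    while node in next_hop:
        if ttl <= 1:
            return False, crossings
        ttl -= 1
        crossings[(node, next_hop[node])] += 1
        node = next_hop[node]
    return True, crossings


def loop_link_load(next_hop, ingress, ttl, offered_bps):
    """Traffic seen on the looping links for a given offered rate at ingress."""
    loop = set(find_loop(next_hop, ingress))
    _, crossings = walk(next_hop, ingress, ttl)
    inside = sum(n for (a, b), n in crossings.items() if a in loop and b in loop)
    return inside * offered_bps


if __name__ == "__main__":
    print("loop:", find_loop(NEXT_HOP, "edge"))
    delivered, crossings = walk(NEXT_HOP, "edge", 255)
    print("delivered:", delivered, "crossings:", dict(crossings))
    print("load on looping links (bps):", loop_link_load(NEXT_HOP, "edge", 255, 1_000_000))
```

Running `find_loop` over each destination's next-hop chain is the same check that shows the condition is gone once the looping route is corrected.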