On 3/17/13, Jon Lewis <jlewis@lewis.org> wrote:
On Sun, 17 Mar 2013, Arturo Servin wrote:
You'd have to get access (cloud VM, dedicated server, etc.) on each network and see if you can successfully get spoofed packets out to another network.
If you have packet data about a sufficient number of different kinds of attacks per source network over a long period of time, at a specific attack/normal traffic sensor, you might be able to infer some information about which networks prevent spoofing, through a difference in the kind of attacks shown to be originating from all the networks. If spoofing is preferred, or used by other nodes involved in a particular attack, the networks that are concentrated sources of non-spoofing attack packets are most likely places where spoofing prevention could be present -- and have altered attacker behavior.

Possibly the presence of spoofed packets may be suggested by a sudden drastic difference in the average TTL versus legitimate traffic for a particular source network for packets with a particular source IP, correlated with the attack, vs. the remaining packet TTLs normally observed for legitimate traffic from that network.

If you have a sufficiently massive number of traffic sensors, and massive data gathering infrastructure, close enough to the attacks, it may be possible to analyze the microsecond-level timing of packets, and the time sequence/order they arrive at various sensors (milliseconds delay/propagation rate of attacker nodes initiating), in order to provide a probability that spoofed packets came from certain networks. Then at that point, you might make some guesses about which networks implement BCP38.

--
-JH
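The TTL heuristic sketched in the message above, written out as an added example (it is not code from the thread or from any of its participants): for each source network, compare the TTLs seen on packets during an attack window against the TTLs normally observed from that network, and flag networks where the attack-window distribution has shifted far from the baseline. The packet records, the /24 grouping, and the shift threshold are all constructed assumptions for illustration; a real sensor would group by origin AS and set the threshold from its own baseline variance.

```python
"""
Added example: flag source networks whose attack-window packet TTLs differ
sharply from the TTLs normally seen for legitimate traffic from the same
network. The thread suggests such a shift may hint at spoofed sources.
All packet records below are constructed sample data.
"""
from collections import defaultdict
from ipaddress import ip_network
from statistics import mean

# Constructed sample records: (source IP, observed TTL, seen during attack window)
PACKETS = [
    # 192.0.2.0/24: legitimate traffic normally arrives with TTL ~55,
    # attack-window packets claiming this source arrive with TTL ~42.
    ("192.0.2.10", 54, False), ("192.0.2.11", 55, False), ("192.0.2.12", 54, False),
    ("192.0.2.13", 56, False), ("192.0.2.14", 55, False),
    ("192.0.2.20", 42, True), ("192.0.2.21", 41, True),
    ("192.0.2.22", 43, True), ("192.0.2.23", 42, True),
    # 198.51.100.0/24: attack-window TTLs match the baseline (no shift).
    ("198.51.100.5", 116, False), ("198.51.100.6", 117, False),
    ("198.51.100.7", 115, False), ("198.51.100.8", 118, False),
    ("198.51.100.9", 116, True), ("198.51.100.10", 117, True), ("198.51.100.11", 116, True),
    # 203.0.113.0/24: baseline only, never seen in an attack window.
    ("203.0.113.1", 60, False), ("203.0.113.2", 61, False), ("203.0.113.3", 60, False),
]


def network_of(ip, prefix=24):
    """Map a source IP to its covering prefix (assumed /24 grouping)."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def ttl_profiles(packets, prefix=24):
    """Collect baseline and attack-window TTL samples per source network."""
    profiles = defaultdict(lambda: {"baseline": [], "attack": []})
    for src, ttl, during_attack in packets:
        bucket = "attack" if during_attack else "baseline"
        profiles[network_of(src, prefix)][bucket].append(ttl)
    return dict(profiles)


def flag_ttl_shifts(packets, prefix=24, min_shift=8, min_samples=3):
    """
    Return [(network, baseline_mean, attack_mean)] for networks whose
    attack-window mean TTL differs from the baseline mean by at least
    min_shift hops. Networks with too few samples on either side are
    skipped rather than guessed at.
    """
    flagged = []
    for net, prof in sorted(ttl_profiles(packets, prefix).items()):
        if len(prof["baseline"]) < min_samples or len(prof["attack"]) < min_samples:
            continue
        base_mean = mean(prof["baseline"])
        attack_mean = mean(prof["attack"])
        if abs(attack_mean - base_mean) >= min_shift:
            flagged.append((net, base_mean, attack_mean))
    return flagged


if __name__ == "__main__":
    for net, base, atk in flag_ttl_shifts(PACKETS):
        print(f"{net}: baseline TTL {base:.1f}, attack-window TTL {atk:.1f} -> possible spoofed source")
```

The baseline must be built per network rather than globally, because legitimate TTLs already differ by operating system initial TTL (64, 128, 255) and by path length; a shift of a few hops within one network can also come from a routing change, which is why the message frames this as a suggestion rather than proof, and why the threshold here is a tunable rather than a fixed rule.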