Jim Shankland <nanog@shankland.org> wrote:
Also, this jumped out at me:
"The problem with the recent attack is that the originating IP addresses were evenly distributed within the IPV4 universe," McAfee says. "This is virtually impossible using spoofing."
Am I missing something, or is an even distribution of originating IP addresses virtually impossible *without* using spoofing?
You are correct and McAfee is confused. http://root-servers.org/news/events-of-20151130.txt DNS root name servers that use IP anycast observed this traffic at a significant number of anycast sites. This implies that the botnet was widely distributed. The source addresses of these particular queries appear to be randomized and distributed throughout the IPv4 address space. This says the attackers also used spoofing. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Rockall, Malin, Hebrides, Bailey: East 5 to 7, occasionally gale 8 in Rockall. Moderate or rough, occasionally very rough in Rockall. Occasional rain. Good, occasionally poor.