John McAfee: Massive DDoS attack on the internet was from smartphone botnet on popular app
Is McAfee just talking to dry his teeth here? This isn't actually practical, is it? Carriers would notice, right?

http://www.ibtimes.co.uk/john-mcafee-massive-ddos-attack-internet-was-smartp...

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

Saw a lot of bad traffic from China Mobile more recently, hard to solve since abuse reports ignored.....

Colin

Sent from my iPhone
On 12 Dec 2015, at 06:18, Jay Ashworth <jra@baylink.com> wrote:
Is McAfee just talking to dry his teeth here? This isn't actually practical, is it? Carriers would notice, right?
http://www.ibtimes.co.uk/john-mcafee-massive-ddos-attack-internet-was-smartp...

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Dec 12, 2015, at 1:18 AM, Jay Ashworth <jra@baylink.com> wrote:
Is McAfee just talking to dry his teeth here? This isn't actually practical, is it? Carriers would notice, right?
Whether carriers might notice (or even care, because hey we can bill for data!) is debatable. But...
http://www.ibtimes.co.uk/john-mcafee-massive-ddos-attack-internet-was-smartp...
"and the unsophisticated way the botnet could be implemented through a simple smartphone app, suggests hackers sympathetic to Islamic State (Isis) may be behind it."

"The majority of the domain servers are controlled by U.S. interests - three are controlled by the US government. Who has the largest axe to grind? Isis. Who has the most to gain? Isis. Isis certainly has the technical capability to write a popular app."

He certainly is making some wild leaps of logic here. This is the most substantive sentence in the article: "But I have no direct evidence."

Also, this jumped out at me:

"The problem with the recent attack is that the originating IP addresses were evenly distributed within the IPV4 universe," McAfee says. "This is virtually impossible using spoofing."

Am I missing something, or is an even distribution of originating IP addresses virtually impossible *without* using spoofing?

Jim
On 13 Dec 2015, at 0:23, Jim Shankland wrote:
Am I missing something, or is an even distribution of originating IP addresses virtually impossible *without* using spoofing?
If his remarks were reported correctly, they are incorrect.

-----------------------------------
Roland Dobbins <rdobbins@arbor.net>
On Sat, Dec 12, 2015 at 09:23:47AM -0800, Jim Shankland wrote:
Also, this jumped out at me:
"The problem with the recent attack is that the originating IP addresses were evenly distributed within the IPV4 universe," McAfee says. "This is virtually impossible using spoofing."
Am I missing something, or is an even distribution of originating IP addresses virtually impossible *without* using spoofing?
I think it's quite doable using botnets. I routinely log attacks/abuse that are clearly coordinated, yet originate from very diverse sources.

---rsk
In message <20151212174220.GA4941@gsp.org>, Rich Kulawiec writes:
On Sat, Dec 12, 2015 at 09:23:47AM -0800, Jim Shankland wrote:
Also, this jumped out at me:
"The problem with the recent attack is that the originating IP addresses were evenly distributed within the IPV4 universe," McAfee says. "This is virtually impossible using spoofing."
Am I missing something, or is an even distribution of originating IP addresses virtually impossible *without* using spoofing?
I think it's quite doable using botnets. I routinely log attacks/abuse that are clearly coordinated, yet originate from very diverse sources.
"very diverse sources" does not imply "even distribution". If they are not spoofed addresses you would expect to see hot and cool spots on a heat map of IPv4 space.

If they are spoofed addresses and there is a uniform random number generator used then you would expect to see a uniform heat map.

Given the way some individual root nodes operate it is blindingly easy to see spoofed traffic as many of them don't service the entire Internet normally. Routing delivers traffic from particular subsets to particular nodes. Each node services a part of the Internet and only receives traffic from that part. If you see the whole Internet when you normally only see a subset of the Internet at this node then the traffic is spoofed. If you see traffic only from the usual sources at the node then the traffic is not spoofed.

Now I don't know what was actually seen as the only information I've seen is what has been publicly released.

Mark

---rsk

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: marka@isc.org
You all do realize you are debating a popular press article whose single 'source' is a loon, right?

On Sat, Dec 12, 2015 at 5:45 PM, Mark Andrews <marka@isc.org> wrote:
In message <20151212174220.GA4941@gsp.org>, Rich Kulawiec writes:
On Sat, Dec 12, 2015 at 09:23:47AM -0800, Jim Shankland wrote:
Also, this jumped out at me:
"The problem with the recent attack is that the originating IP addresses were evenly distributed within the IPV4 universe," McAfee says. "This is virtually impossible using spoofing."
Am I missing something, or is an even distribution of originating IP addresses virtually impossible *without* using spoofing?
I think it's quite doable using botnets. I routinely log attacks/abuse that are clearly coordinated, yet originate from very diverse sources.
"very diverse sources" does not imply "even distribution". If they are not spoofed addresses you would expect to see hot and cool spots on a heat map of IPv4 space.
If they are spoofed addresses and there is a uniform random number generator used then you would expect to see a uniform heat map.
Given the way some individual root nodes operate it is blindingly easy to see spoofed traffic as many of them don't service the entire Internet normally. Routing delivers traffic from particular subsets to particular nodes. Each node services a part of the Internet and only receives traffic from that part. If you see the whole Internet when you normally only see a subset of the Internet at this node then the traffic is spoofed. If you see traffic only from the usual sources at the node then the traffic is not spoofed.

Now I don't know what was actually seen as the only information I've seen is what has been publicly released.

Mark

---rsk

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742    INTERNET: marka@isc.org
Jim Shankland <nanog@shankland.org> wrote:
Also, this jumped out at me:
"The problem with the recent attack is that the originating IP addresses were evenly distributed within the IPV4 universe," McAfee says. "This is virtually impossible using spoofing."
Am I missing something, or is an even distribution of originating IP addresses virtually impossible *without* using spoofing?
You are correct and McAfee is confused.

http://root-servers.org/news/events-of-20151130.txt

DNS root name servers that use IP anycast observed this traffic at a significant number of anycast sites.

This implies that the botnet was widely distributed.

The source addresses of these particular queries appear to be randomized and distributed throughout the IPv4 address space.

This says the attackers also used spoofing.

Tony.

--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Rockall, Malin, Hebrides, Bailey: East 5 to 7, occasionally gale 8 in Rockall. Moderate or rough, occasionally very rough in Rockall. Occasional rain. Good, occasionally poor.
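Mark's catchment argument and the root-servers.org observation Tony quotes (sources "randomized and distributed throughout the IPv4 address space") can be turned into a simple defender-side check. The following is an added example, not code from anyone in this thread or from any root-server operator: it buckets observed source addresses by /8, compares them against the set of /8s a hypothetical anycast node normally serves, and flags a flood as spoofed when the node suddenly sees nearly all of IPv4 space instead of its usual hot and cool spots. The catchment, the thresholds and the sample traffic are assumptions constructed for the demo.

```python
import ipaddress
import random
from collections import Counter

def first_octet_histogram(addrs):
    """Bucket source addresses by /8: a coarse heat map of IPv4 space."""
    counts = Counter()
    for a in addrs:
        counts[int(ipaddress.IPv4Address(a)) >> 24] += 1
    return counts

def outside_catchment_fraction(addrs, usual_octets):
    """Fraction of sources outside the /8s this node normally serves."""
    hist = first_octet_histogram(addrs)
    total = sum(hist.values())
    outside = sum(n for octet, n in hist.items() if octet not in usual_octets)
    return outside / total if total else 0.0

def occupied_fraction(addrs):
    """Share of the 256 /8 buckets holding at least one source. Uniform random
    spoofing lights up nearly all of them; real bots leave hot and cool spots."""
    return len(first_octet_histogram(addrs)) / 256

def classify(addrs, usual_octets, outside_thresh=0.5, fill_thresh=0.9):
    """Flag the flood as spoofed when this node suddenly sees 'the whole
    Internet' instead of only its usual catchment (thresholds are assumed)."""
    outside = outside_catchment_fraction(addrs, usual_octets)
    fill = occupied_fraction(addrs)
    return "spoofed" if outside > outside_thresh and fill > fill_thresh else "not spoofed"

# Constructed sample data, not real observations: this hypothetical anycast
# node normally serves clients whose addresses begin with these first octets.
USUAL_OCTETS = {10, 11, 12, 13, 14}

def sample_legit(n, seed=1):
    """Unspoofed bot traffic: mostly from the catchment, a little from elsewhere."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        in_catchment = rng.random() < 0.9
        first = rng.choice(sorted(USUAL_OCTETS)) if in_catchment else rng.randrange(256)
        out.append(str(ipaddress.IPv4Address((first << 24) | rng.randrange(1 << 24))))
    return out

def sample_spoofed(n, seed=2):
    """Spoofed traffic from a uniform random source-address generator."""
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.randrange(1 << 32))) for _ in range(n)]
```

Running `classify(sample_spoofed(2000), USUAL_OCTETS)` returns "spoofed" while the clustered sample returns "not spoofed"; on real data the catchment set would come from the node's normal-day traffic rather than a constant.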
Good stuff from Duane here:
http://www.circleid.com/posts/20151215_verisign_perspective_on_recent_root_server_attacks/

Frank

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Tony Finch
Sent: Monday, December 14, 2015 4:27 AM
To: Jim Shankland <nanog@shankland.org>
Cc: nanog@nanog.org
Subject: Re: John McAfee: Massive DDoS attack on the internet was from smartphone botnet on popular app

Jim Shankland <nanog@shankland.org> wrote:
Also, this jumped out at me:
"The problem with the recent attack is that the originating IP addresses were evenly distributed within the IPV4 universe," McAfee says. "This is virtually impossible using spoofing."
Am I missing something, or is an even distribution of originating IP addresses virtually impossible *without* using spoofing?
You are correct and McAfee is confused.

http://root-servers.org/news/events-of-20151130.txt

DNS root name servers that use IP anycast observed this traffic at a significant number of anycast sites.

This implies that the botnet was widely distributed.

The source addresses of these particular queries appear to be randomized and distributed throughout the IPv4 address space.

This says the attackers also used spoofing.

Tony.

--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Rockall, Malin, Hebrides, Bailey: East 5 to 7, occasionally gale 8 in Rockall. Moderate or rough, occasionally very rough in Rockall. Occasional rain. Good, occasionally poor.
If the system of interest consists of a non-trivial number of carrier edge devices, then a non-random distribution of source addresses is certain. (para 1, tech).

The armed organization referred to as "Isis" is described[1,2] in some detail, in the first as having sophisticated digital marketing experience and resources, and in the second as having a functional administrative within its internal structures. One, or both, are sufficient to de-correlate that organization and "unsophisticated" means. (para 1, cont.)

And as Jim Shankland points out, only spoofing can randomize carrier-originating addresses.

Eric

[1] http://www.cracked.com/blog/isis-wants-us-to-invade-7-facts-revealed-by-thei... (yes, an odd journal of record, but life is odd, not even)
[2] http://www.theguardian.com/world/2015/dec/07/islamic-state-document-masterpl...

On 12/11/15 10:18 PM, Jay Ashworth wrote:
Is McAfee just talking to dry his teeth here? This isn't actually practical, is it? Carriers would notice, right?
http://www.ibtimes.co.uk/john-mcafee-massive-ddos-attack-internet-was-smartp...