[c-nsp] DNS amplification
On 3/17/13, Jon Lewis <jlewis at lewis.org> wrote:
> On Sun, 17 Mar 2013, Arturo Servin wrote:
> You'd have to get access (cloud VM, dedicated server, etc.) on each
> network and see if you can successfully get spoofed packets out to
> another network.
If you have packet data about a sufficient number of different kinds
of attacks per source network over a long period of time, at a
specific attack/normal traffic sensor, you might be able to infer
some information about which networks prevent spoofing, through a
difference in the kind of attacks shown to be originating from all the
networks.
If spoofing is preferred, or used by other nodes involved in a
particular attack, the networks that are concentrated sources of
non-spoofing attack packets most likely are places where spoofing
prevention could be present -- and have altered attacker behavior.
Possibly the presence of spoofed packets may be suggested by a sudden
drastic difference in the average TTL versus legitimate traffic for a
particular source network for packets with a particular source IP,
correlated with the attack, vs. the remaining packet TTLs normally
observed for legitimate traffic from that network.
If you have a sufficiently massive number of traffic sensors, and
massive data gathering infrastructure, close enough to the attacks,
it may be possible to analyze the microsecond-level timing of packets,
and the time sequence/order they arrive at various sensors
(milliseconds delay/propagation rate of attacker nodes initiating),
in order to provide a probability that spoofed packets came from
certain networks.
Then at that point, you might make some guesses about which networks
implement BCP38.
--
-JH
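The two inference heuristics sketched in the post above (a drastic TTL shift for a source network during an attack, and a network that only ever shows up as a source of attack kinds that do not depend on spoofing) can be run over per-packet sensor records. The following is an added example written for this page, not code from the thread or from any of the posters; the packet records are constructed sample data, the record layout, the z-score threshold of 3.0 and the set of spoofing-dependent attack kinds are assumptions of the example, and the final verdict strings are only a suggestion of where BCP38 filtering might be present, not a measurement of it.

```python
"""Detection-side heuristics for the spoofing-inference idea in the thread:
1. Per-source-network TTL baseline from normal traffic, compared with the
   TTL seen on packets claiming that source during an attack window; a
   large shift suggests the packets did not really originate there.
2. Share of a network's attack packets belonging to attack kinds that
   require a spoofed source (e.g. reflection); a network that only sources
   non-spoofing attack kinds is a candidate for having spoofing prevention.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample sensor records (not real captures).
# Layout (an assumption of this example):
#   (source_network, source_ip, ttl, window, attack_kind)
# window is "normal" or "attack"; attack_kind is None for normal traffic,
# "reflection" for attacks that need a spoofed source, "direct" otherwise.
RECORDS = [
    ("192.0.2.0/24", "192.0.2.10", 55, "normal", None),
    ("192.0.2.0/24", "192.0.2.11", 56, "normal", None),
    ("192.0.2.0/24", "192.0.2.12", 57, "normal", None),
    ("192.0.2.0/24", "192.0.2.13", 56, "normal", None),
    ("192.0.2.0/24", "192.0.2.14", 55, "normal", None),
    ("192.0.2.0/24", "192.0.2.15", 57, "normal", None),
    # attack window: packets claim 192.0.2.0/24 but arrive with a very
    # different hop count, as expected if the source address was forged
    ("192.0.2.0/24", "192.0.2.20", 120, "attack", "reflection"),
    ("192.0.2.0/24", "192.0.2.20", 121, "attack", "reflection"),
    ("192.0.2.0/24", "192.0.2.21", 119, "attack", "reflection"),
    ("192.0.2.0/24", "192.0.2.21", 122, "attack", "reflection"),
    ("192.0.2.0/24", "192.0.2.22", 120, "attack", "reflection"),
    ("198.51.100.0/24", "198.51.100.5", 240, "normal", None),
    ("198.51.100.0/24", "198.51.100.6", 241, "normal", None),
    ("198.51.100.0/24", "198.51.100.7", 242, "normal", None),
    ("198.51.100.0/24", "198.51.100.8", 243, "normal", None),
    ("198.51.100.0/24", "198.51.100.9", 241, "normal", None),
    ("198.51.100.0/24", "198.51.100.5", 242, "normal", None),
    # attack window: TTLs match the baseline and the attack kind does not
    # depend on spoofing, consistent with a network that filters spoofs
    ("198.51.100.0/24", "198.51.100.30", 241, "attack", "direct"),
    ("198.51.100.0/24", "198.51.100.30", 242, "attack", "direct"),
    ("198.51.100.0/24", "198.51.100.31", 240, "attack", "direct"),
    ("198.51.100.0/24", "198.51.100.31", 242, "attack", "direct"),
    ("198.51.100.0/24", "198.51.100.32", 241, "attack", "direct"),
]

# Assumed classification of which attack kinds need a forged source.
SPOOF_DEPENDENT_KINDS = {"reflection"}


def ttl_baselines(records):
    """Mean and population stdev of TTL per network, normal windows only."""
    by_net = defaultdict(list)
    for net, _ip, ttl, window, _kind in records:
        if window == "normal":
            by_net[net].append(ttl)
    return {net: (mean(ttls), pstdev(ttls)) for net, ttls in by_net.items()}


def ttl_shift(records, z_threshold=3.0, min_samples=3):
    """Flag networks whose attack-window TTL mean is far from the baseline.

    The shift is measured in baseline standard deviations, with a floor of
    1 hop so that a very tight baseline does not flag one-hop jitter.
    """
    baselines = ttl_baselines(records)
    attack_ttls = defaultdict(list)
    for net, _ip, ttl, window, _kind in records:
        if window == "attack":
            attack_ttls[net].append(ttl)
    out = {}
    for net, ttls in attack_ttls.items():
        if net not in baselines or len(ttls) < min_samples:
            continue  # no baseline or too little attack data to judge
        base_mean, base_sd = baselines[net]
        z = abs(mean(ttls) - base_mean) / max(base_sd, 1.0)
        out[net] = {
            "baseline_mean": base_mean,
            "attack_mean": mean(ttls),
            "z": z,
            "ttl_suggests_spoofing": z >= z_threshold,
        }
    return out


def spoof_dependent_share(records):
    """Fraction of each network's attack packets that need a spoofed source."""
    counts = defaultdict(lambda: [0, 0])  # [spoof-dependent, total]
    for net, _ip, _ttl, window, kind in records:
        if window != "attack":
            continue
        counts[net][1] += 1
        if kind in SPOOF_DEPENDENT_KINDS:
            counts[net][0] += 1
    return {net: dep / total for net, (dep, total) in counts.items() if total}


def assess_networks(records):
    """Combine both heuristics into a per-network report."""
    shifts = ttl_shift(records)
    shares = spoof_dependent_share(records)
    report = {}
    for net in set(shifts) | set(shares):
        shift = shifts.get(net)
        share = shares.get(net, 0.0)
        ttl_flag = bool(shift and shift["ttl_suggests_spoofing"])
        if ttl_flag or share > 0.0:
            verdict = "spoofed sources observed; BCP38 unlikely"
        else:
            verdict = "only non-spoofed attack traffic seen; BCP38 possible"
        report[net] = {
            "ttl_suggests_spoofing": ttl_flag,
            "ttl_z": shift["z"] if shift else None,
            "spoof_dependent_share": share,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for net, result in sorted(assess_networks(RECORDS).items()):
        print(net, result)
```

On the constructed data, 192.0.2.0/24 is flagged on both counts (a roughly 64-sigma TTL jump and only reflection traffic), while 198.51.100.0/24 stays within one hop of its baseline and only ever sources direct attacks, so it ends up in the "BCP38 possible" bucket. Both checks are circumstantial in exactly the way the post says: they need a long baseline and many distinct attack kinds per source network before the inference means anything.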