[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[c-nsp] DNS amplification
- Subject: [c-nsp] DNS amplification
- From: damian at google.com (Damian Menscher)
- Date: Sun, 17 Mar 2013 21:18:47 -0700
- In-reply-to: <CAAAwwbUvSXJ2LOu=qWcXr4btsf-Xymq8Azqf0m8U-nVXUd+3SA@mail.gmail.com>
- References: <CAB_zYdLuMntEdyU=UJgz8saGyA_Cq2-Y-UrM5=XnOPmvJ9=X6w@mail.gmail.com> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <[email protected]> <CAAAwwbUvSXJ2LOu=qWcXr4btsf-Xymq8Azqf0m8U-nVXUd+3SA@mail.gmail.com>
On Sun, Mar 17, 2013 at 7:04 PM, Jimmy Hess <mysidia at gmail.com> wrote:
> If you have a sufficiently massive number of traffic sensors, and
> massive data gathering infrastructure, close enough to the attacks,
> it may be possible to analyze the microsecond-level timing of packets,
> and the time sequence/order they arrive at various sensors
> (milliseconds delay/propagation rate of attacker nodes initiating),
> in order to provide a probability that spoofed packets came from
> certain networks.
>
To get microsecond-level timing, you have to be so close that you're
basically just peering with everyone. And at that point you can just look
to see which fibers carry spoofed packets.
Once you know an ISP hasn't implemented BCP38, what'st the next step?
De-peering just reduces your own visibility into the problem. What if
it's a transit provider, who can be legitimately expected to route for 0/0?
Damian