nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [c-nsp] DNS amplification

From: Damian Menscher <damian () google com>
Date: Sun, 17 Mar 2013 21:18:47 -0700
On Sun, Mar 17, 2013 at 7:04 PM, Jimmy Hess <mysidia () gmail com> wrote:


If you have a sufficiently massive number of traffic sensors, and
massive data gathering infrastructure,  close enough to the attacks,
it may be possible to analyze the microsecond-level timing of packets,
and the time sequence/order they arrive at various sensors
(milliseconds delay/propagation rate of attacker nodes initiating),
in order to provide a probability that spoofed packets came from
certain networks.



To get microsecond-level timing, you have to be so close that you're
basically just peering with everyone.  And at that point you can just look
to see which fibers carry spoofed packets.

Once you know an ISP hasn't implemented BCP38, what'st the next step?
 De-peering just reduces your own visibility into the problem.  What if
it's a transit provider, who can be legitimately expected to route for 0/0?

Damian
Previous By Date Next
Previous By Thread Next

Current thread: