[funsec] Re: IP Spoofing [Was many other things]
David Dagon
dagon at cc.gatech.edu
Thu Sep 15 21:03:49 CDT 2005
On Thu, Sep 15, 2005 at 05:58:36PM -0700, Roland Dobbins wrote:
>
> I'm not a big fan of this - a) doing anything to encourage folks to
> emit spoofed packets is counterproductive, IMHO, and b) what about
> the security implications of this client and its C&C/reporting
> system? and c) given the methodology, or lack thereof, in selecting
> reporting nodes,
d) have the spoofed payload include a text statement about why
it was spoofed, who to contact about concerns, etc.
e) have the spoofing client perform any sort of authentication
or verification to the server. E.g., a botnet could throw off
their data, in much the same way that DDoS'ers sometimes forge
the src IP of CAIDA's telescope, just to mess things up.
> I don't see how this can give any meaningful results
> for the Internet at large.
Here, I think they can come up with some numbers and a confidence
interval--eventually.
Right now, they report >1% of all domains sampled. It's dicey whether
their population so far (900 sessions; 712 unique) is representative
of the larger Internet because almost half come from .it and .net
combined. (There's probably a funny story behind that.)
It's also not clear how complete their study is of the domains they
did manage to sample. If they test a domain, have they really tested
the full block? E.g., cc.gatech.edu might implement BCP38/RFC2827,
but those shiftless folks at gatech.edu might not.
One good piece of news:

    failed spoofs: 391
    Blocked because of XPSP2: 235

In some networks, the hosts might do a better job of filtering than
the edges!
Since this is funsec, I'll also note that despite the small data set,
their numbers roughly follow Pareto's 80/20 principle: 20% is
responsible for almost all the trouble on the Internet.
Cheers,
--
David Dagon /"\ "When cryptography
dagon at cc.gatech.edu \ / ASCII RIBBON CAMPAIGN is outlawed, bayl
Ph.D. Student X AGAINST HTML MAIL bhgynjf jvyy unir
Georgia Inst. of Tech. / \ cevinpl."
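The BCP38/RFC2827 ingress check the message refers to, and the host-side filtering it contrasts it with, as an added example that is not part of the thread or of the study being discussed: an edge router accepts a packet only if its source address belongs to a prefix assigned to the interface it arrived on, while a host-side check (in the spirit of the XP SP2 raw-socket restriction) only emits packets sourced from one of its own addresses. The `Packet` type, the `INGRESS_PREFIXES` table and the sample packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str         # source address claimed in the IP header


# Constructed per-interface prefix assignments for a hypothetical edge router.
INGRESS_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("2001:db8:1::/48")],
}


def bcp38_permits(pkt, prefixes=INGRESS_PREFIXES):
    """Edge-router ingress filter (RFC 2827 style): permit only if the source
    address lies within a prefix legitimately originating on the ingress
    interface. Unknown interfaces and malformed addresses fail closed."""
    allowed = prefixes.get(pkt.ingress_if)
    if allowed is None:
        return False
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return False
    # ipaddress returns False for a v4 address tested against a v6 prefix.
    return any(src in net for net in allowed)


def host_permits(src, host_addrs):
    """Host-side analogue: the stack refuses to emit a packet whose source is
    not one of the host's own configured addresses."""
    own = {ipaddress.ip_address(a) for a in host_addrs}
    return ipaddress.ip_address(src) in own


def audit(packets, prefixes=INGRESS_PREFIXES):
    """Tally (permitted, dropped) over a packet sample, the way the study
    counts failed spoofs."""
    permitted = sum(1 for p in packets if bcp38_permits(p, prefixes))
    return permitted, len(packets) - permitted


SAMPLE = [  # constructed packets, addresses from documentation ranges
    Packet("eth1", "192.0.2.44"),      # legitimate
    Packet("eth1", "203.0.113.9"),     # spoofed: not assigned to eth1
    Packet("eth2", "198.51.100.200"),  # spoofed: outside the /25
    Packet("eth2", "2001:db8:1::7"),   # legitimate IPv6
    Packet("eth3", "192.0.2.1"),       # unknown interface: fail closed
]
```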