[funsec] Re: IP Spoofing [Was many other things]
dagon at cc.gatech.edu
Thu Sep 15 21:03:49 CDT 2005
On Thu, Sep 15, 2005 at 05:58:36PM -0700, Roland Dobbins wrote:
> I'm not a big fan of this - a) doing anything to encourage folks to
> emit spoofed packets is counterproductive, IMHO, and b) what about
> the security implications of this client and it's C&C/reporting
> system? and c) give the methodology, or lack therof, in selecting
> reporting nodes,
d) have the spoofed payload include a text statement about why
it was spoofed, who to contact about concerns, etc.
e) have the spoofing client perform any sort of authentication
or verification to the server. E.g., a botnet could throw off
their data, in much the same way that DDoS'ers sometimes forge
the src IP of CAIDA's telescope, just to mess things up.
> I don't see how this can give any meaningful results
> for the Internet at large.
Here, I think they can come up with some numbers and a confidence
Right now, they report >1% of all domains sampled. It's dicey whether
their population so far (900 sessions; 712 unique) is representative
of the larger Internet because almost half come from .it and .net
combined. (There's probably a funny story behind that.)
It's also not clear how complete their study is of the domains they
did manage to sample. If they test a domain, have they really tested
the full block. E.g., cc.gatech.edu might implement BCP38/RFC2827,
but those shiftless folks at gatech.edu might not.
One good piece of news:
failed spoofs: 391
Blocked because of XPSP2: 235
In some networks, the hosts might do a better job of filtering than
Since this is funsec, I'll also note that despite the small data set,
their numbers roughly follow Pareto's 80/20 principle: 20% is
responsible for almost all the trouble on the Internet.
David Dagon /"\ "When cryptography
dagon at cc.gatech.edu \ / ASCII RIBBON CAMPAIGN is outlawed, bayl
Ph.D. Student X AGAINST HTML MAIL bhgynjf jvyy unir
Georgia Inst. of Tech. / \ cevinpl."
More information about the funsec