Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
- Subject: Spoofing ASNs (Re: SNMP DDoS: the vulnerability you might not know you have)
- From: fw at deneb.enyo.de (Florian Weimer)
- Date: Sun, 11 Aug 2013 14:45:30 +0200
- In-reply-to: <[email protected]> (Jared Mauch's message of "Thu, 8 Aug 2013 13:45:03 -0400")
* Jared Mauch:

> Number of unique IPs that spoofed a packet to me. (eg: I sent a
> packet to 1.2.3.4 and 5.6.7.8 responded).

That's not necessarily proof of spoofing, is it? The system in
question might legitimately own IP addresses from very different
networks. If the system is a router and the service you're pinging is
not correctly implemented and it picks up the IP address of the
outgoing interface instead of the source address of the request,
that's totally expected.

I'm not saying that BCP 38 is widely implemented (it's not, unless
operators have configured exceptions for ICMP traffic from private
addresses, which I very much doubt). I just think you aren't actually
measuring spoofing capabilities.
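
The distinction drawn in the message above, as an added example that is not part of the thread or of anyone's measurement code: a probe log where the reply source differs from the probed address is split into cases instead of being counted as one "spoofed" total. The prefix-to-origin-AS table, the addresses (documentation prefixes, private-use ASNs) and the category names are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed prefix -> origin AS table (documentation prefixes, private-use ASNs).
ORIGINS = {
    ipaddress.ip_network("192.0.2.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64500,
    ipaddress.ip_network("203.0.113.0/24"): 64501,
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed probe log: (address probed, source address of the reply).
PROBES = [
    ("192.0.2.1", "192.0.2.1"),
    ("192.0.2.7", "198.51.100.9"),
    ("192.0.2.8", "203.0.113.5"),
    ("198.51.100.3", "10.1.2.3"),
    ("203.0.113.9", "192.0.2.200"),
]

def origin_as(ip):
    """Longest-prefix match against ORIGINS; None if no prefix covers ip."""
    matches = [n for n in ORIGINS if ip in n]
    return ORIGINS[max(matches, key=lambda n: n.prefixlen)] if matches else None

def classify(target, reply_src):
    t, r = ipaddress.ip_address(target), ipaddress.ip_address(reply_src)
    if t == r:
        return "match"
    if any(r in n for n in RFC1918):
        # Interface address of a device on the path; it reached us unfiltered.
        return "private_source"
    if origin_as(t) is not None and origin_as(t) == origin_as(r):
        # Consistent with a multi-homed device answering from another interface.
        return "same_origin_as"
    # Still ambiguous: one system may own addresses in very different networks.
    return "different_origin_as"

def summarize(probes):
    return Counter(classify(t, r) for t, r in probes)

def naive_mismatch_count(probes):
    """The 'reply came from a different IP' count on its own."""
    return sum(1 for t, r in probes if classify(t, r) != "match")
```

On the constructed log the plain mismatch count is 4, while only 2 replies cross an origin-AS boundary, and even those are not proof that the responder can spoof.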