1) There is no evidence that the recent giant DDoS attacks on Brian Krebs used IP spoofing. In fact, there is every reason to believe that they did not, since the generators of the packets were low-powered IoT devices. There is increasingly little reason for attackers to even bother with IP spoofing given how easy it is becoming to capture giant herds of low-powered IoT devices. The attackers don't care if some of their herd gets taken offline due to effective attribution.
Amplification/reflection attacks will still require IP spoofing. What I'm curious about, and only time will tell, is how much IP spoofing will continue to play a part in large DDoS attacks. Why bother spoofing IPs if your botnet herd is already large enough to bring someone offline?
You answered your question there. Without spoofing, only the largest botnets can launch a successful DDoS attack. That's a big barrier to entry, and if the police were effective in this area, it would be a huge boon to fighting those attacks.
> Without spoofing, only the largest botnets can launch a successful DDoS attack. That's a big barrier to entry
In the days of Shodan, NO. Absolutely no. 100/10 or 50/5 MBit/s household networking is becoming the norm in Germany, and other countries are way ahead of us Germans. Add in the fact that people with lots of (crappy) IoT devices are people who also have the money for a high-speed internet connection...
Then throw in a couple of stro's at DCs with good interconnections, and you've got yourself a niiiiiiiice huge botnet. You can do LOTS of damage if you get maybe ten or twenty servers with 10 GBit/s links under your control! (10 servers = 100 GBit/s, 10% of the Krebs attack IIRC)
I dunno. Spoofing for reflection/amplification is only going to work for certain services (e.g., DNS, NTPD). So perhaps if you don't spoof, but instead capture a large enough IoT botnet, you might be able to generate traffic that's harder to spot and segregate. I think we need to watch this space and see how things develop.
If every upstream provider had the NetFlow protocol, they could just drop bad traffic on the specific interface, and they could also trace the source of bad traffic and drop it as early as possible.
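The per-interface source check that the comment above has in mind (and that CAIDA's Spoofer measures from the client side) is essentially BCP38 ingress filtering: a flow whose source address is not in a prefix assigned to the interface it entered on cannot be legitimate and is a candidate to drop or trace. The following is an added example, not code from the thread or from CAIDA; the interface names, prefix assignments and flow records are all constructed for illustration.

```python
"""Flag flows whose source address is outside the prefixes assigned to the
ingress interface they arrived on (the BCP38 / ingress-filtering check).
All interface names, prefixes and flow records are constructed samples."""
import ipaddress
from collections import defaultdict

# Constructed mapping: ingress interface -> prefixes legitimately sourced behind it
INTERFACE_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("203.0.113.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("2001:db8:100::/48")],
}

# Constructed flow records: (ingress interface, src IP, dst IP, protocol, packets)
SAMPLE_FLOWS = [
    ("ge-0/0/1", "203.0.113.45", "192.0.2.10", "udp", 120),
    ("ge-0/0/1", "192.0.2.77", "198.18.0.5", "udp", 9000),    # src not behind ge-0/0/1
    ("ge-0/0/2", "198.51.100.200", "192.0.2.10", "tcp", 40),  # /25 stops at .127
    ("ge-0/0/2", "2001:db8:100::1", "2001:db8:2::1", "udp", 3),
    ("ge-0/0/2", "10.0.0.1", "192.0.2.10", "udp", 5000),      # RFC1918, never valid here
    ("ge-0/0/9", "203.0.113.1", "192.0.2.10", "udp", 1),      # interface has no prefixes
]

def is_valid_source(iface, src):
    """True if src falls in a prefix assigned to iface; unknown iface -> False.
    ipaddress handles a v6 address tested against a v4 network (returns False)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERFACE_PREFIXES.get(iface, []))

def find_spoofed(flows):
    """Return the flows that fail the source check and suspect packets per interface,
    which is what an operator would use to pick the interface to filter or trace."""
    suspect = []
    packets_by_iface = defaultdict(int)
    for iface, src, dst, proto, pkts in flows:
        if not is_valid_source(iface, src):
            suspect.append((iface, src, dst, proto, pkts))
            packets_by_iface[iface] += pkts
    return suspect, dict(packets_by_iface)

if __name__ == "__main__":
    suspect, counts = find_spoofed(SAMPLE_FLOWS)
    for rec in suspect:
        print("drop/trace: iface=%s src=%s dst=%s %s pkts=%d" % rec)
    print("suspect packets per ingress interface:", counts)
```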
2) Go and download CAIDA's Spoofer application. Test it and give them bug reports. I gave them one a few weeks ago. https://www.caida.org/projects/spoofer/