[178824] in North American Network Operators' Group
Purpose of spoofed packets ???
daemon@ATHENA.MIT.EDU (Matthew Huff)
Tue Mar 10 19:42:46 2015
From: Matthew Huff <mhuff@ox.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Tue, 10 Mar 2015 23:40:43 +0000
We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring, so unless something very tricky is going on, we don't have part of our prefix hijacked.
I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives?
BTW, we are in the ARIN region, the report came out of the RIPE region.
----
Matthew Huff             | 1 Manhattanville Rd
Director of Operations   | Purchase, NY 10577
OTA Management LLC       | Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-694-5669