[178826] in North American Network Operators' Group

Re: Purpose of spoofed packets ???

daemon@ATHENA.MIT.EDU (Fred Hollis)
Tue Mar 10 19:54:56 2015

X-Original-To: nanog@nanog.org
Date: Wed, 11 Mar 2015 00:53:43 +0100
From: Fred Hollis <fred@web2objects.com>
To: nanog@nanog.org
In-Reply-To: <851dacde19f14eeca82d0c9b6aff89c8@pur-vm-exch13n1.ox.com>
Errors-To: nanog-bounces@nanog.org

Interesting... we had exactly the same an hour ago. That IP was 
definitely nullrouted for >1 week...

Matthew Huff:
> We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring, so unless something very tricky is going on, we don't have part of our prefix hijacked.
>
> I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful to the attacker if the traffic doesn't return to them, so what gives?
>
> BTW, we are in the ARIN region, the report came out of the RIPE region.
>
>
> ----
> Matthew Huff             | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC       | Phone: 914-460-4039
> aim: matthewbhuff        | Fax:   914-694-5669
>
