[178827] in North American Network Operators' Group


Re: Purpose of spoofed packets ???

daemon@ATHENA.MIT.EDU (Laszlo Hanyecz)
Tue Mar 10 20:01:51 2015

X-Original-To: nanog@nanog.org
From: Laszlo Hanyecz <laszlo@heliacal.net>
In-Reply-To: <065A0501-2DDE-4216-B785-D3D72E14A635@arbor.net>
Date: Wed, 11 Mar 2015 00:01:43 +0000
To: "Roland Dobbins" <rdobbins@arbor.net>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

Is it possible that they are getting return traffic and it's just a localized activity?  The attacker could announce that prefix directly to the target network in an IXP peering session (maybe with no-export) so that it wouldn't set off your bgpmon.  I guess that would make more sense if they were doing email spamming instead of ssh though.

-Laszlo

On Mar 10, 2015, at 11:51 PM, "Roland Dobbins" <rdobbins@arbor.net> wrote:

>
> On 11 Mar 2015, at 6:40, Matthew Huff wrote:
>
>> I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives?
>
> Highly-distributed, pseudo-randomly spoofed SYN-flood happened to momentarily use one of your addresses as a source.  pps/source will be relatively low, whilst aggregate at the target will be relatively high.
>
> Another very real possibility is that the person or thing which sent you the abuse email doesn't know what he's/it's talking about.
>
> ;>
>
> -----------------------------------
> Roland Dobbins <rdobbins@arbor.net>
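Added example, not from anyone in the thread: a small flow-record profiler that checks for the signature Roland describes (many sources, each at low pps, high aggregate at the target, and none of the spoofed sources ever completing the handshake). The flow lines, addresses and thresholds are constructed for illustration.

```python
from collections import Counter

# Constructed sample flow records (not from the thread), one per line:
# "epoch_sec src dst dport flags".  Twelve pseudo-randomly chosen sources each
# send a single SYN to the target's port 22 in the same second, while one real
# client (192.0.2.5) sends a SYN and then an ACK, i.e. completes the handshake.
TARGET, PORT = "203.0.113.10", 22
SAMPLE_FLOWS = "\n".join(
    [f"1426032060 198.51.100.{i} {TARGET} {PORT} S" for i in range(1, 13)]
    + [f"1426032060 192.0.2.5 {TARGET} {PORT} S",
       f"1426032061 192.0.2.5 {TARGET} {PORT} A"])

def parse(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport, flags = line.split()
        rows.append((int(ts), src, dst, int(dport), flags))
    return rows

def profile(rows, target=TARGET, dport=PORT):
    """Summarize SYNs toward target:dport: per-source rate, aggregate rate,
    and how many sources never followed their SYN with an ACK."""
    syn_per_src, acked, seconds = Counter(), set(), set()
    for ts, src, dst, dp, flags in rows:
        if dst != target or dp != dport:
            continue
        if flags == "S":
            syn_per_src[src] += 1
            seconds.add(ts)
        elif "A" in flags:
            acked.add(src)
    window = (max(seconds) - min(seconds) + 1) if seconds else 1
    return {
        "distinct_sources": len(syn_per_src),
        "max_pps_per_source": max(syn_per_src.values(), default=0) / window,
        "aggregate_pps": sum(syn_per_src.values()) / window,
        "sources_never_completing": sum(1 for s in syn_per_src if s not in acked),
    }

def looks_like_spoofed_synflood(p, min_sources=10, max_src_pps=2.0):
    """The pattern from the thread: many sources, each at low pps, a high
    aggregate at the target, and almost none completing a handshake.
    The thresholds are illustrative assumptions, not values from the thread."""
    return (p["distinct_sources"] >= min_sources
            and p["max_pps_per_source"] <= max_src_pps
            and p["aggregate_pps"] >= max_src_pps * min_sources / 2
            and p["sources_never_completing"] >= 0.9 * p["distinct_sources"])

if __name__ == "__main__":
    print(profile(parse(SAMPLE_FLOWS)))
```

Run over real flow exports, the same profile shows why a single abuse report naming one of your addresses says little on its own: the reporter sees one low-rate source, while the target sees the aggregate.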

