[178828] in North American Network Operators' Group


Re: Purpose of spoofed packets ???

daemon@ATHENA.MIT.EDU (Matthew Huff)
Tue Mar 10 20:16:03 2015

X-Original-To: nanog@nanog.org
From: Matthew Huff <mhuff@ox.com>
To: Roland Dobbins <rdobbins@arbor.net>, "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 11 Mar 2015 00:16:00 +0000
In-Reply-To: <065A0501-2DDE-4216-B785-D3D72E14A635@arbor.net>
Errors-To: nanog-bounces@nanog.org

>> Another very real possibility is that the person or thing which sent you
>> the abuse email doesn't know what he's/it's talking about.

Was my first thought, but wanted to run this by everyone in case I was
missing something obvious.




On 3/10/15, 7:51 PM, "Roland Dobbins" <rdobbins@arbor.net> wrote:

>
>On 11 Mar 2015, at 6:40, Matthew Huff wrote:
>
>> I assume the source address was spoofed, but this leads to my
>> question. Since the person that submitted the report didn't mention a
>> high packet rate (it was on ssh port 22), it doesn't look like some
>> sort of SYN attack, but any OS fingerprinting or doorknob twisting
>> wouldn't be useful from the attacker if the traffic doesn't return to
>> them, so what gives?
>
>Highly-distributed, pseudo-randomly spoofed SYN-flood happened to
>momentarily use one of your addresses as a source.  pps/source will be
>relatively low, whilst aggregate at the target will be relatively high.
>
>Another very real possibility is that the person or thing which sent you
>the abuse email doesn't know what he's/it's talking about.
>
>;>
>
>-----------------------------------
>Roland Dobbins <rdobbins@arbor.net>
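
The spoofed-flood explanation in the quoted reply, worked through as an added example that is not part of the thread: target-side SYN records are summarized to show a high aggregate rate alongside a very low per-source rate and no completed handshakes. The record format, thresholds, and all addresses (documentation ranges plus seeded random values) are constructed assumptions.

```python
import random
from collections import Counter
from ipaddress import IPv4Address
from statistics import median

def summarize_syns(events, window_s):
    """events: (src_ip, flag) tuples seen at the target during window_s seconds.
    flag is "SYN" for a connection attempt, "ACK" for the final handshake ACK."""
    syns = Counter(src for src, flag in events if flag == "SYN")
    completed = {src for src, flag in events if flag == "ACK"}
    return {
        "aggregate_pps": sum(syns.values()) / window_s,
        "sources": len(syns),
        "median_syn_per_source": median(syns.values()),
        "completed_ratio": sum(1 for s in syns if s in completed) / len(syns),
    }

def looks_like_spoofed_flood(s, min_pps=1000, max_per_source=2, max_completed=0.01):
    # Thresholds are illustrative assumptions, not values from the thread.
    return (s["aggregate_pps"] >= min_pps
            and s["median_syn_per_source"] <= max_per_source
            and s["completed_ratio"] <= max_completed)

def source_report(events, src, window_s):
    """What the target can actually say about one reported source address."""
    n = sum(1 for s, flag in events if s == src and flag == "SYN")
    done = any(s == src and flag == "ACK" for s, flag in events)
    return {"syn_pps": n / window_s, "handshake_completed": done}

def constructed_sample(n_syn=20000, seed=1):
    """Constructed data: pseudo-random sources, one of which is 'your' address."""
    rng = random.Random(seed)
    events = [(str(IPv4Address(rng.getrandbits(32))), "SYN") for _ in range(n_syn)]
    events.append(("192.0.2.10", "SYN"))  # the address named in the abuse report
    events += [("198.51.100.7", "SYN"), ("198.51.100.7", "ACK")]  # one real client
    return events

if __name__ == "__main__":
    ev = constructed_sample()
    summary = summarize_syns(ev, window_s=10)
    print(summary, looks_like_spoofed_flood(summary))
    print(source_report(ev, "192.0.2.10", window_s=10))
```

A reported address that shows a fraction of a packet per second and never completes a handshake, inside a window that matches the flood pattern, is consistent with having been used as a spoofed source rather than with scanning from that host.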

