[178829] in North American Network Operators' Group
Re: Purpose of spoofed packets ???
daemon@ATHENA.MIT.EDU (Steve Atkins)
Tue Mar 10 21:15:15 2015
X-Original-To: nanog@nanog.org
From: Steve Atkins <steve@blighty.com>
In-Reply-To: <851dacde19f14eeca82d0c9b6aff89c8@pur-vm-exch13n1.ox.com>
Date: Tue, 10 Mar 2015 18:15:04 -0700
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Mar 10, 2015, at 4:40 PM, Matthew Huff <mhuff@ox.com> wrote:
> We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring, so unless something very tricky is going on, we don't have part of our prefix hijacked.
>
> I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives?
>
> BTW, we are in the ARIN region, the report came out of the RIPE region.
Either the reporter doesn't know what they're talking about (common enough) or someone is scanning for open ssh ports, hiding their real IP address by burying it in a host of faked source addresses. That's a standard option on some of the stealthier port scanners, IIRC.
Cheers,
Steve
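An added example from the receiving network's side, not part of the thread: it parses a constructed SYN log (hypothetical "<epoch> SYN <src> -> <dst>:<port>" format), flags time windows in which many distinct sources hit the same port together, the footprint of a scan padded with spoofed decoy addresses as described in the reply, and separates out the reported sources that sit in null-routed or unannounced space, which, as the question notes, could never have received a reply. The prefixes and addresses are constructed documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log (not from the original thread).
SAMPLE_LOG = """\
1426000000 SYN 203.0.113.7 -> 198.51.100.10:22
1426000000 SYN 192.0.2.55 -> 198.51.100.10:22
1426000000 SYN 198.18.0.9 -> 198.51.100.10:22
1426000000 SYN 203.0.113.200 -> 198.51.100.10:22
1426000001 SYN 192.0.2.55 -> 198.51.100.10:22
1426000001 SYN 203.0.113.7 -> 198.51.100.10:22
1426000001 SYN 198.18.0.9 -> 198.51.100.10:22
1426000001 SYN 203.0.113.200 -> 198.51.100.10:22
1426000500 SYN 203.0.113.7 -> 198.51.100.10:443
"""

LINE_RE = re.compile(r"^(\d+) SYN (\S+) -> (\S+):(\d+)$")


def parse_syn_log(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_decoy_bursts(events, window=1, min_sources=3):
    """Group SYNs by destination, port and time window (seconds). Return the
    windows where at least `min_sources` distinct source addresses probed the
    same port at once: a single scanner hidden among spoofed decoys."""
    buckets = defaultdict(set)
    for ts, src, dst, dport in events:
        buckets[(dst, dport, ts // window)].add(src)
    return {k: sorted(v) for k, v in buckets.items() if len(v) >= min_sources}


def unreachable_sources(sources, null_routed):
    """Return the sources inside prefixes we null-route or do not announce.
    Replies to them are dropped, so they cannot have been a real client;
    a report naming one of them is describing a spoofed packet."""
    nets = [ipaddress.ip_network(p) for p in null_routed]
    return [s for s in sources if any(ipaddress.ip_address(s) in n for n in nets)]
```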