[178840] in North American Network Operators' Group


RE: Purpose of spoofed packets ???

daemon@ATHENA.MIT.EDU (Darden, Patrick)
Wed Mar 11 11:27:52 2015

X-Original-To: nanog@nanog.org
From: "Darden, Patrick" <Patrick.Darden@p66.com>
To: Matthew Huff <mhuff@ox.com>, "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 11 Mar 2015 15:27:45 +0000
In-Reply-To: <851dacde19f14eeca82d0c9b6aff89c8@pur-vm-exch13n1.ox.com>
Errors-To: nanog-bounces@nanog.org

One more outré purpose for spoofing SIPs is to have you blacklist/nullroute someone, effectively enlisting you to cause a DOS.

--p

-----Original Message-----
From: NANOG [mailto:nanog-bounces+patrick.darden=p66.com@nanog.org] On Behalf Of Matthew Huff
Sent: Tuesday, March 10, 2015 6:41 PM
To: nanog@nanog.org
Subject: [EXTERNAL]Purpose of spoofed packets ???

We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring, so unless something very tricky is going on, we don't have part of our prefix hijacked.

I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives?

BTW, we are in the ARIN region, the report came out of the RIPE region.


----
Matthew Huff           | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC     | Phone: 914-460-4039
aim: matthewbhuff      | Fax:   914-694-5669
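
The reply above notes that spoofed source addresses can be used to get you to blacklist or null-route a third party. As an added defensive example (not part of the original thread), the sketch below auto-blocks only sources that got past the TCP handshake, which a spoofer who never sees the SYN-ACK cannot normally do. The log format, state names and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, documentation-range addresses).
SAMPLE_LOG = """\
2015-03-10T18:00:01Z src=198.51.100.7 dport=22 state=SYN_ONLY
2015-03-10T18:00:02Z src=198.51.100.7 dport=22 state=SYN_ONLY
2015-03-10T18:00:03Z src=198.51.100.7 dport=22 state=SYN_ONLY
2015-03-10T18:00:04Z src=198.51.100.7 dport=22 state=SYN_ONLY
2015-03-10T18:01:10Z src=203.0.113.45 dport=22 state=AUTH_FAIL
2015-03-10T18:01:12Z src=203.0.113.45 dport=22 state=AUTH_FAIL
2015-03-10T18:01:15Z src=203.0.113.45 dport=22 state=AUTH_FAIL
2015-03-10T18:02:00Z src=192.0.2.10 dport=22 state=AUTH_FAIL
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dport=(?P<dport>\d+) state=(?P<state>\w+)")

# States that can only be logged after the three-way handshake completed,
# i.e. the peer received our SYN-ACK, so the source address is not spoofed.
VERIFIED_STATES = {"ESTABLISHED", "AUTH_FAIL"}


def classify_sources(log_text, threshold=3):
    """Return (block, suspect): sources safe to auto-block vs. possibly spoofed."""
    failures = defaultdict(int)    # AUTH_FAIL count per handshake-verified source
    unverified = defaultdict(int)  # events seen without a completed handshake
    verified = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        src, state = m["src"], m["state"]
        if state in VERIFIED_STATES:
            verified.add(src)
            if state == "AUTH_FAIL":
                failures[src] += 1
        else:
            unverified[src] += 1
    block = {s for s, n in failures.items() if n >= threshold}
    # Noisy sources never seen past the handshake: flag for review, never auto-block.
    suspect = {s for s, n in unverified.items() if n >= threshold and s not in verified}
    return block, suspect


if __name__ == "__main__":
    block, suspect = classify_sources(SAMPLE_LOG)
    print("auto-block:", sorted(block))
    print("possibly spoofed, review only:", sorted(suspect))
```
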

