Purpose of spoofed packets ???
laszlo at heliacal.net
Wed Mar 11 00:01:43 UTC 2015
Is it possible that they are getting return traffic and it's just a localized activity? The attacker could announce that prefix directly to the target network in an IXP peering session (maybe with no-export) so that it wouldn't set off your bgpmon. I guess that would make more sense if they were doing email spamming instead of ssh though.
On Mar 10, 2015, at 11:51 PM, "Roland Dobbins" <rdobbins at arbor.net> wrote:
> On 11 Mar 2015, at 6:40, Matthew Huff wrote:
>> I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives?
> Highly-distributed, pseudo-randomly spoofed SYN-flood happened to momentarily use one of your addresses as a source. pps/source will be relatively low, whilst aggregate at the target will be relatively high.
> Another very real possibility is that the person or thing which sent you the abuse email doesn't know what he's/it's talking about.
> Roland Dobbins <rdobbins at arbor.net>
More information about the NANOG