Purpose of spoofed packets ???
mhuff at ox.com
Wed Mar 11 00:16:00 UTC 2015
>> Another very real possibility is that the person or thing which sent
>> the abuse email doesn't know what he's/it's talking about.
Was my first thought, but wanted to run this by everyone in case I was
missing something obvious.
On 3/10/15, 7:51 PM, "Roland Dobbins" <rdobbins at arbor.net> wrote:
>On 11 Mar 2015, at 6:40, Matthew Huff wrote:
>> I assume the source address was spoofed, but this leads to my
>> question. Since the person that submitted the report didn't mention a
>> high packet rate (it was on ssh port 22), it doesn't look like some
>> sort of SYN attack, but any OS fingerprinting or doorknob twisting
>> wouldn't be useful from the attacker if the traffic doesn't return to
>> them, so what gives?
>Highly-distributed, pseudo-randomly spoofed SYN-flood happened to
>momentarily use one of your addresses as a source. pps/source will be
>relatively low, whilst aggregate at the target will be relatively high.
>Another very real possibility is that the person or thing which sent you
>the abuse email doesn't know what he's/it's talking about.
>Roland Dobbins <rdobbins at arbor.net>
More information about the NANOG