Purpose of spoofed packets ???

Matthew Huff mhuff at ox.com
Wed Mar 11 00:16:00 UTC 2015


>> Another very real possibility is that the person or thing which sent you
>> the abuse email doesn't know what he's/it's talking about.

Was my first thought, but wanted to run this by everyone in case I was
missing something obvious.




On 3/10/15, 7:51 PM, "Roland Dobbins" <rdobbins at arbor.net> wrote:

>
>On 11 Mar 2015, at 6:40, Matthew Huff wrote:
>
>> I assume the source address was spoofed, but this leads to my
>> question. Since the person that submitted the report didn't mention a
>> high packet rate (it was on ssh port 22), it doesn't look like some
>> sort of SYN attack, but any OS fingerprinting or doorknob twisting
>> wouldn't be useful from the attacker if the traffic doesn't return to
>> them, so what gives?
>
>Highly-distributed, pseudo-randomly spoofed SYN-flood happened to
>momentarily use one of your addresses as a source.  pps/source will be
>relatively low, whilst aggregate at the target will be relatively high.
>
>Another very real possibility is that the person or thing which sent you
>the abuse email doesn't know what he's/it's talking about.
>
>;>
>
>-----------------------------------
>Roland Dobbins <rdobbins at arbor.net>
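
Added example, not part of the original thread: a target-side check for the pattern described in the reply above (many sources, low pps per source, high aggregate, no completed handshakes) versus a single host really probing ssh. The events are constructed, and the function names, event format and thresholds are assumptions.

```python
from collections import Counter

WINDOW_S = 10  # length of the observation window in seconds (assumed)

# Constructed sample: 20000 distinct sources, one SYN each, no handshake ever
# completes. Addresses come from 198.18.0.0/15 (benchmarking range).
FLOOD = [(f"198.18.{i // 256}.{i % 256}", "S") for i in range(20000)]

# Constructed sample: one real host opening 50 ssh connections, each completed.
SCAN = [("203.0.113.7", "S"), ("203.0.113.7", "A")] * 50


def syn_profile(events, window_s):
    """Summarise (src_ip, flag) events seen at the target on one port.

    flag is "S" for an initial SYN and "A" for the ACK that completes the
    three-way handshake. A spoofed source never sees the SYN/ACK, so it
    cannot send that ACK.
    """
    syns = Counter(src for src, flag in events if flag == "S")
    completed = {src for src, flag in events if flag == "A"} & set(syns)
    sources = len(syns)
    return {
        "aggregate_pps": sum(syns.values()) / window_s,
        "sources": sources,
        "max_pps_per_source": max(syns.values(), default=0) / window_s,
        "completed_ratio": len(completed) / sources if sources else 0.0,
    }


def looks_like_spoofed_flood(profile, agg_pps_min=1000.0,
                             per_source_pps_max=1.0, completed_max=0.01):
    """True when aggregate load is high, every source is individually quiet,
    and almost no source completes a handshake. Thresholds are illustrative."""
    return (profile["aggregate_pps"] >= agg_pps_min
            and profile["max_pps_per_source"] <= per_source_pps_max
            and profile["completed_ratio"] <= completed_max)


if __name__ == "__main__":
    for name, events in (("flood", FLOOD), ("scan", SCAN)):
        p = syn_profile(events, WINDOW_S)
        print(name, p, "spoofed flood:", looks_like_spoofed_flood(p))
```

Any single address in the flood sample shows up at 0.1 pps, which is why a per-source abuse report on it says nothing about a high packet rate.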


