backtracking forged packets?

Blake Hudson blake at ispn.net
Sat Mar 14 14:51:29 UTC 2020


It's not complete, but if you're receiving the ICMP net/port unreachable 
backscatter it should include a portion of the original packet. This 
might provide some insight into the TTL left on the TCP packet when it 
reached its destination, which could provide a rough radius that you 
would need to look at. Also, if the TTL is constant it would support the 
idea that one or few hosts are spoofing your address block, but if the 
TTL varies widely it might indicate that many bots are spoofing your 
address block.

You might check looking glass tools or something like 
https://radar.qrator.net to see if someone is not only spoofing your 
address range, but has gone farther and has hijacked it.

Good luck,
--B

On 3/14/2020 1:23 AM, William Herrin wrote:
> Howdy,
>
> Can anyone suggest tools, techniques and helpful contacts for
> backtracking spoofed packets? At the moment someone is forging TCP
> syns from my address block. I'm getting the syn/ack and icmp
> unreachable backscatter. Enough that my service provider briefly
> classified it a DDOS. I'd love to find the culprit.
>
> Thanks,
> Bill Herrin
>
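As an added illustration of the TTL analysis Blake describes (example code written for this page, not from either poster), the Python below pulls the quoted original header out of an ICMPv4 unreachable message, turns the remaining TTL into a rough hop estimate, and summarizes how tightly the TTLs cluster across a batch of backscatter packets. The sample-packet builder, the 192.0.2.10 / 198.51.100.5 documentation addresses and the "few sources" spread threshold of 3 are constructed assumptions.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# Initial TTLs used by common operating systems (assumption: the nearest one
# at or above the remaining TTL is what the spoofing host started from).
INITIAL_TTLS = (32, 64, 128, 255)


def parse_icmp_unreachable(frame: bytes) -> dict:
    """Extract the quoted original packet from an ICMPv4 type 3 message.
    `frame` starts at the outer IPv4 header; checksums are not verified."""
    outer_ihl = (frame[0] & 0x0F) * 4
    icmp = frame[outer_ihl:]
    if icmp[0] != 3:
        raise ValueError(f"not an ICMP destination unreachable (type {icmp[0]})")
    inner = icmp[8:]                        # skip the 8-byte ICMP header
    inner_ihl = (inner[0] & 0x0F) * 4
    l4 = inner[inner_ihl:inner_ihl + 8]     # RFC 792: first 8 bytes of original L4 header
    sport, dport = struct.unpack("!HH", l4[:4]) if len(l4) >= 4 else (None, None)
    return {"code": icmp[1], "ttl": inner[8], "proto": inner[9],
            "src": str(IPv4Address(inner[12:16])), "dst": str(IPv4Address(inner[16:20])),
            "sport": sport, "dport": dport}


def estimate_hops(ttl: int) -> int:
    """Rough distance from the spoofing host to the victim that sent the ICMP."""
    return min(t for t in INITIAL_TTLS if t >= ttl) - ttl


def summarize(ttls) -> dict:
    """A tight TTL cluster suggests one or few spoofers; a wide spread suggests
    many bots. The spread threshold of 3 is an assumption, not a standard."""
    spread = max(ttls) - min(ttls)
    return {"distinct_ttls": len(Counter(ttls)), "spread": spread,
            "hops": sorted({estimate_hops(t) for t in ttls}),
            "verdict": "few sources" if spread <= 3 else "many sources"}


def build_sample(inner_ttl: int, sport: int) -> bytes:
    """Constructed sample: ICMP port unreachable from 198.51.100.5 quoting a
    SYN forged with source 192.0.2.10 (documentation addresses, checksums zero)."""
    victim, spoofed = IPv4Address("198.51.100.5").packed, IPv4Address("192.0.2.10").packed
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000,
                           inner_ttl, 6, 0, spoofed, victim)
    inner_tcp = struct.pack("!HHI", sport, 80, 1000)        # ports + sequence number
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + inner_tcp
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0,
                           64, 1, 0, victim, spoofed)
    return outer_ip + icmp
```

Feed `parse_icmp_unreachable` the raw frames captured at your edge and pass the collected `ttl` values to `summarize`; the `src` field shows which of your addresses is being forged and `dst` which victim is replying.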
