backtracking forged packets?

William Herrin bill at herrin.us
Sat Mar 14 15:46:06 UTC 2020


On Sat, Mar 14, 2020 at 4:02 AM Jean | ddostest.me via NANOG
<nanog at nanog.org> wrote:
> can you post some forged packets please? You can send them offlist if
> you prefer.

Hi Jean,

Here are a couple of examples (PDT this morning):

08:22:43.413250 IP (tos 0x0, ttl 55, id 10108, offset 0, flags [none], proto ICMP (1), length 56)
    45.89.93.26 > 199.33.225.218: ICMP host 45.89.93.26 unreachable - admin prohibited filter, length 36
        IP (tos 0x0, ttl 69, id 10108, offset 0, flags [DF], proto TCP (6), length 40)
    199.33.225.218.9851 > 45.89.93.26.443: [|tcp]
        0x0000:  4500 0038 277c 0000 3701 28da 2d59 5d1a
        0x0010:  c721 e1da 030d 4b61 0000 0000 4500 0028
        0x0020:  277c 4000 4506 dae4 c721 e1da 2d59 5d1a
        0x0030:  267b 01bb a057 e903

08:25:47.787326 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 44)
    104.87.78.95.80 > 199.33.225.143.8667: Flags [S.], cksum 0xc97a (correct), seq 1216155085, ack 11765035, win 29200, options [mss 1156], length 0
        0x0000:  4500 002c 0000 4000 3606 e564 6857 4e5f
        0x0010:  c721 e18f 0050 21db 487d 0dcd 00b3 852b
        0x0020:  6012 7210 c97a 0000 0204 0484

I have observed no consistency in the remote IP addresses. I receive
no more than a few of each and they don't line up with particular
networks. Remote ports are heavily 80, 443, 22, 25, etc. but a
smattering of less common ports too. I'm not seeing any RSTs at all
nor any port-unreachables. Lots of syn/acks and a few time exceeded
and host unreachables. I don't know what to make of that.


On Sat, Mar 14, 2020 at 1:46 AM Andrew Smith
<andrew.william.smith at gmail.com> wrote:
> Look inside the ICMP Unreachable backscatter at the truncated original packet that caused the unreachable message.

Clever! I wouldn't have thought of that. Unfortunately, as in the
example above, the TTLs in the packets encapsulated in ICMP are not
especially close to one of the common boundaries.

Regards,
Bill Herrin

--
William Herrin
bill at herrin.us
https://bill.herrin.us/
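
A small decoder for the two hex dumps above, as an added example that is not part of Bill's post or of the thread. It does what Andrew suggested: decode the outer IPv4 header, and for ICMP unreachable / time exceeded messages decode the quoted original packet so the inner TTL (the spoofer's initial TTL minus the hops from the spoofer to the reflecting host) can be read against the usual initial values. The candidate initial TTLs 64, 128 and 255 are an assumption of this example, as are the function names; the byte strings are the dumps from the post, copied verbatim.

```python
"""Decode tcpdump -x hex dumps of backscatter packets and read their TTLs.

Added example, not from the original post.  Inputs are the two hex dumps
posted above; INITIAL_TTLS is the usual set of OS defaults (an assumption).
"""
import socket
import struct

# Hex dumps copied from the post (tcpdump -x output).
ICMP_DUMP = """
0x0000:  4500 0038 277c 0000 3701 28da 2d59 5d1a
0x0010:  c721 e1da 030d 4b61 0000 0000 4500 0028
0x0020:  277c 4000 4506 dae4 c721 e1da 2d59 5d1a
0x0030:  267b 01bb a057 e903
"""
SYNACK_DUMP = """
0x0000:  4500 002c 0000 4000 3606 e564 6857 4e5f
0x0010:  c721 e18f 0050 21db 487d 0dcd 00b3 852b
0x0020:  6012 7210 c97a 0000 0204 0484
"""

# Common initial TTL values (assumption): Linux/BSD 64, Windows 128, Cisco/Solaris 255.
INITIAL_TTLS = (64, 128, 255)


def parse_hexdump(text):
    """Turn tcpdump -x lines ('0x0010:  c721 e1da ...') into raw bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        _, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)


def ipv4_header(buf):
    """Decode the fixed part of an IPv4 header; returns (fields, header length)."""
    ver_ihl, _tos, total_len, ident, frag, ttl, proto, _cksum = struct.unpack(
        "!BBHHHBBH", buf[:12])
    return {
        "ttl": ttl, "proto": proto, "id": ident, "len": total_len,
        "df": bool(frag & 0x4000),
        "src": socket.inet_ntoa(buf[12:16]), "dst": socket.inet_ntoa(buf[16:20]),
    }, (ver_ihl & 0x0F) * 4


def hop_estimates(ttl):
    """Plausible (initial_ttl, hops) pairs: only initial values >= the observed TTL."""
    return [(init, init - ttl) for init in INITIAL_TTLS if init >= ttl]


def classify(buf):
    """Describe one captured packet as ICMP or TCP backscatter."""
    ip, ihl = ipv4_header(buf)
    payload = buf[ihl:ip["len"]]
    rec = {"outer": ip, "outer_hops": hop_estimates(ip["ttl"]), "kind": "other"}
    if ip["proto"] == 1:  # ICMP
        itype, icode = payload[0], payload[1]
        rec.update(kind="icmp", icmp=(itype, icode))
        if itype in (3, 11):  # unreachable / time exceeded quote the original packet
            inner, iihl = ipv4_header(payload[8:])
            inner_l4 = payload[8 + iihl:]
            if inner["proto"] == 6 and len(inner_l4) >= 4:  # tcpdump kept 8 bytes of TCP
                inner["sport"], inner["dport"] = struct.unpack("!HH", inner_l4[:4])
            # inner TTL = spoofer's initial TTL minus hops spoofer -> reflector
            rec.update(inner=inner, inner_hops=hop_estimates(inner["ttl"]))
    elif ip["proto"] == 6:  # TCP
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", payload[:14])
        flags = off_flags & 0x1FF
        rec.update(kind="tcp", tcp={
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(flags & 0x02), "ack_flag": bool(flags & 0x10),
            "rst": bool(flags & 0x04),
        })
    return rec


if __name__ == "__main__":
    for name, dump in (("ICMP", ICMP_DUMP), ("SYN/ACK", SYNACK_DUMP)):
        print(name, classify(parse_hexdump(dump)))
```

For the posted ICMP packet the decoder reports an inner TTL of 69, which rules out an initial value of 64 and leaves 59 hops from 128 or 186 from 255, consistent with Bill's remark that the quoted TTLs do not sit near a common boundary. The outer TTL is still useful on its own: it is the distance from the reflecting host to you, so comparing it with the inner TTL separates the spoofer-to-reflector leg from the reflector-to-you leg.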
