backtracking forged packets?

William Herrin bill at herrin.us
Sun Mar 15 16:50:18 UTC 2020


On Sun, Mar 15, 2020 at 9:07 AM Amir Herzberg <amir.lists at gmail.com> wrote:
> Not sending RST could even result in you receiving ICMP unreachable - esp. indicating filtering as you received - since server admins may have installed a filter against your prefix (to deal with such abuse). So, I wonder, is it possible that your network/FW/provider already filters the RST responses so they don't reach the (victim) servers?

Hi Amir,

To be clear: the majority of the addresses at my end are not
associated with live hosts. There's nothing there to respond.

My surprise about the lack of RSTs is the lack of RSTs from the remote
servers back to the addresses which have been spoofed. If the attacker
was hitting random ports on those hosts, I'd expect to see some RSTs.

If you happen to have decent netflow, try looking for packets sourced
from 199.33.224.0/24. You'll find a legitimate route in your tables
ending at AS11875 but today, at least, there are no legitimate packets
sourced from that address block.

Regards,
Bill


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
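The check Bill suggests above (look in your flow data for packets sourced from 199.33.224.0/24, and see whether any RSTs come back toward those addresses) as an added example; this is not code from the post or from any NANOG participant. It assumes a simplified comma-separated flow layout with constructed sample records, so a real deployment would replace parse_flows with a reader for whatever your collector exports.

```python
import ipaddress
from collections import Counter

# The prefix the post names as carrying no legitimate traffic today.
SPOOFED_PREFIX = ipaddress.ip_network("199.33.224.0/24")

# Constructed sample flow records (not a real netflow export) in a simplified
# comma-separated layout: src_ip,src_port,dst_ip,dst_port,proto,tcp_flags,packets
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# remote servers.
SAMPLE_FLOWS = """\
199.33.224.17,44123,203.0.113.10,80,TCP,....S.,1
199.33.224.99,50210,203.0.113.10,443,TCP,....S.,1
203.0.113.10,80,199.33.224.17,44123,TCP,...R..,1
198.51.100.5,33000,203.0.113.10,80,TCP,.A..S.,3
199.33.224.3,0,203.0.113.7,0,ICMP,......,1
"""


def parse_flows(text):
    """Parse the simplified flow layout into a list of dicts (hypothetical format)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, flags, pkts = line.split(",")
        flows.append({
            "src": ipaddress.ip_address(src),
            "sport": int(sport),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto,
            "flags": flags,
            "packets": int(pkts),
        })
    return flows


def flows_sourced_from(flows, prefix):
    """Flows whose source address lies inside prefix: the spoofed-source check."""
    return [f for f in flows if f["src"] in prefix]


def rst_replies_to(flows, prefix):
    """TCP flows carrying RST back toward addresses inside prefix."""
    return [f for f in flows
            if f["proto"] == "TCP" and f["dst"] in prefix and "R" in f["flags"]]


def summarize(text, prefix=SPOOFED_PREFIX):
    """Count spoofed-source flows/packets, the RSTs returned, and the targets hit."""
    flows = parse_flows(text)
    spoofed = flows_sourced_from(flows, prefix)
    rsts = rst_replies_to(flows, prefix)
    targets = Counter(str(f["dst"]) for f in spoofed)
    return {
        "spoofed_flows": len(spoofed),
        "spoofed_packets": sum(f["packets"] for f in spoofed),
        "rst_replies": len(rsts),
        "targets": dict(targets),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

On the constructed sample the summary reports three flows sourced from the prefix against two remote servers, with one RST coming back; a large spoofed-flow count with zero RST replies is the pattern the thread is puzzling over, and the per-target counter tells you which servers (or their upstream filters) to ask about.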


