nanog mailing list archives
Re: Purpose of spoofed packets ???
From: Steve Atkins <steve () blighty com>
Date: Tue, 10 Mar 2015 18:15:04 -0700
On Mar 10, 2015, at 4:40 PM, Matthew Huff <mhuff () ox com> wrote:
We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring, so unless something very tricky is going on, we don't have part of our prefix hijacked. I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives? BTW, we are in the ARIN region, the report came out of the RIPE region.
Either the reporter doesn't know what they're talking about (common enough) or someone is scanning for open ssh ports, hiding their real IP address by burying it in a host of faked source addresses. That's a standard option on some of the stealthier port scanners, IIRC.

Cheers,
Steve
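An added example, not part of the original post: a receiver-side check that flags near-simultaneous SSH probes from many source addresses before any abuse reports are sent, since most of those sources may be forged. The log tuple layout, the thresholds and the same-TTL heuristic (packets forged by one host usually travel one path and arrive with one TTL, though a scanner can vary it) are assumptions.

```python
from collections import defaultdict

# Constructed sample: (epoch seconds, src IP, dst IP, dst port, observed TTL).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_SYNS = [
    (1000.00, "192.0.2.10", "203.0.113.5", 22, 49),
    (1000.01, "198.51.100.7", "203.0.113.5", 22, 49),
    (1000.01, "192.0.2.200", "203.0.113.5", 22, 49),
    (1000.02, "198.51.100.99", "203.0.113.5", 22, 49),
    (1000.02, "192.0.2.77", "203.0.113.5", 22, 49),
    (1300.00, "198.51.100.20", "203.0.113.5", 22, 52),
    (1900.00, "192.0.2.33", "203.0.113.5", 22, 113),
]

def find_decoy_bursts(events, window=1.0, min_sources=4):
    """Return bursts where many sources hit one dst:port at once with one TTL."""
    by_target = defaultdict(list)
    for ts, src, dst, port, ttl in events:
        by_target[(dst, port)].append((ts, src, ttl))
    bursts = []
    for (dst, port), hits in by_target.items():
        hits.sort()
        i = 0
        while i < len(hits):
            j = i
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            group = hits[i:j]
            sources = sorted({src for _, src, _ in group})
            ttls = {ttl for _, _, ttl in group}
            # Heuristic (assumption): distinct sources, same instant, same TTL.
            if len(sources) >= min_sources and len(ttls) == 1:
                bursts.append({"dst": dst, "port": port, "start": group[0][0],
                               "sources": sources, "ttl": ttls.pop()})
                i = j
            else:
                i += 1
    return bursts

def reportable_sources(events, **kw):
    """Sources seen outside any suspected burst; the rest need corroboration."""
    suspect = {s for b in find_decoy_bursts(events, **kw) for s in b["sources"]}
    return sorted({src for _, src, *_ in events} - suspect)

if __name__ == "__main__":
    for b in find_decoy_bursts(SAMPLE_SYNS):
        print(f"{b['dst']}:{b['port']} t={b['start']} ttl={b['ttl']}: "
              f"{len(b['sources'])} sources, any of which may be forged")
    print("not in a burst:", reportable_sources(SAMPLE_SYNS))
```

A flagged burst does not identify which source, if any, is genuine; it only marks those addresses as unreliable grounds for an abuse report.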