Re: Purpose of spoofed packets ???

[Laszlo Hanyecz <laszlo () heliacal net>]

Is it possible that they are getting return traffic and it's just a localized activity?  The attacker could announce 
that prefix directly to the target network in an IXP peering session (maybe with no-export) so that it wouldn't set off 
your bgpmon.  I guess that would make more sense if they were doing email spamming instead of ssh though.

-Laszlo

On Mar 10, 2015, at 11:51 PM, "Roland Dobbins" <rdobbins () arbor net> wrote:

> On 11 Mar 2015, at 6:40, Matthew Huff wrote:
>
> > I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report 
> > didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS 
> > fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so 
> > what gives?
>
> Highly-distributed, pseudo-randomly spoofed SYN-flood happened to momentarily use one of your addresses as a source.  
> pps/source will be relatively low, whilst aggregate at the target will be relatively high.
>
> Another very real possibility is that the person or thing which sent you the abuse email doesn't know what he's/it's 
> talking about.
>
> ;>
>
> -----------------------------------
> Roland Dobbins <rdobbins () arbor net>