nanog mailing list archives

Re: Purpose of spoofed packets ???


From: Matthew Huff <mhuff () ox com>
Date: Wed, 11 Mar 2015 00:16:00 +0000

Another very real possibility is that the person or thing which sent you
the abuse email doesn't know what he's/it's talking about.

Was my first thought, but wanted to run this by everyone in case I was
missing something obvious.




On 3/10/15, 7:51 PM, "Roland Dobbins" <rdobbins () arbor net> wrote:


On 11 Mar 2015, at 6:40, Matthew Huff wrote:

I assume the source address was spoofed, but this leads to my
question. Since the person that submitted the report didn't mention a
high packet rate (it was on ssh port 22), it doesn't look like some
sort of SYN attack, but any OS fingerprinting or doorknob twisting
wouldn't be useful from the attacker if the traffic doesn't return to
them, so what gives?

Highly-distributed, pseudo-randomly spoofed SYN-flood happened to
momentarily use one of your addresses as a source.  pps/source will be
relatively low, whilst aggregate at the target will be relatively high.

Another very real possibility is that the person or thing which sent you
the abuse email doesn't know what he's/it's talking about.

;>

-----------------------------------
Roland Dobbins <rdobbins () arbor net>
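
The pattern described above (low pps per source, high aggregate at the target), as an added example that is not part of the original thread: a target-side summary over constructed flow records showing why a single reported source address says little on its own. The thresholds, record format, addresses and function names are assumptions made for illustration.

```python
import random
from collections import Counter

# Thresholds are illustrative assumptions, not values from the thread.
AGG_PPS_HIGH = 1000     # aggregate SYN rate at the target treated as "high"
SRC_PPS_LOW = 5         # per-source SYN rate treated as "low"
UNFINISHED_MIN = 0.95   # share of sources that never complete a handshake

def summarize(records, window_s):
    """records: (src_ip, flag) seen at the target; 'S' = SYN, 'A' = handshake-completing ACK."""
    syns = Counter(src for src, flag in records if flag == "S")
    completed = {src for src, flag in records if flag == "A"}
    if not syns:
        return {"agg_pps": 0.0, "sources": 0, "max_src_pps": 0.0, "unfinished": 0.0}
    unfinished = sum(1 for src in syns if src not in completed) / len(syns)
    return {
        "agg_pps": sum(syns.values()) / window_s,      # what the target experiences
        "sources": len(syns),                          # distinct claimed source addresses
        "max_src_pps": max(syns.values()) / window_s,  # busiest single "source"
        "unfinished": unfinished,                      # sources that never sent the final ACK
    }

def classify(stats):
    """Label a window; a flood label means per-source abuse reports are unreliable."""
    if (stats["agg_pps"] >= AGG_PPS_HIGH and stats["max_src_pps"] <= SRC_PPS_LOW
            and stats["unfinished"] >= UNFINISHED_MIN):
        return "spoofed-distributed-syn-flood"
    if 0 < stats["sources"] <= 3 and stats["unfinished"] >= UNFINISHED_MIN:
        return "few-source-syn-activity"
    return "unclassified"

def constructed_flood(n_sources=5000, seed=1):
    """Constructed sample: one SYN per pseudo-random source, no ACKs, plus one real client."""
    rng = random.Random(seed)
    srcs = set()
    while len(srcs) < n_sources:
        srcs.add("198.18.%d.%d" % (rng.randrange(256), rng.randrange(256)))
    flood = [(s, "S") for s in sorted(srcs)]
    return flood + [("192.0.2.10", "S"), ("192.0.2.10", "A")]

if __name__ == "__main__":
    stats = summarize(constructed_flood(), window_s=1.0)
    print(stats, classify(stats))
```

In the constructed window every claimed source sends a single SYN, so a report against any one of those addresses shows only a trickle on port 22 even though the target sees thousands of SYNs per second.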

