RE: Purpose of spoofed packets ???

["Darden, Patrick" <Patrick.Darden () p66 com>]

One more outré purpose for spoofing SIPs is to have you blacklist/nullroute someone, effectively enlisting you to cause 
a DOS.

--p

-----Original Message-----
From: NANOG [mailto:nanog-bounces+patrick.darden=p66.com () nanog org] On Behalf Of Matthew Huff
Sent: Tuesday, March 10, 2015 6:41 PM
To: nanog () nanog org
Subject: [EXTERNAL]Purpose of spoofed packets ???

We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our 
networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring, so 
unless something very tricky is going on, we don't have part of our prefix hijacked.

I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report 
didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS 
fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what 
gives?

BTW, we are in the ARIN region, the report came out of the RIPE region.


----
Matthew Huff             | 1 Manhattanville Rd Director of Operations   | Purchase, NY 10577 OTA Management LLC       | 
Phone: 914-460-4039
aim: matthewbhuff        | Fax:   914-694-5669