nanog mailing list archives
Re: backtracking forged packets?
From: Blake Hudson <blake () ispn net>
Date: Sat, 14 Mar 2020 09:51:29 -0500
It's not complete, but if you're receiving the ICMP net/port unreachable backscatter, it should include a portion of the original packet. This might provide some insight into the TTL left on the TCP packet when it reached its destination, which could provide a rough radius that you would need to look at. Also, if the TTL is constant it would support the idea that one or a few hosts are spoofing your address block, but if the TTL varies widely it might indicate that many bots are spoofing your address block.
You might check looking glass tools or something like https://radar.qrator.net to see if someone is not only spoofing your address range, but has gone farther and has hijacked it.
Good luck,
--B

On 3/14/2020 1:23 AM, William Herrin wrote:
Howdy,

Can anyone suggest tools, techniques and helpful contacts for backtracking spoofed packets? At the moment someone is forging TCP SYNs from my address block. I'm getting the SYN/ACK and ICMP unreachable backscatter. Enough that my service provider briefly classified it a DDoS. I'd love to find the culprit.

Thanks,
Bill Herrin
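The TTL-based triage Blake describes, worked through as an added example (this is not code from either poster). It builds a few constructed ICMP type 3 (unreachable) datagrams of the kind a remote router or host sends back to the spoofed source, pulls the quoted inner IP header out of each, reads the TTL the forged SYN had when it arrived, and then groups TTLs per reporting address: one spoofer should produce a constant TTL at any given reporter, while a botnet produces a wide spread. The victim prefix (192.0.2.0/24), the reporter and target addresses, the candidate initial TTLs (64/128/255) and the spread threshold are all assumptions chosen for the demonstration.

```python
import ipaddress
import struct
from collections import Counter

# Assumed victim block (TEST-NET-1); replace with the prefix being spoofed.
OUR_PREFIX = ipaddress.ip_network("192.0.2.0/24")
# Common OS default initial TTLs; an assumption used only to turn a remaining
# TTL into a rough hop count (the "radius" mentioned in the post).
INITIAL_TTLS = (64, 128, 255)


def _ipv4_header(src, dst, proto, ttl, total_len):
    # Minimal 20-byte IPv4 header; checksum left zero, the parser ignores it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def make_backscatter(reporter, spoofed_src, target, ttl, sport=443, dport=80):
    """Constructed sample: an ICMP type 3 code 1 (host unreachable) datagram
    sent by `reporter` back to the spoofed source, quoting the forged SYN's
    IP header plus the first 8 bytes of its TCP header."""
    quoted_tcp = struct.pack("!HHI", sport, dport, 0)        # ports + sequence number
    inner = _ipv4_header(spoofed_src, target, 6, ttl, 40) + quoted_tcp
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + inner          # type, code, cksum, unused
    return _ipv4_header(reporter, spoofed_src, 1, 250, 20 + len(icmp)) + icmp


def parse_backscatter(pkt):
    """Return the quoted inner-header fields of an ICMP unreachable, or None
    if the datagram is not ICMP type 3 or is too short to carry the quote."""
    if len(pkt) < 20 or pkt[9] != 1:                         # protocol 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20 or icmp[0] != 3:                   # need 8-byte ICMP hdr + inner IP hdr
        return None
    inner = icmp[8:]
    inner_ihl = (inner[0] & 0x0F) * 4
    ports = None
    if inner[9] == 6 and len(inner) >= inner_ihl + 4:        # TCP: src/dst port are the first 4 bytes
        ports = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "reporter": ipaddress.ip_address(pkt[12:16]),        # who sent the unreachable
        "spoofed_src": ipaddress.ip_address(inner[12:16]),   # the forged source (our block)
        "target": ipaddress.ip_address(inner[16:20]),        # where the SYN was aimed
        "ttl": inner[8],                                     # TTL left when the SYN arrived
        "proto": inner[9],
        "ports": ports,
    }


def estimate_hops(ttl):
    """Rough hops from spoofer to reporter, assuming the nearest common initial TTL."""
    start = min(t for t in INITIAL_TTLS if t >= ttl)
    return start - ttl


def summarize(pkts, prefix=OUR_PREFIX, max_spread=2):
    """Group quoted TTLs per reporter. A single spoofer sits at one distance from
    any given reporter, so its TTL there is constant; a wide per-reporter spread
    points at many sources. `max_spread` is an assumed tolerance."""
    per_reporter = {}
    for p in pkts:
        r = parse_backscatter(p)
        if r is None or r["spoofed_src"] not in prefix:      # only backscatter for our block
            continue
        per_reporter.setdefault(str(r["reporter"]), Counter())[r["ttl"]] += 1
    if not per_reporter:
        return {"samples": 0, "reporters": 0, "verdict": "no usable backscatter"}
    samples = sum(sum(c.values()) for c in per_reporter.values())
    spreads = {rep: max(c) - min(c) for rep, c in per_reporter.items()}
    hops = {rep: sorted({estimate_hops(t) for t in c}) for rep, c in per_reporter.items()}
    wide = [rep for rep, s in spreads.items() if s > max_spread]
    return {
        "samples": samples,
        "reporters": len(per_reporter),
        "ttl_spread_per_reporter": spreads,
        "hop_estimates": hops,
        "verdict": "many sources" if wide else "one or few sources",
    }


def demo():
    """Two constructed captures: one spoofer versus a botnet."""
    single = [
        make_backscatter("198.51.100.1", "192.0.2.10", "203.0.113.5", 52),
        make_backscatter("198.51.100.1", "192.0.2.11", "203.0.113.5", 52),
        make_backscatter("198.51.100.9", "192.0.2.12", "203.0.113.7", 50),
        make_backscatter("198.51.100.9", "10.9.9.9", "203.0.113.7", 30),   # not our block, ignored
    ]
    botnet = [
        make_backscatter("198.51.100.1", "192.0.2.10", "203.0.113.5", 52),
        make_backscatter("198.51.100.1", "192.0.2.10", "203.0.113.5", 119),
        make_backscatter("198.51.100.1", "192.0.2.10", "203.0.113.5", 240),
    ]
    return summarize(single), summarize(botnet)


if __name__ == "__main__":
    for label, result in zip(("single spoofer", "botnet"), demo()):
        print(label, "->", result)
```

The caveat from the post still applies: the quoted TTL is a rough radius, not a location. Some routers decrement TTL before quoting, the initial-TTL guess can be wrong for unusual stacks, and a single spoofer will legitimately show different TTLs at different reporters, which is why the spread is judged per reporter rather than across the whole capture.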