nanog mailing list archives

Re: backtracking forged packets?


From: Charles Polisher via NANOG <nanog () nanog org>
Date: Mon, 16 Mar 2020 19:18:33 -0700

On 2020-03-13 23:23, William Herrin wrote:
> Can anyone suggest tools, techniques and helpful contacts for
> backtracking spoofed packets? At the moment someone is forging TCP
> syns from my address block. I'm getting the syn/ack and icmp
> unreachable backscatter. Enough that my service provider briefly
> classified it a DDOS. I'd love to find the culprit.

FWIW, Bellovin et al. proposed an ICMP traceback mechanism in 2001
( https://tools.ietf.org/html/draft-ietf-itrace-04 ), but it seems
not to have progressed. Abstract:

     It is often useful to learn the path that packets take through the
     Internet, especially when dealing with certain denial-of-service
     attacks. We propose a new ICMP message, emitted randomly by routers
     along the path and sent randomly to the destination (to provide
     useful information to the attacked party) or to the origin (to
     provide information to decipher reflector attacks).

-- 
Chuck Polisher
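The abstract above is compact, so here is an added simulation of the iTrace idea it describes (example code written for this page, not code from the draft or from anyone in the thread). Routers along a path emit a traceback message for a small random fraction of forwarded packets, addressed either to the packet's destination or to its header source, and whichever end collects the messages chains them back along the path. Every name, address and probability in it is constructed: the topology (ENTRY, R1..R3, the target address), the forged source 198.51.100.7, and the per-packet emission probability p_emit. Messages carry simplified stand-ins for the draft's back-link and forward-link fields. The point worth seeing is the last function: even at a tiny emission probability a sustained flood delivers enough messages to recover the whole path, and, because messages are also sent to the (forged) origin, the owner of the spoofed block in the situation described in the quoted question would receive them too.

```python
"""Simulation of the ICMP traceback (iTrace) scheme sketched in
draft-ietf-itrace-04. Added example, not code from the draft or the thread;
names, addresses and the emission probability are constructed."""
import math
import random

# Constructed topology. Forged packets carry SPOOFED_SRC as header source,
# really enter the traced network at ENTRY, and cross R1..R3 toward TARGET.
SPOOFED_SRC = "198.51.100.7"      # forged header source (the draft's "origin")
ENTRY = "cust-edge-A"             # real ingress link: what a traceback should expose
PATH = [ENTRY, "R1", "R2", "R3", "203.0.113.80"]
TARGET = PATH[-1]


def emit_traceback(path, header_src, n_packets, p_emit, rng):
    """Forward n_packets along path; each router independently emits an
    iTrace message per packet with probability p_emit.

    A message names the emitting router and its neighbours on the path
    (simplified back-link / forward-link) and, as the abstract says, goes
    at random either to the packet's destination or to its header source.
    """
    messages = []
    for _ in range(n_packets):
        for i in range(1, len(path) - 1):       # interior nodes are routers
            if rng.random() < p_emit:
                messages.append({
                    "router": path[i],
                    "upstream": path[i - 1],
                    "downstream": path[i + 1],
                    "sent_to": rng.choice((header_src, path[-1])),
                })
    return messages


def received_by(messages, addr):
    """Messages that arrive at addr: the attacked host sees those sent to the
    destination, the owner of the forged block those sent to the origin."""
    return [m for m in messages if m["sent_to"] == addr]


def assemble_path(received):
    """Order the routers named in a collector's messages, entry side first.

    Returns (routers, entry); entry is the back-link of the first router,
    i.e. where the spoofed flow entered the traced network. With gaps in
    the message set, the longest contiguous segment is returned.
    """
    by_router = {m["router"]: m for m in received}
    best = ([], None)
    for m in by_router.values():
        if m["downstream"] in by_router:        # not the tail of a segment
            continue
        chain, entry, cur = [], None, m
        while cur is not None:
            chain.append(cur["router"])
            entry = cur["upstream"]
            cur = by_router.get(entry)           # follow the back-link
        chain.reverse()
        if len(chain) > len(best[0]):
            best = (chain, entry)
    return best


def packets_for_full_path(n_routers, p_emit, confidence=0.99):
    """Packet count after which every one of n_routers routers has emitted at
    least one message with probability >= confidence. Emissions are counted
    regardless of direction, so an end that only sees the half addressed to
    it needs roughly twice this many."""
    per_router = confidence ** (1.0 / n_routers)
    return math.ceil(math.log(1.0 - per_router) / math.log(1.0 - p_emit))


def simulate(n_packets, p_emit, seed=2020):
    """Run one reproducible flood over the constructed topology."""
    rng = random.Random(seed)
    return emit_traceback(PATH, SPOOFED_SRC, n_packets, p_emit, rng)


if __name__ == "__main__":
    msgs = simulate(5000, 0.01)
    print("target side:", assemble_path(received_by(msgs, TARGET)))
    print("forged-origin side:", assemble_path(received_by(msgs, SPOOFED_SRC)))
    print("packets for 99% full-path coverage at p=1e-4:",
          packets_for_full_path(3, 1e-4))
```

The value returned as `entry` is the upstream link of the router nearest the attacker, not the forged source address in the packet headers; that is the piece of information a backscatter-only view (SYN/ACKs and ICMP unreachables arriving at the spoofed block) cannot provide, since backscatter identifies the targets of the forged SYNs rather than where they were injected.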
