[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Purpose of spoofed packets ???

Subject: Purpose of spoofed packets ???
From: rdobbins at arbor.net (Roland Dobbins)
Date: Wed, 11 Mar 2015 06:51:23 +0700
In-reply-to: <[email protected]>
References: <[email protected]>

On 11 Mar 2015, at 6:40, Matthew Huff wrote:

> I assume the source address was spoofed, but this leads to my 
> question. Since the person that submitted the report didn't mention a 
> high packet rate (it was on ssh port 22), it doesn't look like some 
> sort of SYN attack, but any OS fingerprinting or doorknob twisting 
> wouldn't be useful from the attacker if the traffic doesn't return to 
> them, so what gives?

Highly-distributed, pseudo-randomly spoofed SYN-flood happened to 
momentarily use one of your addresses as a source.  pps/source will be 
relatively low, whilst aggregate at the target will be relatively high.

Another very real possibility is that the person or thing which sent you 
the abuse email doesn't know what he's/it's talking about.

;>

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>

Follow-Ups:
- Purpose of spoofed packets ???
  - From: laszlo at heliacal.net (Laszlo Hanyecz)
- Purpose of spoofed packets ???
  - From: mhuff at ox.com (Matthew Huff)

References:
- Purpose of spoofed packets ???
  - From: mhuff at ox.com (Matthew Huff)

Prev by Date: Purpose of spoofed packets ???
Next by Date: Purpose of spoofed packets ???
Previous by thread: Purpose of spoofed packets ???
Next by thread: Purpose of spoofed packets ???
Index(es):
- Date
- Thread