On Jan 28, 2020, at 07:39, Mike Hammett <nanog@ics-il.net> wrote: If someone is being spoofed, they aren't receiving the spoofed packets. How are they supposed to collect anything on the attack? OP stated that *his own network* was being packeted with a TCP reflection/amplification attack. This means that if he's collecting flow telemetry from his edge routers, he sees the details of the resultant attack traffic, & since that attack traffic isn't spoofed from his perspective, he can ask the networks on which the abused reflectors/amplifiers reside, & their peers/transits he can infer, to perform traceback, & work it network-by-network. And even if his network weren't on the receiving end of a reflection/amplification attack, OP could still see backscatter, as Jared indicated. Instrumenting one's network in order to achieve visibility into one's traffic is quite beneficial. It's easy & inexpensive to get started with open-source tools. -------------------------------------------- Roland Dobbins <roland.dobbins@netscout.com>