On 2020-03-13 23:23, William Herrin wrote:
Can anyone suggest tools, techniques and helpful contacts for backtracking spoofed packets? At the moment someone is forging TCP syns from my address block. I'm getting the syn/ack and icmp unreachable backscatter. Enough that my service provider briefly classified it a DDOS. I'd love to find the culprit.
FWIW, Bellovin et al proposed an ICMP traceback mechanism in 2001 ( https://tools.ietf.org/html/draft-ietf-itrace-04 ), but it seems not to have progressed. Abstract: It is often useful to learn the path that packets take through the Internet, especially when dealing with certain denial-of-service attacks. We propose a new ICMP message, emitted randomly by routers along the path and sent randomly to the destination (to provide useful information to the attacked party) or to the origin (to provide information to decipher reflector attacks). -- Chuck Polisher