Purpose of spoofed packets ???
We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring, so unless something very tricky is going on, we don't have part of our prefix hijacked. I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives? BTW, we are in the ARIN region, the report came out of the RIPE region. ---- Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-694-5669
On 11 Mar 2015, at 6:40, Matthew Huff wrote:
I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives?
Highly-distributed, pseudo-randomly spoofed SYN-flood happened to momentarily use one of your addresses as a source. pps/source will be relatively low, whilst aggregate at the target will be relatively high. Another very real possibility is that the person or thing which sent you the abuse email doesn't know what he's/it's talking about. ;> ----------------------------------- Roland Dobbins <rdobbins@arbor.net>
Is it possible that they are getting return traffic and it's just a localized activity? The attacker could announce that prefix directly to the target network in an IXP peering session (maybe with no-export) so that it wouldn't set off your bgpmon. I guess that would make more sense if they were doing email spamming instead of ssh though. -Laszlo On Mar 10, 2015, at 11:51 PM, "Roland Dobbins" <rdobbins@arbor.net> wrote:
On 11 Mar 2015, at 6:40, Matthew Huff wrote:
I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives?
Highly-distributed, pseudo-randomly spoofed SYN-flood happened to momentarily use one of your addresses as a source. pps/source will be relatively low, whilst aggregate at the target will be relatively high.
Another very real possibility is that the person or thing which sent you the abuse email doesn't know what he's/it's talking about.
;>
----------------------------------- Roland Dobbins <rdobbins@arbor.net>
Another very real possibility is that the person or thing which sent you the abuse email doesn't know what he's/it's talking about.
Was my first thought, but wanted to run this by everyone in case I was missing something obvious. On 3/10/15, 7:51 PM, "Roland Dobbins" <rdobbins@arbor.net> wrote:
On 11 Mar 2015, at 6:40, Matthew Huff wrote:
I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives?
Highly-distributed, pseudo-randomly spoofed SYN-flood happened to momentarily use one of your addresses as a source. pps/source will be relatively low, whilst aggregate at the target will be relatively high.
Another very real possibility is that the person or thing which sent you the abuse email doesn't know what he's/it's talking about.
;>
----------------------------------- Roland Dobbins <rdobbins@arbor.net>
Interesting... we had exactly the same an hour ago. That IP was definitely nullrouted for >1 week... Matthew Huff:
We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring, so unless something very tricky is going on, we don't have part of our prefix hijacked.
I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives?
BTW, we are in the ARIN region, the report came out of the RIPE region.
---- Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-694-5669
On Mar 10, 2015, at 4:40 PM, Matthew Huff <mhuff@ox.com> wrote:
We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring, so unless something very tricky is going on, we don't have part of our prefix hijacked.
I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives?
BTW, we are in the ARIN region, the report came out of the RIPE region.
Either the reporter doesn't know what they're talking about (common enough) or someone is scanning for open ssh ports, hiding their real IP address by burying it in a host of faked source addresses. That's a standard option on some of the stealthier port scanners, IIRC. Cheers, Steve
One more outré purpose for spoofing SIPs is to have you blacklist/nullroute someone, effectively enlisting you to cause a DOS. --p -----Original Message----- From: NANOG [mailto:nanog-bounces+patrick.darden=p66.com@nanog.org] On Behalf Of Matthew Huff Sent: Tuesday, March 10, 2015 6:41 PM To: nanog@nanog.org Subject: [EXTERNAL]Purpose of spoofed packets ??? We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring, so unless something very tricky is going on, we don't have part of our prefix hijacked. I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting or doorknob twisting wouldn't be useful from the attacker if the traffic doesn't return to them, so what gives? BTW, we are in the ARIN region, the report came out of the RIPE region. ---- Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-694-5669
participants (6)
-
Darden, Patrick
-
Fred Hollis
-
Laszlo Hanyecz
-
Matthew Huff
-
Roland Dobbins
-
Steve Atkins