nanog mailing list archives
Re: backtracking forged packets?
From: William Herrin <bill () herrin us>
Date: Sun, 15 Mar 2020 09:50:18 -0700
On Sun, Mar 15, 2020 at 9:07 AM Amir Herzberg <amir.lists () gmail com> wrote:
> Not sending RST could even result in you receiving ICMP unreachable - esp. indicating filtering as you received - since server admins may have installed a filter against your prefix (to deal with such abuse). So, I wonder, it is possible that your network/FW/provider already filter the RST responses so they don't reach the (victim) servers?

Hi Amir,

To be clear: the majority of the addresses at my end are not associated with live hosts. There's nothing there to respond. My surprise about the lack of RSTs is the lack of RSTs from the remote servers back to the addresses which have been spoofed. If the attacker was hitting random ports on those hosts, I'd expect to see some RSTs.

If you happen to have decent netflow, try looking for packets sourced from 199.33.224.0/24. You'll find a legitimate route in your tables ending at AS11875 but today, at least, there are no legitimate packets sourced from that address block.

Regards,
Bill

--
William Herrin
bill () herrin us
https://bill.herrin.us/
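Added example, not part of the original post: one way an operator could act on the netflow suggestion above is to total packets sourced from 199.33.224.0/24 per router and ingress interface, which shows where the forged traffic enters the network. The CSV column layout, router and interface names, and all sample records are constructed for illustration and do not correspond to any particular collector's export format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Prefix named in the post; per the post, no legitimate packets are sourced from it today.
SPOOFED = ipaddress.ip_network("199.33.224.0/24")

# Constructed flow records (assumed layout: one exported flow per row).
SAMPLE = """\
router,in_if,src,dst,proto,dport,flags,packets
edge1,transit-a,199.33.224.17,203.0.113.10,6,443,S,40
edge1,transit-a,199.33.224.200,203.0.113.11,6,80,S,25
edge2,peer-ix,199.33.224.5,203.0.113.10,6,22,S,10
edge2,peer-ix,198.51.100.7,203.0.113.10,6,443,SA,12
edge1,customer-7,199.33.225.1,203.0.113.10,6,443,S,99
edge2,transit-b,not-an-ip,203.0.113.10,6,443,S,1
"""

def ingress_summary(text, prefix=SPOOFED):
    """Return ([(router, in_if, packets, distinct_dsts), ...], skipped_rows).

    Rows are ranked by packet count so the busiest entry point comes first.
    Malformed rows are counted rather than silently dropped, since a noisy
    export can hide the traffic being hunted.
    """
    packets = defaultdict(int)
    dsts = defaultdict(set)
    skipped = 0
    for row in csv.DictReader(io.StringIO(text)):
        try:
            src = ipaddress.ip_address(row["src"])
            count = int(row["packets"])
        except (ValueError, TypeError, KeyError):
            skipped += 1
            continue
        if src in prefix:
            key = (row["router"], row["in_if"])
            packets[key] += count
            dsts[key].add(row["dst"])
    ranked = sorted(packets.items(), key=lambda kv: kv[1], reverse=True)
    return [(r, i, n, len(dsts[(r, i)])) for (r, i), n in ranked], skipped

if __name__ == "__main__":
    rows, skipped = ingress_summary(SAMPLE)
    for router, in_if, n, ndst in rows:
        print(f"{router} {in_if}: {n} packets to {ndst} destinations")
    print(f"skipped malformed rows: {skipped}")
```

An interface that faces a transit provider or peer and shows packets from this prefix is the hand-off point to take to that neighbor for the next hop of the trace.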