Re: backtracking forged packets?

[Amir Herzberg <amir.lists () gmail com>]

Bill said:

To be clear: the majority of the addresses at my end are not
> associated with live hosts. There's nothing there to respond.

I forgot to ask/mention , but that's actually a common scenario. Of course
in that case your router is _supposed_ to respond with ICMP host
unreachable which would have similar impact to RST (but I bet it doesn't -
which spec says to do it, many routers are not configured to do this). So
attackers may idd have identified your address block as a good set of IP
addresses to spoof when they attack different servers. It may help , if you
configure your router to send ICMP unreachable (or RST, but that may be
harder/less efficient, I think). Initially, this will cause the victim
servers to stop re-sending you the syn/ack, so you'll feel some relief, and
also you'll reduce the attack on these servers, which is A Good Deed.
Eventually, hopefully, this may cause attackers to remove your IP prefix
from their list of IP addresses which work well as spoofed source, but this
will probably take quite a while. Sorry...

> My surprise about the lack of RSTs is the lack of RSTs from the remote
> servers back to the addresses which have been spoofed. If the attacker
> was hitting random ports on those hosts, I'd expect to see some RSTs.

yes, but I bet attacker is not hitting random ports, attacker is hitting
real servers in TCP listen.

(sorry don't have time to netflow... have tons of work to do)

-- 
Amir Herzberg

Comcast professor of Security Innovations, University of Connecticut

Homepage: https://sites.google.com/site/amirherzberg/home

Foundations of Cyber-Security (part I: applied crypto, part II:
network-security):
https://www.researchgate.net/project/Foundations-of-Cyber-Security



On Sun, Mar 15, 2020 at 12:50 PM William Herrin <bill () herrin us> wrote:

> On Sun, Mar 15, 2020 at 9:07 AM Amir Herzberg <amir.lists () gmail com>
> wrote:
> > Not sending RST could even result in you receiving ICMP unreachable -
> esp. indicating filtering as you received - since server admins may have
> installed a filter against your prefix (to deal with such abuse). So, I
> wonder, it is possible that your network/FW/provider already filter the RST
> responses so they don't reach the (victim) servers?
>
> Hi Amir,
>
> To be clear: the majority of the addresses at my end are not
> associated with live hosts. There's nothing there to respond.
>
> My surprise about the lack of RSTs is the lack of RSTs from the remote
> servers back to the addresses which have been spoofed. If the attacker
> was hitting random ports on those hosts, I'd expect to see some RSTs.
>
> If you happen to have decent netflow, try looking for packets sourced
> from 199.33.224.0/24. You'll find a legitimate route in your tables
> ending at AS11875 but today, at least, there are no legitimate packets
> sourced from that address block.
>
> Regards,
> Bill
>
>
> --
> William Herrin
> bill () herrin us
> https://bill.herrin.us/