Normally that is an amplification attack, but the spoofed source address would be the victim and you would be the amplifier. They use some service like DNS or NTP where a small packet can generate a much bigger response. By using UDP instead of TCP, the source address can be spoofed, and that address gets the amplified response packets.
It's strange they were studying whether ASNs filter incoming traffic with a source address spoofed as one of their own. The normal topic of conversation is filtering outgoing traffic that is spoofing a source address that is NOT one of your own, or that is a private or reserved address like 192.168.x.x or 10.x.x.x. If all ISPs blocked outgoing traffic from their networks with source IPs that didn't belong to them or their customers, then nobody could spoof source IPs.

-----Original Message-----
From: AF <[email protected]> On Behalf Of Mark - Myakka Technologies
Sent: Monday, October 12, 2020 4:49 PM
To: AnimalFarm Microwave Users Group <[email protected]>
Subject: [AFMUG] Brigham Young University's Internet Measurement and Anti-Abuse Laboratory

I got an e-mail from BYU about IP Spoofing. Looks like they ran some testing during December 2019.

"The intent of the experiment was to determine the pervasiveness of networks failing to filter spoofed incoming traffic appearing to originate from within their own networks."

Apparently they are going to present the results of this experiment at the Internet Measurement Conference (IMC) 2020 at the end of this month.

They sent me the e-mail being my AS failed their test. The e-mail was very well written with proper English and spelling. They weren't asking me for anything, just giving me a heads up.

I didn't have any filters in my firewall preventing this, but popped a couple in to see what they caught. Well, I am seeing random packets coming in from the outside world with my IP addresses as the source. Looks like they are looking for DNS servers being all traffic so far has been UDP 53.

I now have these Firewall rules in place.

Is there any reason why I won't want to block these requests? I cannot think of any valid reason for someone to spoof my IP on incoming packets.

--
Thanks,
Mark
mailto:[email protected]

Myakka Technologies, Inc.
www.Myakka.com

--
AF mailing list
[email protected]
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
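
The two border checks discussed in this thread (dropping inbound packets that claim one of your own addresses as source, and dropping outbound packets whose source is not yours or is private/reserved), as an added example that is not from either poster. The prefixes are documentation ranges standing in for an AS's real address space, the function names are hypothetical, and the sample packets are constructed.

```python
import ipaddress
from collections import Counter

# Assumption: documentation prefixes stand in for the prefixes your AS and its
# customers actually originate.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Private and reserved ranges that should never appear as a source at the border.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _matches(addr, networks):
    return any(addr in net for net in networks)


def border_verdict(direction, src):
    """Classify a packet on the upstream-facing interface by its source address.

    direction is "in" (from the Internet) or "out" (toward the Internet).
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    addr = ipaddress.ip_address(src)
    if _matches(addr, BOGONS):
        return ("drop", "private or reserved source")
    own = _matches(addr, OWN_PREFIXES)
    if direction == "in" and own:
        return ("drop", "inbound packet claims one of our own addresses")
    if direction == "out" and not own:
        return ("drop", "outbound packet with a source we do not originate")
    return ("accept", "source consistent with direction")


# Constructed sample packets: (direction, source, protocol, destination port).
# 192.0.2.x is used here only as a stand-in for an arbitrary external address.
SAMPLE_PACKETS = [
    ("in", "203.0.113.10", "udp", 53),   # outside world using our address as source
    ("in", "192.0.2.44", "udp", 53),     # ordinary external client
    ("out", "198.51.100.7", "udp", 53),  # our own host, legitimate
    ("out", "192.168.1.5", "tcp", 443),  # leaked private address
    ("out", "192.0.2.99", "udp", 123),   # spoofed source leaving our network
]


def summarize(packets):
    """Count verdict reasons across a list of packets."""
    return Counter(border_verdict(d, s)[1] for d, s, _proto, _port in packets)
```

The first sample packet is the case Mark describes seeing (UDP 53 arriving from outside with his own address as source); the last two are the outgoing cases the reply describes.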
