Is it possible that they are getting return traffic and it's just a localized activity? The attacker could announce that prefix directly to the target network in an IXP peering session (maybe with no-export) so that it wouldn't set off your bgpmon. I guess that would make more sense if they were doing email spamming instead of ssh though.
-Laszlo

On Mar 10, 2015, at 11:51 PM, "Roland Dobbins" <rdobb...@arbor.net> wrote:

> On 11 Mar 2015, at 6:40, Matthew Huff wrote:
>
>> I assume the source address was spoofed, but this leads to my question.
>> Since the person that submitted the report didn't mention a high packet rate
>> (it was on ssh port 22), it doesn't look like some sort of SYN attack, but
>> any OS fingerprinting or doorknob twisting wouldn't be useful from the
>> attacker if the traffic doesn't return to them, so what gives?
>
> Highly-distributed, pseudo-randomly spoofed SYN-flood happened to momentarily
> use one of your addresses as a source. pps/source will be relatively low,
> whilst aggregate at the target will be relatively high.
>
> Another very real possibility is that the person or thing which sent you the
> abuse email doesn't know what he's/it's talking about.
>
> ;>
>
> -----------------------------------
> Roland Dobbins <rdobb...@arbor.net>
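Added illustration, not code from anyone in this thread: the two explanations above (a highly distributed, spoofed-source SYN flood with low pps per source but high aggregate pps at the target, versus a real scanner whose traffic does return to it) leave different traces in what the target sees inbound. The script below runs over constructed inbound packet records (timestamp, source, destination port, TCP flags) of the kind a target's sensor or a flow collector would export; the addresses, thresholds and record layout are all assumptions for the example. It reports aggregate and per-source rates, and checks whether a given source ever completed the handshake (a bare ACK after its SYN means it received the SYN-ACK, so the address is reachable and not spoofed), or whether a RST came back instead, which is what the real holder of a spoofed address sends when an unsolicited SYN-ACK lands on it.

```python
"""Tell a distributed spoofed-source SYN flood from a real scan, as seen
inbound at the target.  All sample data below is constructed for the example.

A record is (ts_seconds, src_ip, dst_port, tcp_flags) with flags "S" (SYN),
"A" (bare ACK), "R" (RST).  Only packets arriving at the target are recorded.
"""
from collections import defaultdict

YOUR_ADDRESS = "203.0.113.7"   # the address named in the abuse report (assumed)
TARGET_PORT = 22


def build_flood_sample(n_sources=200, syns_per_source=2):
    """Constructed flood: many spoofed sources, each sending a couple of SYNs
    to port 22 inside one second.  Your address is among the spoofed sources,
    and its real host answers the target's SYN-ACKs with a RST."""
    recs = []
    for i in range(n_sources):
        src = f"198.51.100.{i + 1}"
        for k in range(syns_per_source):
            recs.append((i * 0.004 + k * 0.1, src, TARGET_PORT, "S"))
    recs += [(0.5, YOUR_ADDRESS, TARGET_PORT, "S"),
             (0.6, YOUR_ADDRESS, TARGET_PORT, "S"),
             (0.7, YOUR_ADDRESS, TARGET_PORT, "R")]   # RST from the real host
    return recs


def build_scan_sample(src="192.0.2.50"):
    """Constructed scan: one real client whose SYN-ACK reaches it, so its
    bare ACK arrives and the handshake completes."""
    return [(0.00, src, TARGET_PORT, "S"),
            (0.04, src, TARGET_PORT, "A"),
            (0.50, src, 2222, "S")]


def summarize(records, window_s=1.0):
    """Aggregate and per-source packet rates over the first window_s seconds."""
    recs = [r for r in records if r[0] < window_s]
    by_src = defaultdict(list)
    for r in recs:
        by_src[r[1]].append(r)
    per_src_pps = {s: len(v) / window_s for s, v in by_src.items()}
    return {
        "aggregate_pps": len(recs) / window_s,
        "distinct_sources": len(by_src),
        "max_source_pps": max(per_src_pps.values(), default=0.0),
        "syn_fraction": sum(1 for r in recs if r[3] == "S") / max(len(recs), 1),
        "sources": list(by_src),
    }


def handshake_state(records, src):
    """What did this source do after its first SYN?
    'completed': a bare ACK followed, so the source received our SYN-ACK
                 (return path works, address not spoofed);
    'reset':     a RST followed, the classic answer of a host that never sent
                 the SYN (consistent with spoofing);
    'syn_only':  nothing came back;  'no_syn': source never sent a SYN."""
    flags = [r[3] for r in sorted(records) if r[1] == src]
    if "S" not in flags:
        return "no_syn"
    after = flags[flags.index("S") + 1:]
    if "A" in after:
        return "completed"
    if "R" in after:
        return "reset"
    return "syn_only"


def classify(records, window_s=1.0, min_sources=50, max_source_pps=5.0,
             min_aggregate_pps=100.0):
    """Thresholds are illustrative assumptions, not measured values."""
    s = summarize(records, window_s)
    if any(handshake_state(records, src) == "completed" for src in s["sources"]):
        return "client_reachable"          # traffic returns to it: real client/scanner
    if (s["distinct_sources"] >= min_sources
            and s["max_source_pps"] <= max_source_pps
            and s["aggregate_pps"] >= min_aggregate_pps
            and s["syn_fraction"] >= 0.95):
        return "distributed_spoofed_syn_flood"
    return "inconclusive"


if __name__ == "__main__":
    flood, scan = build_flood_sample(), build_scan_sample()
    print("flood:", classify(flood), summarize(flood),
          "your address:", handshake_state(flood, YOUR_ADDRESS))
    print("scan: ", classify(scan), "scanner:", handshake_state(scan, "192.0.2.50"))
```

Read against the thread: in the flood sample the report's author would see two SYNs and a RST from your address, a few packets per second at most, while the target as a whole sees hundreds of SYNs per second from hundreds of addresses; in the scan sample the bare ACK proves the source got the SYN-ACK, which is exactly the return traffic Matthew's doorknob-twisting theory requires.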