RE: Purpose of spoofed packets ???

2015-03-11 Thread Darden, Patrick
To: nanog@nanog.org Subject: [EXTERNAL]Purpose of spoofed packets ??? We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring, so

Re: Purpose of spoofed packets ???

2015-03-10 Thread Steve Atkins
On Mar 10, 2015, at 4:40 PM, Matthew Huff mh...@ox.com wrote: We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring,

Re: Purpose of spoofed packets ???

2015-03-10 Thread Bacon Zombie
Nmap has an option to hide your real IP among either a provides or IP list of IP addresses. -D decoy1[,decoy2][,ME][,...] (Cloak a scan with decoys) Causes a decoy scan to be performed, which makes it appear to the remote host that the host(s) you specify as decoys are scanning the

Purpose of spoofed packets ???

2015-03-10 Thread Matthew Huff
We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return traffic is possible. We have external BGP monitoring, so unless something very tricky is going on, we don't have part of

Re: Purpose of spoofed packets ???

2015-03-10 Thread Roland Dobbins
On 11 Mar 2015, at 6:40, Matthew Huff wrote: I assume the source address was spoofed, but this leads to my question. Since the person that submitted the report didn't mention a high packet rate (it was on ssh port 22), it doesn't look like some sort of SYN attack, but any OS fingerprinting

Re: Purpose of spoofed packets ???

2015-03-10 Thread Fred Hollis
Interesting... we had exactly the same an hour ago. That IP was definitely nullrouted for 1 week... Matthew Huff: We recently got an abuse report of an IP address in our net range. However, that IP address isn't in use in our networks and the covering network is null routed, so no return

Re: Purpose of spoofed packets ???

2015-03-10 Thread Laszlo Hanyecz
Is it possible that they are getting return traffic and it's just a localized activity? The attacker could announce that prefix directly to the target network in an IXP peering session (maybe with no-export) so that it wouldn't set off your bgpmon. I guess that would make more sense if they

Re: Purpose of spoofed packets ???

2015-03-10 Thread Matthew Huff
Another very real possibility is that the person or thing which sent you the abuse email doesn't know what he's/it's talking about. Was my first thought, but wanted to run this by everyone in case I was missing something obvious. On 3/10/15, 7:51 PM, Roland Dobbins rdobb...@arbor.net