>> Another very real possibility is that the person or thing which sent >>you >> the abuse email doesn't know what he's/it's talking about.
Was my first thought, but wanted to run this by everyone in case I was missing something obvious. On 3/10/15, 7:51 PM, "Roland Dobbins" <rdobb...@arbor.net> wrote: > >On 11 Mar 2015, at 6:40, Matthew Huff wrote: > >> I assume the source address was spoofed, but this leads to my >> question. Since the person that submitted the report didn't mention a >> high packet rate (it was on ssh port 22), it doesn't look like some >> sort of SYN attack, but any OS fingerprinting or doorknob twisting >> wouldn't be useful from the attacker if the traffic doesn't return to >> them, so what gives? > >Highly-distributed, pseudo-randomly spoofed SYN-flood happened to >momentarily use one of your addresses as a source. pps/source will be >relatively low, whilst aggregate at the target will be relatively high. > >Another very real possibility is that the person or thing which sent you >the abuse email doesn't know what he's/it's talking about. > >;> > >----------------------------------- >Roland Dobbins <rdobb...@arbor.net>