Hi Bill,
thanks for sharing the data. Indeed, I can’t offer you a way to backtrack the spoofed packets.
Anyway, I’m not sure what could you do legally as there is a very high chance that these people are not in the USA and the CFAA won’t apply to them.
Here is what I would do if I was in your situation.
Since these packets are spoof and malformed, I would block all SYN/ACK based on the length.
Depending on your hardware, it’s very easy to inspect only the SYN/ACK by length if you have modern hardware. On linux/unix, it’s also very straightforward. I’m not sure for windows though.
Here is the details of the analysis:
Today, all the SYN and SYN/ACK includes a minimum of options like MSS, WS, SACK, NOP (Only a spacer, sometimes 2) and extended TS. There might be others, but let’s use the basic one.
In your case, there are none. There is only MSS and the SYN length is 44 bytes. These are spoof packets maybe generated by either TCP-AMP like reported earlier.
I would try to block all SYN/ACK coming toward your network with a length of 44 bytes or lower. But, this is weird because it should be 54 bytes. Maybe there is some offloading of some sort in your gear.
Now depending on your hardware, it could work or it could kill your router as it will punt the cpu. I guess you have some modern gear.
What I do when I am not sure about the length, I start to accept and log at 60 bytes, then 58, 56, 54… 44 until I catch the gremlins.
Once you found the sweet spot, you drop all SYN/ACK toward your /23 lower than X bytes. It won’t kill or block anything legitimate if you do it properly.
What will happen is that you will not reply to these spoof SYN/ACK with a RST and still allowing RST for legit SYN and SYN/ACK. Akamai and your service providers will be happy and should not penalize you.
I’m pretty sure that it will help you as it did for me in the past.
Let me know if it’s not clear and/or which part is foggy and I’ll try to give more details and better explanation.
Regards,
Jean St-Laurent