18 May
2017
18 May
'17
4:22 a.m.
I still don't see how this is working, unless all routers on the way
implement connection tracking (which is certainly not the case).
So, they send out a spoofed package using a 44 address as origin and then
what? The reply will never get back to them. Instead it will be routed to
the proper real 44 endpoint, either directly for BGP-ed subnets, or via
44.0.0.1, to no end result.
That is why I rather suspect some network using internal 44 addresses as
"private" IPs, overlap our net and sometimes leak out via a non
source-filtered ISP.
I think that is not a legitimate use but an attack
group that spoofs
sender
addresses when sending their attacks and they use net-44 addresses as
well.
To have that go down, more ISPs should implement BCP38 (source address
filtering).