Is it possible to find the actual source IP of a packet with a spoofed IP header?
772
I recently came under a DDoS attack. It was a SYN flood using spoofed IPs. Is it at all possible to trace the attack back to the actual sending server?
No is the effective answer. It is not the absolute answer since a theoretical condition exists where one could successively ask each upstream connection to the next to look at their complete dump of traffic and tell you where the packet came from. In a sustained attack with a lot of volume from a single source, one might be able to do this with live data and filtering over a period of time with the help of each successive upstream system owner.
But for all realistic and likely scenarios, you'll never find the source of some single spoofed packet, or even many of them.
IP packets don't contain any information about the path they traversed (with the exception of the TTL header, but that wouldn't tell you what it was initially).
So there is no practical way to do this. You could contact your upstream provider, and they might be able to tell roughly where it came from if they have large network. But unless it is a serious recurring problem you are out of luck.
If you are interested in a more academic side, or what a internet provider might do go read this article.
No is the effective answer. It is not the absolute answer since a theoretical condition exists where one could successively ask each upstream connection to the next to look at their complete dump of traffic and tell you where the packet came from. In a sustained attack with a lot of volume from a single source, one might be able to do this with live data and filtering over a period of time with the help of each successive upstream system owner.
But for all realistic and likely scenarios, you'll never find the source of some single spoofed packet, or even many of them.
IP packets don't contain any information about the path they traversed (with the exception of the TTL header, but that wouldn't tell you what it was initially).
So there is no practical way to do this. You could contact your upstream provider, and they might be able to tell roughly where it came from if they have large network. But unless it is a serious recurring problem you are out of luck.
If you are interested in a more academic side, or what a internet provider might do go read this article.