IP source spoofing is a long-time problem in crime. Source Address Validation (SAV) is a difficult task, and now we get reflective DDoS (rDDoS) attacks. As my domain is cryptography and I am not familiar with the forensics suites used in LE, which tools best cover this issue of unicast Reverse Path Forwarding (uRPF) hacking exploits? In the core network of a large global ISP we are stuck.
Could anybody please be so kind as to help me?
There are no tools for this. Only hands-on work will do; tshark is my recommendation if you want to extract info at the protocol level, or use Wireshark if you want a GUI.
Stuff like TTL, RTT, IP ID and sequence numbers is what you can use to determine whether you should EXCLUDE an attacker.
My advice: give it up, get some DDoS mitigation, and contact the ISPs of the attacking nodes to get info; it's easier in the long run. Also check the human connection: anyone pissed off because of some billing screw-up? Any political/image problems for the organisation? A disgruntled ex-employee?
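A worked illustration of the TTL / IP-ID triage the answer above describes, added here as an example; it is not code from the answerer or from the thread. It assumes the capture was exported with tshark's `-T fields` output (the tshark flags quoted in the docstring are real options, the field order is this script's own choice), and the packet lines embedded in it are constructed for illustration, not taken from a real incident. Two checks are implemented: a source whose observed TTL jumps around between packets cannot be one host behind one path, and several distinct "sources" whose packets continue a single incrementing IP-ID counter are most likely one spoofing machine.

```python
"""Triage of suspected spoofed sources from tshark field output (added example).

Assumes the capture was exported with real tshark options along these lines:

    tshark -r attack.pcap -T fields -E separator=, \
        -e frame.time_relative -e ip.src -e ip.ttl -e ip.id -e tcp.seq

(tshark shows relative TCP sequence numbers by default; pass
 -o tcp.relative_sequence_numbers:false if you want the raw ones.)
The sample lines below are constructed for illustration, not a real capture.
"""
from collections import defaultdict

# Constructed sample: one stable source, two "sources" sharing one IP-ID counter,
# and one source whose TTL is inconsistent from packet to packet.
SAMPLE_TSHARK_CSV = """\
0.000,203.0.113.10,52,0x1a2b,1000
0.010,203.0.113.10,52,0x1a2c,1001
0.020,203.0.113.10,52,0x1a2d,1002
0.030,198.51.100.7,47,0x3c00,555000
0.040,198.51.100.8,47,0x3c01,555001
0.050,198.51.100.7,47,0x3c02,555002
0.060,198.51.100.8,47,0x3c03,555003
0.070,192.0.2.5,61,0x0010,1
0.080,192.0.2.5,38,0x0011,2
0.090,192.0.2.5,61,0x0012,3
0.100,192.0.2.5,44,0x0013,4
"""

# Common initial TTL values set by operating systems (assumption: the sender
# uses one of these; a middlebox rewriting TTL would break the estimate).
INITIAL_TTLS = (32, 64, 128, 255)


def _to_int(field):
    """tshark prints ip.id as 0x....; accept hex or plain decimal."""
    return int(field, 16) if field.lower().startswith("0x") else int(field)


def parse_tshark_fields(text):
    """Parse comma-separated tshark -T fields lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, ttl, ipid, seq = line.split(",")
        records.append({"time": float(t), "src": src, "ttl": int(ttl),
                        "ipid": _to_int(ipid), "seq": _to_int(seq) if seq else None})
    return records


def estimate_hops(ttl):
    """Pick the smallest common initial TTL >= observed; return (initial, hops)."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    return 255, 255 - ttl  # unreachable for a valid 8-bit TTL


def ttl_spread(records):
    """Per source address, the (min, max) TTL seen across its packets."""
    per_src = defaultdict(list)
    for r in records:
        per_src[r["src"]].append(r["ttl"])
    return {src: (min(v), max(v)) for src, v in per_src.items()}


def suspect_by_ttl(records, max_spread=2):
    """Sources whose TTL varies more than a real host behind one path would."""
    return {src for src, (lo, hi) in ttl_spread(records).items() if hi - lo > max_spread}


def shared_ipid_counter(records, max_delta=2):
    """Group distinct sources whose packets, in arrival order, continue one IP-ID counter.

    A sender using a global IP-ID counter increments it by one per packet it
    emits, regardless of the source address it writes into the header.
    """
    ordered = sorted(records, key=lambda r: r["time"])
    groups = []
    for a, b in zip(ordered, ordered[1:]):
        if a["src"] == b["src"]:
            continue
        delta = (b["ipid"] - a["ipid"]) & 0xFFFF  # 16-bit wrap-around
        if 0 < delta <= max_delta:
            for g in groups:
                if a["src"] in g or b["src"] in g:
                    g.update((a["src"], b["src"]))
                    break
            else:
                groups.append({a["src"], b["src"]})
    return groups


if __name__ == "__main__":
    recs = parse_tshark_fields(SAMPLE_TSHARK_CSV)
    for src, (lo, hi) in sorted(ttl_spread(recs).items()):
        init, hops = estimate_hops(hi)
        print(f"{src:15} ttl {lo}-{hi}  ~{hops} hops from initial {init}")
    print("inconsistent TTL:", sorted(suspect_by_ttl(recs)))
    print("shared IP-ID counter:", shared_ipid_counter(recs))
```

On the constructed sample the script flags 192.0.2.5 for its inconsistent TTL and groups 198.51.100.7 with 198.51.100.8 as one sender behind two forged addresses. Both checks are exclusion heuristics, as the answer says: they can tell you a source is not what it claims to be, but a stable TTL and a private IP-ID sequence prove nothing on their own. Modern stacks that randomise or per-destination-count the IP ID weaken the second check, so treat an empty result as "no evidence", not "genuine".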
MDCR, thank you for your advice. Will tend towards the ISP to solve the issue.