nanog mailing list archives
Re: syn flood attacks from NL-based netblocks
From: "Curtis, Bruce" <bruce.curtis () ndsu edu>
Date: Fri, 16 Aug 2019 22:18:28 +0000
On Aug 16, 2019, at 5:04 PM, Jim Shankland <nanog () shankland org<mailto:nanog () shankland org>> wrote: Greetings, I'm seeing slow-motion (a few per second, per IP/port pair) syn flood attacks ostensibly originating from 3 NL-based IP blocks: 88.208.0.0/18 , 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" because ... syn flood, and BCP 38 not yet fully adopted). Why is this syn flood different from all other syn floods? Well ... 1. Rate seems too slow to do any actual damage (is anybody really bothered by a few bad SYN packets per second per service, at this point?); but 2. IPs/port combinations with actual open services are being targeted (I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs with those services running), implying somebody checked for open services first; 3. I'm seeing this in at least 2 locations, to addresses in different, completely unrelated ASes, implying it may be pretty widespread. Is anybody else seeing the same thing? Any thoughts on what's going on? Or should I just be ignoring this and getting on with the weekend? Jim We are seeing that here also. Saw similar traffic ostensibly originating from NL at least as long ago as last Sunday August 17. — Bruce Curtis bruce.curtis () ndsu edu<mailto:bruce.curtis () ndsu edu> Certified NetAnalyst II 701-231-8527 North Dakota State University
Current thread:
- syn flood attacks from NL-based netblocks Jim Shankland (Aug 16)
- Re: syn flood attacks from NL-based netblocks Curtis, Bruce (Aug 16)
- Re: syn flood attacks from NL-based netblocks Matt Harris (Aug 16)
- Re: syn flood attacks from NL-based netblocks Jared Smith (Aug 16)
- Re: syn flood attacks from NL-based netblocks Troy Mursch (Aug 16)
- Re: syn flood attacks from NL-based netblocks Jared Smith (Aug 16)
- RE: syn flood attacks from NL-based netblocks Emille Blanc (Aug 16)
- Re: syn flood attacks from NL-based netblocks Jim Shankland (Aug 16)
- Re: syn flood attacks from NL-based netblocks Töma Gavrichenkov (Aug 17)
- Re: syn flood attacks from NL-based netblocks Jim Shankland (Aug 16)
- Re: syn flood attacks from NL-based netblocks Damian Menscher via NANOG (Aug 17)
- Re: syn flood attacks from NL-based netblocks Amir Herzberg (Aug 17)
- Re: syn flood attacks from NL-based netblocks Damian Menscher via NANOG (Aug 17)
- Re: syn flood attacks from NL-based netblocks Amir Herzberg (Aug 17)
- Re: syn flood attacks from NL-based netblocks Amir Herzberg (Aug 17)