nanog mailing list archives

Re: syn flood attacks from NL-based netblocks


From: Troy Mursch <troy () wolvtech com>
Date: Fri, 16 Aug 2019 15:48:49 -0700

The traffic "from" 88.208.0.0/18, 5.11.80.0/21, and 78.140.128.0/18 doesn't
match the packet signatures for Masscan, ZMap, or any other well-known
scanner. The traffic is likely spoofed.

__

*Troy Mursch*

@bad_packets

On Fri, Aug 16, 2019 at 3:28 PM Jared Smith <jms () vols utk edu> wrote:

> I would think Shodan/Zmap/pick your multi-IP-block-scanning-tool would
> portray similar behavior.
>
> Echoing Matt’s “probably shouldn’t worry” sentiment, this could just be
> someone running an incantation of such tools for research or recreational
> purposes.
>
> Best,
> Jared
> On Aug 16, 2019, 18:21 -0400, Matt Harris, wrote:
>
> > On Fri, Aug 16, 2019 at 5:05 PM Jim Shankland <nanog () shankland org> wrote:
> >
> > > 1. Rate seems too slow to do any actual damage (is anybody really
> > > bothered by a few bad SYN packets per second per service, at this
> > > point?); but
> >
> > Common technique used by port scanners to evade detection as a DoS attack
> > by fw/ids/etc.
> >
> > > 2. IPs/port combinations with actual open services are being targeted
> > > (I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs
> > > with those services running), implying somebody checked for open
> > > services first;
> >
> > Or they're just checking if certain common ports are open with the
> > intention of later trying known exploits against those which are reachable
> > in order to attempt to compromise the hosts. Build the DB of reachable
> > hosts/ports now, come back with exploits later.
> >
> > > 3. I'm seeing this in at least 2 locations, to addresses in different,
> > > completely unrelated ASes, implying it may be pretty widespread.
> >
> > Sounds like a relatively common pattern though.
> >
> > > Is anybody else seeing the same thing? Any thoughts on what's going on?
> > > Or should I just be ignoring this and getting on with the weekend?
> >
> > I wouldn't worry too much about it unless you have reason to believe some
> > of the likely-forthcoming exploits may actually work. Of course, if that's
> > the case, you should fix them anyhow.
> >
> > Have a good weekend!
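The thread turns on two observations: the SYNs arrive at a low rate spread across unrelated targets, and Troy notes they carry none of the packet-level signatures of the usual scanners, which is why he suspects the source addresses are spoofed. The script below is an added example, not code from anyone in the thread, that shows how a defender can run those checks over SYN records pulled from a capture. It assumes two fingerprints as I recall them from the tools' public source (both labelled as assumptions in the comments): Masscan sets the IP ID to (destination IP XOR destination port XOR TCP sequence number) masked to 16 bits, and ZMap's SYN probe uses a fixed IP ID of 54321. The input records are constructed for illustration; the three NL netblocks come from the thread. Sources that match no known tool are reported as unverifiable rather than as "spoofed", since an unmatched signature only means the sender cannot be attributed to a known scanner.

```python
import ipaddress
from collections import defaultdict

# Netblocks named in the thread; anything else is grouped by /24.
WATCHED_PREFIXES = [ipaddress.ip_network(p)
                    for p in ("88.208.0.0/18", "5.11.80.0/21", "78.140.128.0/18")]

# Assumption: ZMap's SYN probe module stamps every packet with this IP ID.
ZMAP_IPID = 54321


def masscan_ipid(dst_ip: str, dst_port: int, tcp_seq: int) -> int:
    """IP ID Masscan derives for a SYN. Assumption: (dst_ip ^ dst_port ^ seq) & 0xFFFF,
    as in Masscan's templ_set_target(). Only the relation is checked, not how seq is chosen."""
    return (int(ipaddress.IPv4Address(dst_ip)) ^ dst_port ^ tcp_seq) & 0xFFFF


def fingerprint(rec: dict) -> str:
    """Attribute one SYN record to a known scanner by its IP ID relation, else 'unknown'."""
    if rec["ip_id"] == masscan_ipid(rec["dst_ip"], rec["dst_port"], rec["tcp_seq"]):
        return "masscan"
    if rec["ip_id"] == ZMAP_IPID:
        return "zmap"
    return "unknown"


def source_group(src_ip: str) -> str:
    """Bucket a source address into a watched prefix, or its /24 otherwise."""
    addr = ipaddress.IPv4Address(src_ip)
    for net in WATCHED_PREFIXES:
        if addr in net:
            return str(net)
    return str(ipaddress.ip_network(f"{src_ip}/24", strict=False))


def assess(packets: int, fps: dict) -> str:
    """A group is attributable only if every packet carries the same known signature."""
    top = max(fps, key=fps.get)
    if top != "unknown" and fps[top] == packets:
        return f"consistent with {top}"
    return "no known scanner signature; source address unverified (may be spoofed)"


def summarize(records: list) -> dict:
    """Per source group: packet count, distinct (ip, port) targets, rate and fingerprint mix."""
    groups = defaultdict(lambda: {"packets": 0, "targets": set(),
                                  "fps": defaultdict(int), "first": None, "last": None})
    for r in records:
        g = groups[source_group(r["src_ip"])]
        g["packets"] += 1
        g["targets"].add((r["dst_ip"], r["dst_port"]))
        g["fps"][fingerprint(r)] += 1
        g["first"] = r["ts"] if g["first"] is None else min(g["first"], r["ts"])
        g["last"] = r["ts"] if g["last"] is None else max(g["last"], r["ts"])
    out = {}
    for key, g in groups.items():
        span = max(g["last"] - g["first"], 1.0)  # avoid divide-by-zero for single packets
        out[key] = {
            "packets": g["packets"],
            "distinct_targets": len(g["targets"]),
            "pps": g["packets"] / span,
            "fingerprints": dict(g["fps"]),
            "assessment": assess(g["packets"], g["fps"]),
        }
    return out


# Constructed SYN records (ts in seconds, addresses from documentation ranges plus the
# thread's 88.208.0.0/18). The Masscan rows carry ip_id values computed by the relation above.
SAMPLE_RECORDS = [
    {"ts": 0.0, "src_ip": "203.0.113.5", "dst_ip": "192.0.2.10", "dst_port": 443, "ip_id": 21961, "tcp_seq": 0x12345678},
    {"ts": 0.5, "src_ip": "203.0.113.5", "dst_ip": "192.0.2.10", "dst_port": 22, "ip_id": 64995, "tcp_seq": 0xFFFF},
    {"ts": 1.0, "src_ip": "203.0.113.5", "dst_ip": "192.0.2.11", "dst_port": 53, "ip_id": 574, "tcp_seq": 0},
    {"ts": 2.0, "src_ip": "198.51.100.7", "dst_ip": "192.0.2.10", "dst_port": 443, "ip_id": ZMAP_IPID, "tcp_seq": 0xABCDEF01},
    {"ts": 0.0, "src_ip": "88.208.1.1", "dst_ip": "192.0.2.10", "dst_port": 22, "ip_id": 1000, "tcp_seq": 0x1000},
    {"ts": 10.0, "src_ip": "88.208.2.2", "dst_ip": "192.0.2.10", "dst_port": 443, "ip_id": 2000, "tcp_seq": 0x2000},
    {"ts": 20.0, "src_ip": "88.208.3.3", "dst_ip": "192.0.2.11", "dst_port": 53, "ip_id": 3000, "tcp_seq": 0x3000},
    {"ts": 30.0, "src_ip": "88.208.4.4", "dst_ip": "192.0.2.11", "dst_port": 443, "ip_id": 4000, "tcp_seq": 0x4000},
]

if __name__ == "__main__":
    for group, info in summarize(SAMPLE_RECORDS).items():
        print(f"{group}: {info['packets']} pkts, {info['distinct_targets']} targets, "
              f"{info['pps']:.2f} pps, {info['fingerprints']} -> {info['assessment']}")
```

On the constructed input the 203.0.113.0/24 group matches the Masscan relation on every packet, the 198.51.100.0/24 group matches the ZMap IP ID, and the 88.208.0.0/18 group matches neither while sending a few packets every ten seconds to several (ip, port) pairs, which is the low-rate, wide-spread shape Jim describes. A real check would read the records from a pcap and add the TCP window and option fields to the fingerprint; the IP ID relations alone are a first filter, not proof of who sent the traffic.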
