RE: syn flood attacks from NL-based netblocks

[Emille Blanc <emille () abccommunications com>]

Have been seeing these at $DAYJOB off and on for the past week.
First logged events began for on 2019-08-04, at approx 1500hrs PST.

Impact for us has been negligible, but some older ASA's were having trouble with the scan volume and their configured 
log levels which has since been remedied.

-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Jim Shankland
Sent: Friday, August 16, 2019 3:05 PM
To: nanog () nanog org
Subject: syn flood attacks from NL-based netblocks

Greetings,

I'm seeing slow-motion (a few per second, per IP/port pair) syn flood 
attacks ostensibly originating from 3 NL-based IP blocks: 88.208.0.0/18 
, 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" because ... syn flood, 
and BCP 38 not yet fully adopted).

Why is this syn flood different from all other syn floods? Well ...

1. Rate seems too slow to do any actual damage (is anybody really 
bothered by a few bad SYN packets per second per service, at this 
point?); but

2. IPs/port combinations with actual open services are being targeted 
(I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs 
with those services running), implying somebody checked for open 
services first;

3. I'm seeing this in at least 2 locations, to addresses in different, 
completely unrelated ASes, implying it may be pretty widespread.

Is anybody else seeing the same thing? Any thoughts on what's going on? 
Or should I just be ignoring this and getting on with the weekend?

Jim