nanog mailing list archives
Re: syn flood attacks from NL-based netblocks
From: Jim Shankland <nanog () shankland org>
Date: Fri, 16 Aug 2019 18:58:24 -0700
On 8/16/19 3:50 PM, Emille Blanc wrote:
Have been seeing these at $DAYJOB off and on for the past week. First logged events began on 2019-08-04, at approx 1500hrs PST. Impact for us has been negligible, but some older ASAs were having trouble with the scan volume and their configured log levels which has since been remedied.
Thanks for the various responses. The pattern I (and apparently quite a few others) are seeing differs from an ordinary probe in that it is repeated a few times per second (if somebody wants to know who has a visible ssh server on port 22, and what version of sshd is running, they don't have to hit it multiple times per second). It differs from a SYN flood DoS attack in that its rate is too low to be effective. And it differs from both a port probe and a SYN flood attack (or somebody "learning how to use nmap") in that it is targeting a broad set of destinations in parallel; if source addresses are forged, they are from a fairly narrow set of source IPs.
The atypical pattern seems noteworthy in itself. Not a crisis, but not quite routine, either.
Jim
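
The three-way distinction drawn in the message above (ordinary probe, SYN flood, and the repeated low-rate pattern spread across many destinations) can be expressed as a detection rule over inbound SYN records. This is an added example, not part of the original post; the thresholds, the `classify` and `sample` names and the sample addresses are assumptions.

```python
from collections import Counter

# Thresholds are assumptions for illustration; tune them to your own baseline.
REPEAT_PPS = 2.0    # "a few times per second" toward one dst:port
FLOOD_PPS = 1000.0  # per-target rate high enough to matter as a DoS
MIN_DSTS = 10       # "broad set of destinations in parallel"
MAX_SRCS = 8        # "fairly narrow set of source IPs"

def classify(events, window):
    """events: (ts, src, dst, dport) tuples for inbound SYNs seen in `window` seconds."""
    per_target = Counter((dst, dport) for _, _, dst, dport in events)
    if not per_target:
        return "none"
    srcs = {src for _, src, _, _ in events}
    rates = [n / window for n in per_target.values()]
    repeated = sum(1 for r in rates if r >= REPEAT_PPS)
    if max(rates) >= FLOOD_PPS:
        return "syn-flood"
    if repeated >= MIN_DSTS and len(srcs) <= MAX_SRCS:
        return "low-rate-parallel-syn"
    if repeated == 0:
        return "probe"
    return "unclassified"

def sample(n_src, n_dst, syn_per_sec, window=10):
    """Constructed SYN records using documentation address ranges."""
    events = []
    for d in range(n_dst):
        for i in range(int(syn_per_sec * window)):
            src = f"192.0.2.{(d + i) % n_src + 1}"
            events.append((i / syn_per_sec, src, f"203.0.113.{d + 1}", 22))
    return events

if __name__ == "__main__":
    print(classify(sample(4, 20, 3), 10))      # repeated, low rate, many targets
    print(classify(sample(1, 20, 0.1), 10))    # one SYN per target
    print(classify(sample(200, 1, 2000), 10))  # one target, high rate
```

Feed it SYN records parsed from firewall or flow logs, one call per time window.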