nanog mailing list archives
Re: syn flood attacks from NL-based netblocks
From: Jim Shankland <nanog () shankland org>
Date: Sat, 17 Aug 2019 19:57:10 -0700
On 8/17/19 3:16 PM, Damian Menscher wrote:
> On Fri, Aug 16, 2019 at 3:05 PM Jim Shankland <nanog () shankland org> wrote:
>> I'm seeing slow-motion (a few per second, per IP/port pair) syn flood attacks ostensibly originating from 3 NL-based IP blocks: 88.208.0.0/18, 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" because ... syn flood, and BCP 38 not yet fully adopted). Is anybody else seeing the same thing? Any thoughts on what's going on? Or should I just be ignoring this and getting on with the weekend?
>
> This appears to be a TCP amplification attack. Similar to UDP amplification (DNS, NTP, etc) you can get some amplification by sending a SYN packet with a spoofed source, and watching your victims receive multiple SYN-ACK retries. It's a fairly weak form of attack (as the amplification factor is small), but if the victim's gear is vulnerable to high packet rates it may be effective.

That thought crossed my mind, but it seems to me that the weak amplification factor, plus the broadly distributed set of forged source addresses (within the blocks cited above), would make the attack ineffective -- the whole point of DDoS being to focus a broadly distributed set of (illegitimately obtained) source resources on a narrow set of destination targets. Attacking 2 /18 blocks plus a /21 block in parallel with a weak-amplification attack doesn't look like a successful DDoS strategy to me.

Jim

> The victim (or law enforcement) could identify the true source of the attack by asking transit providers to check their netflow to see where it enters their networks.
>
> Damian
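Damian's description of victims "receiving multiple SYN-ACK retries" suggests a victim-side check. The following is an added example, not code from the thread or its participants: it flags inbound SYN-ACKs that match no outbound SYN from an assumed local prefix and counts retries per reflector, using constructed flow records with a made-up "S"/"SA" flag convention.

```python
"""Spot SYN-ACK backscatter from a spoofed-SYN reflection attack.

Vantage point: the network whose addresses were forged. It sees SYN-ACK
retries from reflectors it never contacted. All records are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumed local prefix (example value, not from the thread).
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed records: (seconds, src, sport, dst, dport, tcp_flags).
RECORDS = [
    # Legitimate connection: we sent the SYN, so the SYN-ACK is expected.
    (0.0, "203.0.113.10", 40000, "198.51.100.5", 443, "S"),
    (0.1, "198.51.100.5", 443, "203.0.113.10", 40000, "SA"),
    # Backscatter: SYN-ACK retries for a SYN we never sent (reflector .7),
    # arriving with the exponential retry spacing a TCP stack would use.
    (1.0, "192.0.2.7", 80, "203.0.113.20", 5555, "SA"),
    (2.0, "192.0.2.7", 80, "203.0.113.20", 5555, "SA"),
    (4.0, "192.0.2.7", 80, "203.0.113.20", 5555, "SA"),
    (8.0, "192.0.2.7", 80, "203.0.113.20", 5555, "SA"),
    # A second reflector that gave up after two retries.
    (1.5, "192.0.2.8", 22, "203.0.113.21", 6000, "SA"),
    (2.5, "192.0.2.8", 22, "203.0.113.21", 6000, "SA"),
]


def unsolicited_synacks(records, local_net):
    """Return {reflector_ip: max SYN-ACKs seen for one unsolicited 4-tuple}.

    A SYN-ACK is unsolicited when no earlier outbound SYN from local_net
    matches its reversed 4-tuple. The per-tuple count is the observed
    amplification factor: one forged SYN produced that many SYN-ACKs.
    """
    sent_syn = set()
    per_tuple = defaultdict(int)
    for _, src, sport, dst, dport, flags in sorted(records):
        if flags == "S" and ipaddress.ip_address(src) in local_net:
            sent_syn.add((src, sport, dst, dport))
        elif flags == "SA" and ipaddress.ip_address(dst) in local_net:
            if (dst, dport, src, sport) not in sent_syn:
                per_tuple[(src, sport, dst, dport)] += 1
    worst = defaultdict(int)
    for (reflector, _, _, _), n in per_tuple.items():
        worst[reflector] = max(worst[reflector], n)
    return dict(worst)


if __name__ == "__main__":
    for reflector, factor in unsolicited_synacks(RECORDS, LOCAL_NET).items():
        print(f"{reflector}: {factor} SYN-ACKs per forged SYN")
```

On real flow data the same matching works with sampled NetFlow/IPFIX as long as the outbound SYN is retained long enough to cover the reflector's retry window.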