nanog mailing list archives

Re: syn flood attacks from NL-based netblocks


From: Jim Shankland <nanog () shankland org>
Date: Fri, 16 Aug 2019 18:58:24 -0700

On 8/16/19 3:50 PM, Emille Blanc wrote:
> Have been seeing these at $DAYJOB off and on for the past week.
> First logged events began on 2019-08-04, at approx 1500hrs PST.
>
> Impact for us has been negligible, but some older ASAs were having trouble with the scan volume and their configured log levels which has since been remedied.

Thanks for the various responses. The pattern I (and apparently quite a few others) are seeing differs from an ordinary probe in that it is repeated a few times per second (if somebody wants to know who has a visible ssh server on port 22, and what version of sshd is running, they don't have to hit it multiple times per second). It differs from a SYN flood DoS attack in that its rate is too low to be effective. And it differs from both a port probe and a SYN flood attack (or somebody "learning how to use nmap") in that it is targeting a broad set of destinations in parallel; if source addresses are forged, they are from a fairly narrow set of source IPs.

The atypical pattern seems noteworthy in itself. Not a crisis, but not quite routine, either.

Jim
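
An added example, not part of the original post: one way to separate the three patterns the message distinguishes (a one-shot probe, a SYN flood, and low-rate SYNs repeated against many destinations in parallel) from inbound SYN records. The log format, thresholds, label names and addresses are assumptions made for this sketch.

```python
from collections import defaultdict

# Assumed thresholds (not from the post); tune them to your own traffic.
FLOOD_PPS = 1000   # per-target SYN rate treated as a plausible DoS
REPEAT_PPS = 1.0   # "repeated a few times per second" against one target
WIDE_TARGETS = 3   # "broad set of destinations" (kept small for the sample)

def syn_rate(stamps):
    """SYNs per second to one (dst, port); 0 for a single SYN."""
    span = max(stamps) - min(stamps)
    if span > 0:
        return (len(stamps) - 1) / span
    return float("inf") if len(stamps) > 1 else 0.0

def classify(lines):
    """Label each source from 'epoch src dst dport' SYN records (constructed format)."""
    per_src = defaultdict(lambda: defaultdict(list))  # src -> (dst, dport) -> [ts]
    for line in lines:
        ts, src, dst, dport = line.split()
        per_src[src][(dst, int(dport))].append(float(ts))
    labels = {}
    for src, targets in per_src.items():
        rates = [syn_rate(s) for s in targets.values()]
        repeated = sum(1 for r in rates if r >= REPEAT_PPS)
        if max(rates) >= FLOOD_PPS:
            labels[src] = "syn-flood"
        elif repeated >= WIDE_TARGETS:
            labels[src] = "low-rate-repeated-wide"  # the pattern described in the post
        elif repeated == 0:
            labels[src] = "probe"                   # each target touched once
        else:
            labels[src] = "repeated-narrow"
    return labels

def sample():
    """Constructed records; addresses come from RFC 5737 documentation ranges."""
    dsts = ["192.0.2.%d" % i for i in range(1, 5)]
    lines = ["%.3f 198.51.100.7 %s 22" % (i, d) for i, d in enumerate(dsts)]
    lines += ["%.3f 198.51.100.9 %s 22" % (k / 3, d) for d in dsts for k in range(10)]
    lines += ["%.4f 198.51.100.11 192.0.2.1 80" % (k / 2000) for k in range(2001)]
    return lines

if __name__ == "__main__":
    for src, label in sorted(classify(sample()).items()):
        print(src, label)
```

Grouping the sources that receive the low-rate-repeated-wide label shows whether they fall in the narrow set of source IPs the message mentions.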

