nanog mailing list archives

Re: syn flood attacks from NL-based netblocks


From: Töma Gavrichenkov <ximaera () gmail com>
Date: Sat, 17 Aug 2019 10:14:57 +0300

On Sat, Aug 17, 2019, 4:59 AM Jim Shankland <nanog () shankland org> wrote:

On 8/16/19 3:50 PM, Emille Blanc wrote:
Thanks for the various responses. The pattern I (and apparently quite a
few others) are seeing differs from an ordinary probe in that it is
repeated a few times per second (if somebody wants to know who has a
visible ssh server on port 22, and what version of sshd is running, they
don't have to hit it multiple times per second). It differs from a SYN
flood DoS attack in that its rate is too low to be effective. And it
differs from both a port probe and a SYN flood attack (or somebody
"learning how to use nmap") in that it is targeting a broad set of
destinations in parallel.


Seen a similar pattern a few years ago.  Discovered it's a couple of
students basically developing mass scanning software for a bachelor's
degree who forgot to turn the running code off production before the summer
break.

That's the white noise of the Internet.  Unless it's hitting you multiple
thousand times/s as opposed to multiple times/s, it's only a matter of
unpaid curiosity to start figuring out the reason. I guess Amazon or
Microsoft dot com have quite a museum of that stuff.

--
Töma
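
Added example, not part of the original message or of any poster's tooling: a small classifier that separates the three patterns contrasted in this thread (one-shot probe, SYN flood, and the low-rate repeated sweep across many destinations). The thresholds, label names and sample records are assumptions constructed for illustration; the thread itself only contrasts "multiple times/s" with "multiple thousand times/s".

```python
from collections import Counter, defaultdict

# Assumed thresholds; tune against your own baseline.
FLOOD_PPS = 1000    # SYN/s at or above this is treated as a flood
MIN_DESTS = 8       # "broad set of destinations"
MIN_REPEATS = 3     # same target hit repeatedly, unlike a one-shot probe

def classify_sources(syns):
    """syns: iterable of (ts_seconds, src_ip, dst_ip, dst_port), SYN packets only.
    Returns {src_ip: label}."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in syns:
        by_src[src].append((ts, dst, dport))
    labels = {}
    for src, pkts in by_src.items():
        times = [ts for ts, _, _ in pkts]
        # Floor the window at 1 s so a tiny burst is not extrapolated to a huge rate.
        duration = max(max(times) - min(times), 1.0)
        pps = len(pkts) / duration
        per_target = Counter((dst, dport) for _, dst, dport in pkts)
        repeats = max(per_target.values())
        if pps >= FLOOD_PPS:
            labels[src] = "syn-flood"
        elif len(per_target) >= MIN_DESTS and repeats >= MIN_REPEATS:
            labels[src] = "low-rate-repeated-sweep"
        elif repeats < MIN_REPEATS:
            labels[src] = "one-shot-probe"
        else:
            labels[src] = "other"
    return labels

def sample_traffic():
    """Constructed sample using documentation-range addresses, not a real capture."""
    syns = []
    # 198.51.100.7: 3 SYN/s to each of 10 hosts on port 22, for 5 seconds.
    for tick in range(15):
        for host in range(10):
            syns.append((tick / 3.0, "198.51.100.7", f"192.0.2.{host + 1}", 22))
    # 198.51.100.8: a single SYN to each of the same 10 hosts.
    for host in range(10):
        syns.append((host * 0.5, "198.51.100.8", f"192.0.2.{host + 1}", 22))
    # 198.51.100.9: 5000 SYNs at one host within one second.
    for i in range(5000):
        syns.append((i / 5000.0, "198.51.100.9", "192.0.2.1", 80))
    return syns

if __name__ == "__main__":
    for src, label in sorted(classify_sources(sample_traffic()).items()):
        print(src, label)
```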


