nanog mailing list archives
Re: Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)
From: Amir Herzberg <amir.lists () gmail com>
Date: Wed, 21 Aug 2019 21:45:54 -0400
Töma, thanks for this interesting update. The best defense against this type of DDoS attack seems indeed to be relaying to a sufficiently-large-bandwidth cloud/CDN, and filtering TCP traffic (received not from the relay). Such relaying should be done well - smart attacks may still be possible for 'naive' relaying.

-- Amir

On Wed, Aug 21, 2019 at 3:46 PM Töma Gavrichenkov <ximaera () gmail com> wrote:

> Peace,
>
> Here's to confirm that the pattern reported before in NANOG was indeed a reflection DDoS attack. On Sunday, it also hit our customer, here's the report:
>
> https://www.prnewswire.com/news-releases/root-cause-analysis-and-incident-report-on-the-august-ddos-attack-300905405.html
>
> tl;dr: basically that was a rather massive reflected SYN/ACK carpet bombing against several datacenter prefixes (no particular target was identified).
>
> -- Töma
>
> On Sat, Aug 17, 2019, 1:06 AM Jim Shankland <nanog () shankland org> wrote:
>
>> Greetings,
>>
>> I'm seeing slow-motion (a few per second, per IP/port pair) syn flood attacks ostensibly originating from 3 NL-based IP blocks: 88.208.0.0/18, 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" because ... syn flood, and BCP 38 not yet fully adopted).
>>
>> Why is this syn flood different from all other syn floods? Well ...
>>
>> 1. Rate seems too slow to do any actual damage (is anybody really bothered by a few bad SYN packets per second per service, at this point?); but
>> 2. IPs/port combinations with actual open services are being targeted (I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs with those services running), implying somebody checked for open services first;
>> 3. I'm seeing this in at least 2 locations, to addresses in different, completely unrelated ASes, implying it may be pretty widespread.
>>
>> Is anybody else seeing the same thing? Any thoughts on what's going on? Or should I just be ignoring this and getting on with the weekend?
>>
>> Jim
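Added example, not part of any message in this thread: a detection sketch for the pattern described above, in which SYNs that claim to come from a few prefixes reach open services and the handshake is never completed, so the local host's SYN/ACKs are the reflected traffic. The prefixes are the ones named in Jim Shankland's message; the packet tuples, the 192.0.2.10 service address, the function name and the threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Source prefixes named in Jim Shankland's message.
WATCHED = [ipaddress.ip_network(n)
           for n in ("88.208.0.0/18", "5.11.80.0/21", "78.140.128.0/18")]

# Constructed sample: (time_s, src_ip, src_port, dst_ip, dst_port, flag)
# flag "S" = inbound SYN, "A" = inbound ACK that completes the handshake.
SAMPLE = [
    (0.0, "88.208.1.5", 40001, "192.0.2.10", 443, "S"),
    (0.4, "88.208.2.9", 40002, "192.0.2.10", 443, "S"),
    (0.9, "88.208.1.5", 40003, "192.0.2.10", 443, "S"),
    (1.1, "5.11.80.7", 5353, "192.0.2.10", 22, "S"),
    (1.2, "198.51.100.20", 51000, "192.0.2.10", 443, "S"),
    (1.3, "198.51.100.20", 51000, "192.0.2.10", 443, "A"),  # real client
    (1.5, "88.208.3.3", 40004, "192.0.2.10", 443, "S"),
    (1.6, "88.208.3.3", 40004, "192.0.2.10", 443, "A"),     # real client
    (2.0, "78.140.130.1", 40005, "192.0.2.10", 8080, "S"),  # closed port
]
OPEN_SERVICES = {("192.0.2.10", 443), ("192.0.2.10", 22)}


def unanswered_syns(packets, open_services, min_syns=3):
    """Count never-completed SYNs per (watched prefix, local ip, local port).

    Only open services are counted: they answer with SYN/ACK, which is the
    packet that gets reflected toward the spoofed source address.
    """
    syns = defaultdict(int)
    completed = set()
    for _ts, src, sport, dst, dport, flag in packets:
        conn = (src, sport, dst, dport)
        if flag == "S":
            syns[conn] += 1
        elif flag == "A":
            completed.add(conn)
    totals = defaultdict(int)
    for conn, count in syns.items():
        src, _sport, dst, dport = conn
        if conn in completed or (dst, dport) not in open_services:
            continue
        addr = ipaddress.ip_address(src)
        net = next((w for w in WATCHED if addr in w), None)
        if net is not None:
            totals[(str(net), dst, dport)] += count
    return {k: v for k, v in totals.items() if v >= min_syns}


if __name__ == "__main__":
    for (net, dst, dport), n in unanswered_syns(SAMPLE, OPEN_SERVICES).items():
        print(f"{n} unanswered SYNs from {net} to {dst}:{dport}")
```
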