syn flood attacks from NL-based netblocks

Jim Shankland nanog at shankland.org
Sat Aug 17 01:58:24 UTC 2019


On 8/16/19 3:50 PM, Emille Blanc wrote:
> Have been seeing these at $DAYJOB off and on for the past week.
> First logged events began on 2019-08-04, at approx 1500hrs PST.
>
> Impact for us has been negligible, but some older ASAs were having trouble with the scan volume and their configured log levels which has since been remedied.

Thanks for the various responses. The pattern I (and apparently quite a 
few others) are seeing differs from an ordinary probe in that it is 
repeated a few times per second (if somebody wants to know who has a 
visible ssh server on port 22, and what version of sshd is running, they 
don't have to hit it multiple times per second). It differs from a SYN 
flood DoS attack in that its rate is too low to be effective. And it 
differs from both a port probe and a SYN flood attack (or somebody 
"learning how to use nmap") in that it is targeting a broad set of 
destinations in parallel; if source addresses are forged, they are from 
a fairly narrow set of source IPs.

The atypical pattern seems noteworthy in itself. Not a crisis, but not 
quite routine, either.

Jim
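
Added example, not part of the original message: one way to tell the three patterns described above apart in a log of inbound SYNs, by per-destination repeat rate and per-source fan-out. The thresholds, function names, labels and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds (not from the post); tune against your own baseline.
REPEAT_MIN_PPS = 2.0    # "a few times per second" toward one destination
FLOOD_MIN_PPS = 1000.0  # per-destination rate at which a DoS is plausible
FANOUT_MIN_DSTS = 10    # "broad set of destinations in parallel"

def classify_sources(syns):
    """syns: iterable of (epoch_seconds, src_ip, dst_ip, dst_port), one per
    inbound SYN. Returns {src_ip: label}."""
    times = defaultdict(list)
    for ts, src, dst, dport in syns:
        times[(src, dst, dport)].append(ts)

    rates = defaultdict(list)  # src -> per-destination SYN rates (pps)
    for (src, _dst, _dport), seen in times.items():
        # Floor the window at 1 s so a lone SYN, or a burst logged with
        # one-second timestamps, still yields a sane rate.
        window = max(max(seen) - min(seen), 1.0)
        rates[src].append(len(seen) / window)

    labels = {}
    for src, pps in rates.items():
        repeated = sum(1 for r in pps if r >= REPEAT_MIN_PPS)
        if max(pps) >= FLOOD_MIN_PPS:
            labels[src] = "syn-flood"
        elif repeated >= FANOUT_MIN_DSTS:
            labels[src] = "low-rate-repeated-fanout"  # the pattern in the post
        elif repeated == 0:
            labels[src] = "probe"
        else:
            labels[src] = "repeated-few-targets"
    return labels

def constructed_sample():
    """Constructed records using documentation address ranges."""
    syns = []
    for d in range(1, 21):   # 3 SYN/s to each of 20 hosts for 5 s
        syns += [(i / 3, "192.0.2.10", f"198.51.100.{d}", 22) for i in range(15)]
    for d in range(1, 51):   # one SYN per host: an ordinary sweep
        syns.append((d * 0.01, "192.0.2.20", f"198.51.100.{d}", 22))
    # 5000 SYNs in one second at a single host
    syns += [(i / 5000, "192.0.2.30", "198.51.100.7", 22) for i in range(5000)]
    return syns

if __name__ == "__main__":
    for src, label in sorted(classify_sources(constructed_sample()).items()):
        print(src, label)
```

Counting how many distinct sources receive the fan-out label gives the size of the source set, which is the other property the message points to.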



