Reflection Attack - 69.80.239.50

mack mack at exchange.alphared.com
Tue Nov 20 17:02:34 UTC 2007


I apologize if this is off topic.
Currently the IP 69.80.239.50 is the victim of a reflection attack.

Many operators may be seeing what appears to be a SYN attack generated by this IP.
These are actually spoofed packets hitting an open port, designed to generate a SYN-ACK packet at the victim server.

This attack was originally a standard SYN attack which has lasted since the 13th.
On Saturday the 17th we moved the victim server to a new IP behind a firewall.

Yesterday, Monday the 19th, at approximately 3 PM the attack changed to a reflection attack of greatly increased magnitude.  We have rate limited SYN-ACK packets hitting the firewall to reduce backscatter of reset packets.

Anyone seeing a stream of packets that appears to be improperly sourced from 69.80.239.50 is asked to contact us if they believe they can help us track back the perpetrators.

Any assistance that can be rendered is appreciated.  This includes direction to another forum that may be able to offer assistance.

As there are approximately 102,000 reflectors being used, please do not contact us unless you can help us trace this back or provide substantial assistance.  We are currently overwhelmed by the abuse complaints this has generated.

The attack has now doubled in size and may be considerably more than 102k reflectors.

----
LR Mack McBride
Network Administrator
Alpha Red, Inc.
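
Added example, not part of the original message: one way an operator whose host is being used as a reflector could tell spoofed SYNs from real clients, by counting handshakes that never complete. The tcpdump-style lines, the reflector address 198.51.100.10, the client 203.0.113.7 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed capture as seen at a reflector (198.51.100.10, port 80 open).
SAMPLE = """\
17:02:01.100 IP 69.80.239.50.40001 > 198.51.100.10.80: Flags [S]
17:02:01.100 IP 198.51.100.10.80 > 69.80.239.50.40001: Flags [S.]
17:02:01.190 IP 69.80.239.50.40001 > 198.51.100.10.80: Flags [R]
17:02:01.200 IP 69.80.239.50.40002 > 198.51.100.10.80: Flags [S]
17:02:01.300 IP 69.80.239.50.40003 > 198.51.100.10.80: Flags [S]
17:02:01.400 IP 203.0.113.7.51000 > 198.51.100.10.80: Flags [S]
17:02:01.450 IP 203.0.113.7.51000 > 198.51.100.10.80: Flags [.]
"""

LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"Flags \[([A-Z.]+)\]"
)

def handshake_stats(lines, local_ip):
    """Per remote IP: SYNs received, handshakes completed, RSTs received."""
    syns, done, rsts = Counter(), Counter(), Counter()
    half_open = set()                  # (remote_ip, remote_port) awaiting ACK
    for line in lines:
        m = LINE.search(line)
        if not m or m.group(3) != local_ip:
            continue                   # only packets arriving at the reflector
        src, sport, flags = m.group(1), m.group(2), m.group(5)
        key = (src, sport)
        if flags == "S":               # new connection attempt
            syns[src] += 1
            half_open.add(key)
        elif "R" in flags:             # the real owner of the address rejects
            rsts[src] += 1             # our unsolicited SYN-ACK (backscatter)
            half_open.discard(key)
        elif flags == "." and key in half_open:
            done[src] += 1             # a genuine client finishes the handshake
            half_open.discard(key)
    return syns, done, rsts

def likely_spoofed(lines, local_ip, min_syns=3):
    """Sources with at least min_syns SYNs and no completed handshake."""
    syns, done, _ = handshake_stats(lines, local_ip)
    return sorted(ip for ip, n in syns.items()
                  if n >= min_syns and done[ip] == 0)

if __name__ == "__main__":
    print(likely_spoofed(SAMPLE.splitlines(), "198.51.100.10"))
```

A source that only ever sends SYNs and answers the SYN-ACK with a reset or with silence matches the victim's side of the reflection described above; where SYN-ACKs are rate limited at the victim's firewall, the resets will mostly be absent.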


