Syn flood to TCP port 21 from privileged port (80)

Ken Chase math at
Tue Nov 1 19:29:09 UTC 2016

seeing an awful lot of port 80 hitting port 21. (Why would port 80
ever be used as source?). Also saw a buncha cpanel "FAILED: FTP" alerts flickering
on and off as the service throttled itself at a couple client sites I manage.

I see 540 unique source IPs hitting 32 destinations on my network in just 1000
packets dumped on one router. 

All from multiple sequential registered /24s in whois, but all from one
management company: and

role:           William Hill Network Services
abuse-mailbox:  networkservices at
address:        Infrastructure Services 2 City Walk Sweet Street Leeds LS11 9AR


course, synfloods can be spoofed... perhaps they're hoping for a retaliation
against WHNS.


On Tue, Nov 01, 2016 at 09:44:23PM +0300, Oleg A. Arkhangelsky said:
  >A couple of cuts from tcpdump output:
  >21:31:54.995170 IP > Flags [S], seq 1376379765, win 8192, length 0
  >21:31:55.231925 IP > Flags [S], seq 2254756684, win 8192, length 0
  >21:27:50.413927 IP > Flags [S], seq 3619475318, win 8192, length 0
  >21:27:50.477014 IP > Flags [S], seq 2412690982, win 8192, length 0
  >Is anyone seeing this right now (18:31 UTC)? I see this traffic
  >on at least two completely independent ISPs near Moscow. The
  >rate is about a few dozen PPS hitting all BGP-announced networks.
  >wbr, Oleg.
Ken Chase - math at Guelph Canada
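
Added example, not part of the original thread: one way to reproduce the tally described above (unique sources and destinations for bare SYNs from port 80 to port 21) from `tcpdump -n` text output, grouped by source /24. The sample lines are constructed with RFC 5737 documentation addresses, and the function and field names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -n` text format. Addresses are RFC 5737
# documentation ranges, not values from the thread.
SAMPLE = """\
21:31:54.995170 IP 192.0.2.10.80 > 203.0.113.5.21: Flags [S], seq 1376379765, win 8192, length 0
21:31:55.231925 IP 192.0.2.11.80 > 203.0.113.9.21: Flags [S], seq 2254756684, win 8192, length 0
21:31:55.300112 IP 198.51.100.7.80 > 203.0.113.5.21: Flags [S], seq 3619475318, win 8192, length 0
21:31:55.400001 IP 192.0.2.10.80 > 203.0.113.9.21: Flags [S], seq 2412690982, win 8192, length 0
21:31:55.500000 IP 198.51.100.200.51514 > 203.0.113.5.21: Flags [S], seq 99, win 29200, length 0
21:31:55.600000 IP 203.0.113.5.21 > 192.0.2.10.80: Flags [S.], seq 7, ack 1376379766, win 14600, length 0
"""

# src_ip.src_port > dst_ip.dst_port: Flags [...]
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]"
)


def summarize(text, sport=80, dport=21):
    """Tally bare SYNs (flags exactly 'S') sent from sport to dport."""
    sources, dests, by_net = set(), set(), Counter()
    packets = 0
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an IPv4 TCP line in the expected format
        src, sp, dst, dp, flags = m.groups()
        # Skip SYN-ACKs ('S.'), normal client SYNs from ephemeral ports,
        # and anything not aimed at the FTP control port.
        if flags != "S" or int(sp) != sport or int(dp) != dport:
            continue
        packets += 1
        sources.add(src)
        dests.add(dst)
        # Group by source /24; the sources may be spoofed, so this shows
        # which prefixes appear in the headers, not who is sending.
        by_net[src.rsplit(".", 1)[0] + ".0/24"] += 1
    return {"packets": packets, "sources": len(sources),
            "destinations": len(dests), "by_src_24": dict(by_net)}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```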

