syn flood attacks from NL-based netblocks
nanog at shankland.org
Fri Aug 16 22:04:39 UTC 2019
I'm seeing slow-motion (a few per second, per IP/port pair) syn flood
attacks ostensibly originating from 3 NL-based IP blocks: 126.96.36.199/18,
188.8.131.52/21, and 184.108.40.206/18 ("ostensibly" because ... syn flood,
and BCP 38 not yet fully adopted).
Why is this syn flood different from all other syn floods? Well ...
1. Rate seems too slow to do any actual damage (is anybody really
bothered by a few bad SYN packets per second per service, at this
2. IPs/port combinations with actual open services are being targeted
(I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs
with those services running), implying somebody checked for open
3. I'm seeing this in at least 2 locations, to addresses in different,
completely unrelated ASes, implying it may be pretty widespread.
Is anybody else seeing the same thing? Any thoughts on what's going on?
Or should I just be ignoring this and getting on with the weekend?
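
An added triage example, not part of the original message: it tallies bare SYNs per destination IP/port pair from watched source prefixes, so the "few per second, per IP/port pair" rate can be measured. The prefixes, addresses and capture lines are constructed (RFC 5737 documentation ranges), and the `tcpdump -tt -n` text input format is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed prefixes (RFC 5737 documentation ranges) standing in for the
# source netblocks named in the post.
WATCHED = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed capture in `tcpdump -tt -n` text form. [S] is a bare SYN, [S.] a SYN-ACK.
SAMPLE = """\
1565992800.000000 IP 192.0.2.10.40001 > 203.0.113.5.22: Flags [S], seq 1, win 1024, length 0
1565992800.500000 IP 198.51.100.7.40002 > 203.0.113.5.22: Flags [S], seq 2, win 1024, length 0
1565992801.000000 IP 192.0.2.99.40003 > 203.0.113.5.443: Flags [S], seq 3, win 1024, length 0
1565992801.500000 IP 192.0.2.10.40004 > 203.0.113.5.22: Flags [S], seq 4, win 1024, length 0
1565992802.000000 IP 203.0.113.200.51000 > 203.0.113.5.22: Flags [S], seq 5, win 64240, length 0
1565992802.500000 IP 203.0.113.5.22 > 203.0.113.200.51000: Flags [S.], seq 6, ack 6, win 65160, length 0
1565992803.000000 IP 198.51.100.8.40005 > 203.0.113.5.22: Flags [S], seq 7, win 1024, length 0
1565992804.000000 IP 192.0.2.200.40006 > 203.0.113.5.443: Flags [S], seq 8, win 1024, length 0
"""

LINE = re.compile(r"^(\d+\.\d+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([^\]]+)\]")


def syn_rates(text, watched=WATCHED):
    """Map (dst_ip, dst_port) -> (bare SYNs, distinct sources, SYNs/second)
    for SYNs whose claimed source address falls inside a watched prefix."""
    stamps, hits = [], defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport, flags = m.groups()
        stamps.append(float(ts))          # every parsed packet sets the capture span
        if flags != "S":                  # skip SYN-ACKs, ACKs, RSTs
            continue
        if any(ipaddress.ip_address(src) in net for net in watched):
            hits[(dst, int(dport))].append(src)
    duration = (max(stamps) - min(stamps)) if len(stamps) > 1 else 0.0
    return {
        pair: (len(srcs), len(set(srcs)), round(len(srcs) / duration, 2) if duration else None)
        for pair, srcs in hits.items()
    }


if __name__ == "__main__":
    for (dst, port), (n, uniq, rate) in sorted(syn_rates(SAMPLE).items()):
        print(f"{dst}:{port}  syns={n}  sources={uniq}  rate={rate}/s")
```

The source address in each SYN is only what the packet claims, so the per-prefix tally describes the traffic as seen at the receiver, not its true origin.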