syn flood attacks from NL-based netblocks

Troy Mursch troy at wolvtech.com
Fri Aug 16 22:48:49 UTC 2019


The traffic "from" 88.208.0.0/18, 5.11.80.0/21, and 78.140.128.0/18 doesn't
match the packet signatures for Masscan, ZMap, or any other well-known
scanner. The traffic is likely spoofed.

__

*Troy Mursch*

@bad_packets

On Fri, Aug 16, 2019 at 3:28 PM Jared Smith <jms at vols.utk.edu> wrote:

> I would think Shodan/Zmap/pick your multi-IP-block-scanning-tool would
> portray similar behavior.
>
> Echoing Matt’s “probably shouldn’t worry” sentiment, this could just be
> someone running an incantation of such tools for research or recreational
> purposes.
>
> Best,
> Jared
> On Aug 16, 2019, 18:21 -0400, Matt Harris wrote:
>
> On Fri, Aug 16, 2019 at 5:05 PM Jim Shankland <nanog at shankland.org> wrote:
>
> 1. Rate seems too slow to do any actual damage (is anybody really
> bothered by a few bad SYN packets per second per service, at this
> point?); but
>
>
> Common technique used by port scanners to evade detection as a DoS attack
> by fw/ids/etc.
>
> 2. IPs/port combinations with actual open services are being targeted
> (I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs
> with those services running), implying somebody checked for open
> services first;
>
>
> Or they're just checking if certain common ports are open with the
> intention of later trying known exploits against those which are reachable
> in order to attempt to compromise the hosts. Build the DB of reachable
> hosts/ports now, come back with exploits later.
>
> 3. I'm seeing this in at least 2 locations, to addresses in different,
> completely unrelated ASes, implying it may be pretty widespread.
>
>
> Sounds like a relatively common pattern though.
>
> Is anybody else seeing the same thing? Any thoughts on what's going on?
> Or should I just be ignoring this and getting on with the weekend?
>
>
> I wouldn't worry too much about it unless you have reason to believe some
> of the likely-forthcoming exploits may actually work. Of course, if that's
> the case, you should fix them anyhow.
>
> Have a good weekend!
>
>
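As an added example (not part of the original thread or any poster's tooling), here is one way to test captured SYN packets against the publicly documented default fingerprints of the two scanners named above: ZMap's static IP ID of 54321, and Masscan's IP ID equal to the low 16 bits of destination address XOR destination port XOR TCP sequence number. The function names and sample packets are constructed for illustration.

```python
import socket
import struct

ZMAP_IP_ID = 54321  # ZMap's default: every probe carries this static IP ID


def build_syn(src, dst, sport, dport, seq, ip_id, flags=0x02):
    """Constructed sample data: minimal IPv4+TCP header pair, checksums left 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                      1024, 0, 0)
    return ip + tcp


def classify_syn(pkt):
    """Return 'zmap', 'masscan', 'unknown' or 'not-syn' for a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return "not-syn"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 14:
        return "not-syn"
    ip_id = struct.unpack("!H", pkt[4:6])[0]
    dst = struct.unpack("!I", pkt[16:20])[0]
    _sport, dport, seq, _ack, _off, flags = struct.unpack(
        "!HHIIBB", pkt[ihl:ihl + 14])
    if flags & 0x12 != 0x02:          # want SYN set and ACK clear
        return "not-syn"
    if ip_id == ZMAP_IP_ID:
        return "zmap"
    # Masscan default: IP ID = low 16 bits of (dst address XOR dst port XOR seq)
    if ip_id == (dst ^ dport ^ seq) & 0xFFFF:
        return "masscan"
    return "unknown"                   # neither default fingerprint present


if __name__ == "__main__":
    # Constructed packets using documentation address ranges (RFC 5737).
    common = ("192.0.2.10", "198.51.100.7", 40000, 443, 0x1234ABCD)
    for label, ip_id in (("static id", 54321), ("xor id", 0xCE71),
                         ("arbitrary id", 0x1A2B)):
        print(label, "->", classify_syn(build_syn(*common, ip_id)))
```

An "unknown" result only means neither default fingerprint is present; it does not by itself show that the source address is spoofed, and a modified build of either tool need not keep these defaults.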