Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)
ximaera at gmail.com
Wed Aug 21 19:44:00 UTC 2019
Here's to confirm that the pattern reported before in NANOG was indeed a
reflection DDoS attack. On Sunday, it also hit our customer, here's the
tl;dr: basically that was a rather massive reflected SYN/ACK carpet bombing
against several datacenter prefixes (no particular target was identified).
On Sat, Aug 17, 2019, 1:06 AM Jim Shankland <nanog at shankland.org> wrote:
> I'm seeing slow-motion (a few per second, per IP/port pair) syn flood
> attacks ostensibly originating from 3 NL-based IP blocks: 220.127.116.11/18,
> 18.104.22.168/21, and 22.214.171.124/18 ("ostensibly" because ... syn flood,
> and BCP 38 not yet fully adopted).
> Why is this syn flood different from all other syn floods? Well ...
> 1. Rate seems too slow to do any actual damage (is anybody really
> bothered by a few bad SYN packets per second per service, at this
> point?); but
> 2. IPs/port combinations with actual open services are being targeted
> (I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs
> with those services running), implying somebody checked for open
> services first;
> 3. I'm seeing this in at least 2 locations, to addresses in different,
> completely unrelated ASes, implying it may be pretty widespread.
> Is anybody else seeing the same thing? Any thoughts on what's going on?
> Or should I just be ignoring this and getting on with the weekend?
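The pattern in the quoted report (a few SYNs per second per IP/port pair, aimed at open services, from a handful of source netblocks) stays under per-service rate alarms and only stands out when inbound SYNs are aggregated by source prefix. The following is an added example, not part of the original thread, of that aggregation on the reflector side; the record format, thresholds and documentation-range addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

def build_sample():
    """Constructed inbound packets: (time_s, src_ip, dst_ip, dst_port, flag)."""
    services = [("192.0.2.10", 22), ("192.0.2.20", 443),
                ("192.0.2.30", 53), ("192.0.2.40", 443)]  # our open services
    pkts = []
    for t in range(10):
        for i, (dst, port) in enumerate(services):
            for k in range(2):  # 2 SYN/s per service, handshake never completed
                src = f"198.51.100.{(t * 8 + i * 2 + k) % 254 + 1}"
                pkts.append((t, src, dst, port, "S"))
        # Ordinary client: every SYN is followed by the handshake-completing ACK.
        pkts.append((t, "203.0.113.77", "192.0.2.20", 443, "S"))
        pkts.append((t, "203.0.113.77", "192.0.2.20", 443, "A"))
    return pkts

def reflection_suspects(pkts, prefix_len=24, min_targets=3, max_completion=0.05):
    """Source prefixes sending SYNs to many local services without completing.

    Simplification: a flow is (src, dst, dst_port); source ports are ignored.
    """
    syns = defaultdict(lambda: defaultdict(int))   # prefix -> flow -> SYN count
    acked = defaultdict(set)                       # prefix -> flows that sent an ACK
    times = defaultdict(set)                       # prefix -> seconds with SYNs
    for t, src, dst, port, flag in pkts:
        net = str(ipaddress.ip_network(f"{src}/{prefix_len}", strict=False))
        if flag == "S":
            syns[net][(src, dst, port)] += 1
            times[net].add(t)
        elif flag == "A":
            acked[net].add((src, dst, port))
    suspects = {}
    for net, flows in syns.items():
        targets = {(dst, port) for _, dst, port in flows}
        total = sum(flows.values())
        completed = sum(n for flow, n in flows.items() if flow in acked[net])
        seconds = max(times[net]) - min(times[net]) + 1
        if len(targets) >= min_targets and completed / total <= max_completion:
            suspects[net] = {
                "targets": len(targets),
                "syn_per_target_per_s": total / seconds / len(targets),
                "completion": completed / total,
            }
    return suspects

if __name__ == "__main__":
    print(reflection_suspects(build_sample()))
```

A prefix flagged this way is more likely the spoofed victim receiving the reflected SYN/ACKs than the true origin of the SYNs, so the result is better used to rate-limit SYN/ACK responses toward that prefix than to attribute the traffic.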