Reflection DDoS last week (was: syn flood attacks from NL-based netblocks)

Amir Herzberg amir.lists at
Thu Aug 22 01:45:54 UTC 2019

Töma, thanks for this interesting update. The best defense against this
type of DDoS attack seems indeed to be relaying to
sufficiently-large-bandwidth cloud/CDN, and filtering TCP traffic (received
not from the relay). Such relaying should be done well - smart attacks may
still be possible for 'naive' relaying.

On Wed, Aug 21, 2019 at 3:46 PM Töma Gavrichenkov <ximaera at> wrote:

> Peace,
> Here's to confirm that the pattern reported before in NANOG was indeed a
> reflection DDoS attack. On Sunday, it also hit our customer, here's the
> report:
> tl;dr: basically that was a rather massive reflected SYN/ACK carpet
> bombing against several datacenter prefixes (no particular target was
> identified).
> --
> Töma
> On Sat, Aug 17, 2019, 1:06 AM Jim Shankland <nanog at> wrote:
>> Greetings,
>> I'm seeing slow-motion (a few per second, per IP/port pair) syn flood
>> attacks ostensibly originating from 3 NL-based IP blocks:
>> ,, and ("ostensibly" because ... syn flood,
>> and BCP 38 not yet fully adopted).
>> Why is this syn flood different from all other syn floods? Well ...
>> 1. Rate seems too slow to do any actual damage (is anybody really
>> bothered by a few bad SYN packets per second per service, at this
>> point?); but
>> 2. IPs/port combinations with actual open services are being targeted
>> (I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs
>> with those services running), implying somebody checked for open
>> services first;
>> 3. I'm seeing this in at least 2 locations, to addresses in different,
>> completely unrelated ASes, implying it may be pretty widespread.
>> Is anybody else seeing the same thing? Any thoughts on what's going on?
>> Or should I just be ignoring this and getting on with the weekend?
>> Jim
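
An added sketch (not part of the thread) of how the pattern Jim describes could be picked out of inbound packet records: SYNs from a few source blocks, spread at a low rate over open services, whose handshakes never complete. The record layout, thresholds and function names are assumptions; the sample records are constructed and use RFC 5737 documentation addresses.

```python
import ipaddress
from collections import defaultdict

def build_sample():
    """Constructed records: (ts, src, sport, dst, dport, flags). RFC 5737 addresses."""
    recs = []
    for i in range(60):
        # SYNs at ~3/s per service from one source block; no handshake completes.
        src = f"198.51.100.{10 + i % 20}"
        recs.append((i / 3.0, src, 40000 + i, "192.0.2.10", 443, "S"))
        recs.append((i / 3.0, src, 50000 + i, "192.0.2.11", 22, "S"))
        # Ordinary client: SYN, then the final ACK of the three-way handshake.
        recs.append((float(i), "203.0.113.7", 30000 + i, "192.0.2.10", 443, "S"))
        recs.append((i + 0.05, "203.0.113.7", 30000 + i, "192.0.2.10", 443, "A"))
    return recs

def suspect_spoofed_syn_sources(records, prefix_len=24, min_conns=50, max_completion=0.05):
    """Return source prefixes whose SYNs to local services almost never complete."""
    syns, done = defaultdict(set), defaultdict(set)
    targets, times = defaultdict(set), defaultdict(list)
    for ts, src, sport, dst, dport, flags in sorted(records, key=lambda r: r[0]):
        prefix = str(ipaddress.ip_network(f"{src}/{prefix_len}", strict=False))
        conn = (src, sport, dst, dport)
        if flags == "S":
            syns[prefix].add(conn)
            targets[prefix].add((dst, dport))
            times[prefix].append(ts)
        elif flags == "A" and conn in syns[prefix]:
            done[prefix].add(conn)  # handshake finished, so the source is real
    findings = []
    for prefix, conns in syns.items():
        completion = len(done[prefix]) / len(conns)
        if len(conns) < min_conns or completion > max_completion:
            continue
        span = (max(times[prefix]) - min(times[prefix])) or 1.0
        findings.append({
            "prefix": prefix,
            "targets": len(targets[prefix]),
            "completion_ratio": completion,
            # Average SYN rate per destination IP/port pair, per second.
            "syn_per_target_per_s": len(times[prefix]) / span / len(targets[prefix]),
        })
    return findings

if __name__ == "__main__":
    for f in suspect_spoofed_syn_sources(build_sample()):
        print(f)
```

A prefix flagged here is a candidate spoofed source, that is, the likely victim of the reflected SYN/ACKs, rather than the party sending the packets.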
