<div dir="ltr">Damian, sure, that's what I meant - it's possible, but only _if_ Jim's machines actually respond with multiple SYN-ACK packets. Which I _think_ Jim probably would have noticed. Or maybe not ? <div><br></div><div>btw, some TCP amplifications can be quite severe, if anyone wants I can send the citation to a nice paper exploring this issue. </div><div><br></div><div>BR... <br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>-- <div style="font-size:12.8px">Amir Herzberg<br></div><div style="font-size:12.8px">Comcast professor for security innovation</div><div style="font-size:12.8px">Dept. of Computer Science and Engineering, University of Connecticut</div><br class="gmail-Apple-interchange-newline"></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Aug 17, 2019 at 6:56 PM Damian Menscher <<a href="mailto:damian@google.com" target="_blank">damian@google.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">On Sat, Aug 17, 2019 at 3:36 PM Amir Herzberg <<a href="mailto:amir.lists@gmail.com" target="_blank">amir.lists@gmail.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">Hmm, I doubt this is the output of TCP amplification since Jim reported it as SYN spoofing, i.e., SYN packets, not SYN-ACK packets (as for typical TCP amplification). Unless the given _hosts_ respond with multiple SYN-ACKs in which case these may be experiments by an attacker to measure if these IP:ports could be abused as TCP amplifiers. </div></div></blockquote><div><br></div><div>Clarifying for those unfamiliar with this attack:</div><div> - Attacker is sending SYN packets spoofed "from" NL to Jim (and others)</div><div> - Jim (and others) have applications listening on those ports and respond with SYN-ACK packets to the victim in NL</div><div> - When the victim (NL) fails to complete the handshake (which they didn't initiate!) Jim (and others) sends another SYN-ACK</div><div><br></div><div>So they're not probing to see if Jim (and others) are abusable as TCP amplifiers... they've already determined they can be abused and are using those machines to conduct an actual attack against victims in NL.</div><div><br></div><div>Damian</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Aug 17, 2019 at 6:18 PM Damian Menscher via NANOG <<a href="mailto:nanog@nanog.org" target="_blank">nanog@nanog.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">On Fri, Aug 16, 2019 at 3:05 PM Jim Shankland <<a href="mailto:nanog@shankland.org" target="_blank">nanog@shankland.org</a>> wrote:</div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I'm seeing slow-motion (a few per second, per IP/port pair) syn flood <br>
attacks ostensibly originating from 3 NL-based IP blocks: <a href="http://88.208.0.0/18" rel="noreferrer" target="_blank">88.208.0.0/18</a> <br>
, <a href="http://5.11.80.0/21" rel="noreferrer" target="_blank">5.11.80.0/21</a>, and <a href="http://78.140.128.0/18" rel="noreferrer" target="_blank">78.140.128.0/18</a> ("ostensibly" because ... syn flood, <br>
and BCP 38 not yet fully adopted).<br><br>
Is anybody else seeing the same thing? Any thoughts on what's going on? <br>
Or should I just be ignoring this and getting on with the weekend?<br></blockquote><div><br></div><div>This appears to be a TCP amplification attack. Similar to UDP amplification (DNS, NTP, etc) you can get some amplification by sending a SYN packet with a spoofed source, and watching your victims receive multiple SYN-ACK retries. It's a fairly weak form of attack (as the amplification factor is small), but if the victim's gear is vulnerable to high packet rates it may be effective.<br><br></div><div>The victim (or law enforcement) could identify the true source of the attack by asking transit providers to check their netflow to see where it enters their networks.<br><br></div><div>Damian</div></div></div>
</blockquote></div></div>
</blockquote></div></div>
</blockquote></div>