On Sat, Aug 17, 2019, 4:59 AM Jim Shankland <na...@shankland.org> wrote:
> On 8/16/19 3:50 PM, Emille Blanc wrote: > Thanks for the various responses. The pattern I (and apparently quite a > few others) are seeing differs from an ordinary probe in that it is > repeated a few times per second (if somebody wants to know who has a > visible ssh server on port 22, and what version of sshd is running, they > don't have to hit it multiple times per second). It differs from a SYN > flood DoS attack in that its rate is too low to be effective. And it > differs from both a port probe and a SYN flood attack (or somebody > "learning how to use nmap") in that it is targeting a broad set of > destinations in parallel > Seen a similar pattern a few years ago. Discovered it's a couple of students basically developing mass scanning software for a bachelor's degree who forgot to turn the running code off production before the summer break. That's the white noise of the Internet. Unless it's hitting you multiple thousand times/s as opposed to multiple times/s, it's only a matter of unpaid curiosity to start figuring out the reason. I guess Amazon or microsoft dot com have quite a museum of that staff. -- Töma >
