On 8/17/19 3:16 PM, Damian Menscher wrote:
> On Fri, Aug 16, 2019 at 3:05 PM Jim Shankland <na...@shankland.org> wrote:
>> I'm seeing slow-motion (a few per second, per IP/port pair) SYN flood
>> attacks ostensibly originating from 3 NL-based IP blocks:
>> 88.208.0.0/18, 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" because ... SYN flood,
>> and BCP 38 not yet fully adopted).
>>
>> Is anybody else seeing the same thing? Any thoughts on what's
>> going on?
>>
>> Or should I just be ignoring this and getting on with the weekend?
> This appears to be a TCP amplification attack. Similar to UDP
> amplification (DNS, NTP, etc.), you can get some amplification by
> sending a SYN packet with a spoofed source, and watching your victims
> receive multiple SYN-ACK retries. It's a fairly weak form of attack
> (as the amplification factor is small), but if the victim's gear is
> vulnerable to high packet rates it may be effective.
That thought crossed my mind, but it seems to me that the weak
amplification factor, plus the broadly distributed set of forged source
addresses (within the blocks cited above), would make the attack
ineffective -- the whole point of DDoS being to focus a broadly
distributed set of (illegitimately obtained) source resources on a
narrow set of destination targets. Attacking 2 /18 blocks plus a /21
block in parallel with a weak-amplification attack doesn't look like a
successful DDoS strategy to me.
Jim
> The victim (or law enforcement) could identify the true source of the
> attack by asking transit providers to check their netflow to see where
> it enters their networks.
>
> Damian
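The thread describes the same traffic from two vantage points: the network whose hosts answer the spoofed SYNs (Jim's side, which sees a slow, widely sourced SYN flood with handshakes that never complete) and the network whose addresses were forged (the NL blocks, which receive SYN-ACKs they never solicited, retransmitted several times per spoofed SYN). The following is an added example, not code from anyone in the thread, showing how a defender could recognise both patterns in packet summaries and estimate the observed amplification from the SYN-ACK retry count. All packet records are constructed; the prefixes are the three blocks from Jim's message, the other addresses are RFC 5737 documentation ranges, and the six-packet SYN-ACK train mirrors a Linux responder with the default tcp_synack_retries of 5.

```python
"""Spot SYN-ACK reflection from the victim side and the reflector side.

Record format (constructed for this example, not a real capture):
    (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags, direction)
where direction is "in" or "out" relative to the monitored network and
tcp_flags is "S" (SYN), "SA" (SYN-ACK) or "A" (ACK).
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Victim side: our address 88.208.1.1 made one legitimate connection, and
# 203.0.113.10:443 keeps sending SYN-ACKs we never asked for (1 initial +
# 5 retransmits, spaced like Linux's exponential SYN-ACK backoff).
VICTIM_SIDE = [
    (0.00, "88.208.1.1", 52000, "198.51.100.5", 80, "S", "out"),
    (0.02, "198.51.100.5", 80, "88.208.1.1", 52000, "SA", "in"),
] + [
    (t, "203.0.113.10", 443, "88.208.1.1", 40000, "SA", "in")
    for t in (1.0, 2.0, 4.0, 8.0, 16.0, 32.0)
]

# Reflector side: our server 192.0.2.1:443 gets low-rate SYNs from many
# addresses in the suspect blocks that never complete the handshake, plus
# one normal client that does.
REFLECTOR_SIDE = [
    (0.00, "88.208.1.5", 40000, "192.0.2.1", 443, "S", "in"),
    (0.01, "192.0.2.1", 443, "88.208.1.5", 40000, "SA", "out"),
    (0.30, "88.208.2.6", 40001, "192.0.2.1", 443, "S", "in"),
    (0.60, "5.11.81.7", 40002, "192.0.2.1", 443, "S", "in"),
    (0.90, "198.51.100.9", 51000, "192.0.2.1", 443, "S", "in"),
    (0.95, "198.51.100.9", 51000, "192.0.2.1", 443, "A", "in"),
]

SUSPECT_PREFIXES = ["88.208.0.0/18", "5.11.80.0/21", "78.140.128.0/18"]


def unsolicited_synacks(records):
    """Victim side: inbound SYN-ACKs with no earlier outbound SYN for that flow.

    Returns {(responder_ip, responder_port, our_ip, our_port): synack_count}.
    A count above 1 per flow is the responder's retransmission train, i.e.
    the amplification the thread talks about.
    """
    sent_syns = set()
    hits = Counter()
    for _t, src, sport, dst, dport, flags, direction in sorted(records, key=lambda r: r[0]):
        if direction == "out" and flags == "S":
            sent_syns.add((src, sport, dst, dport))
        elif direction == "in" and flags == "SA":
            # A legitimate SYN-ACK answers our SYN with the endpoints swapped.
            if (dst, dport, src, sport) not in sent_syns:
                hits[(src, sport, dst, dport)] += 1
    return hits


def observed_amplification(hits):
    """Average number of SYN-ACKs received per unsolicited flow (0.0 if none)."""
    if not hits:
        return 0.0
    return sum(hits.values()) / len(hits)


def half_open_syns_by_prefix(records, prefixes):
    """Reflector side: inbound SYNs from the given prefixes never followed by an ACK.

    Returns {prefix: {"half_open_syns": n, "distinct_sources": m}} so that a
    broad spread of sources with a low per-source rate, as in the thread,
    stands out from a single misbehaving client.
    """
    nets = [ip_network(p) for p in prefixes]
    syns, completed = {}, set()
    for t, src, sport, dst, dport, flags, direction in records:
        if direction != "in":
            continue
        key = (src, sport, dst, dport)
        if flags == "S":
            syns[key] = t
        elif flags == "A" and key in syns:
            completed.add(key)

    counts = Counter()
    sources = defaultdict(set)
    for key in syns:
        if key in completed:
            continue
        src = ip_address(key[0])
        for net in nets:
            if src in net:
                counts[str(net)] += 1
                sources[str(net)].add(key[0])
    return {p: {"half_open_syns": counts[p], "distinct_sources": len(sources[p])}
            for p in counts}


if __name__ == "__main__":
    hits = unsolicited_synacks(VICTIM_SIDE)
    print("unsolicited SYN-ACK flows:", dict(hits))
    print("observed amplification (SYN-ACKs per spoofed SYN):",
          observed_amplification(hits))
    print("half-open SYNs by prefix:",
          half_open_syns_by_prefix(REFLECTOR_SIDE, SUSPECT_PREFIXES))
```

On the reflector side the interesting signal is the combination: many distinct sources concentrated in a few prefixes, each sending at a trickle, and none finishing the handshake. On the victim side it is SYN-ACKs arriving for connections the host never opened, each repeated several times by the responder's retransmission timer; that repeat count is the amplification factor Damian refers to, and the half-open state on the reflector is the cost Jim is paying for someone else's attack.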