Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Mike
On 8/16/19 3:04 PM, Jim Shankland wrote: > Greetings, > > I'm seeing slow-motion (a few per second, per IP/port pair) syn flood > attacks ostensibly originating from 3 NL-based IP blocks: > 88.208.0.0/18, 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" > because ... syn flood, and BCP 38 not yet f

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Jim Shankland
On 8/17/19 3:16 PM, Damian Menscher wrote: On Fri, Aug 16, 2019 at 3:05 PM Jim Shankland wrote: I'm seeing slow-motion (a few per second, per IP/port pair) syn flood attacks ostensibly originating from 3 NL-based IP blocks: 88.208.0.0/18

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Amir Herzberg
Damian, sure, that's what I meant - it's possible, but only _if_ Jim's machines actually respond with multiple SYN-ACK packets. Which I _think_ Jim probably would have noticed. Or maybe not? btw, some TCP amplifications can be quite severe, if anyone wants I can send the citation to a nice paper

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Damian Menscher via NANOG
On Sat, Aug 17, 2019 at 3:36 PM Amir Herzberg wrote: > Hmm, I doubt this is the output of TCP amplification since Jim reported it > as SYN spoofing, i.e., SYN packets, not SYN-ACK packets (as for typical TCP > amplification). Unless the given _hosts_ respond with multiple SYN-ACKs in > which case

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Amir Herzberg
Hmm, I doubt this is the output of TCP amplification since Jim reported it as SYN spoofing, i.e., SYN packets, not SYN-ACK packets (as for typical TCP amplification). Unless the given _hosts_ respond with multiple SYN-ACKs in which case these may be experiments by an attacker to measure if these IP

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Damian Menscher via NANOG
On Fri, Aug 16, 2019 at 3:05 PM Jim Shankland wrote: > I'm seeing slow-motion (a few per second, per IP/port pair) syn flood > attacks ostensibly originating from 3 NL-based IP blocks: 88.208.0.0/18, > 5.11.80.0/21, and 78.140.128.0/18 ("ostensibly" because ... syn flood, > and BCP 38 not yet fu

Re: syn flood attacks from NL-based netblocks

2019-08-17 Thread Töma Gavrichenkov
On Sat, Aug 17, 2019, 4:59 AM Jim Shankland wrote: > On 8/16/19 3:50 PM, Emille Blanc wrote: > Thanks for the various responses. The pattern I (and apparently quite a > few others) are seeing differs from an ordinary probe in that it is > repeated a few times per second (if somebody wants to know