Hi,
Same happened in Lebanon(country). Similar pattern: carpet bombing for
multiple prefixes of specific ASN.
I suspect it is a new trend in DDoS-for-hire, and ISP who did not
install data scrubbing appliances will feel severe pain from such
attacks, since they use SYN + ACK from legit servers.
On 2019-08-21 22:44, Töma Gavrichenkov wrote:
Peace,
Here's to confirm that the pattern reported before in NANOG was indeed
a reflection DDoS attack. On Sunday, it also hit our customer, here's
the report:
https://www.prnewswire.com/news-releases/root-cause-analysis-and-incident-report-on-the-august-ddos-attack-300905405.html
tl;dr: basically that was a rather massive reflected SYN/ACK carpet
bombing against several datacenter prefixes (no particular target was
identified).
--
Töma
On Sat, Aug 17, 2019, 1:06 AM Jim Shankland <na...@shankland.org>
wrote:
Greetings,
I'm seeing slow-motion (a few per second, per IP/port pair) syn
flood
attacks ostensibly originating from 3 NL-based IP blocks:
88.208.0.0/18 [1]
, 5.11.80.0/21 [2], and 78.140.128.0/18 [3] ("ostensibly" because
... syn flood,
and BCP 38 not yet fully adopted).
Why is this syn flood different from all other syn floods? Well ...
1. Rate seems too slow to do any actual damage (is anybody really
bothered by a few bad SYN packets per second per service, at this
point?); but
2. IPs/port combinations with actual open services are being
targeted
(I'm seeing ports 22, 443, and 53, just at a glance, to specific IPs
with those services running), implying somebody checked for open
services first;
3. I'm seeing this in at least 2 locations, to addresses in
different,
completely unrelated ASes, implying it may be pretty widespread.
Is anybody else seeing the same thing? Any thoughts on what's going
on?
Or should I just be ignoring this and getting on with the weekend?
Jim
Links:
------
[1] http://88.208.0.0/18
[2] http://5.11.80.0/21
[3] http://78.140.128.0/18