Re: [uknof] SYN_RECV
On 10/31/19 5:25 AM, Adam Priestley wrote: >> I've been seeing a similar pattern for weeks now. Continuous flows of >> inbound SYNs towards all of our publicly reachable TCP services, often from >> thousands of addresses within a single AS. It always comes in over the same >> transit provider. > > This morning it's coming in with random source addresses inside > 185.40.12.0/22 and 194.187.172.0/22 with seemingly randomised TTLs. > I'd be curious to know if anyone else is seeing the same? See that too, I've long regarded 185.40... as toxic swampy neigbourhood IP address space, though it's hard know if they are real source or spoofed victim in this case. Keith
Re: [uknof] SYN_RECV
On Wed, 30 Oct 2019 at 09:30, Adam Priestley wrote: > It's a low level of amplification, but for each SYN received you'll typically > send back several SYN/ACKs. There's a thread about it on nanog: > https://mailman.nanog.org/pipermail/nanog/2019-August/102713.html > I've been seeing a similar pattern for weeks now. Continuous flows of inbound > SYNs towards all of our publicly reachable TCP services, often from thousands > of addresses within a single AS. It always comes in over the same transit > provider. This morning it's coming in with random source addresses inside 185.40.12.0/22 and 194.187.172.0/22 with seemingly randomised TTLs. I'd be curious to know if anyone else is seeing the same?