On 10/31/19 5:25 AM, Adam Priestley wrote: >> I've been seeing a similar pattern for weeks now. Continuous flows of >> inbound SYNs towards all of our publicly reachable TCP services, often from >> thousands of addresses within a single AS. It always comes in over the same >> transit provider. > > This morning it's coming in with random source addresses inside > 185.40.12.0/22 and 194.187.172.0/22 with seemingly randomised TTLs. > I'd be curious to know if anyone else is seeing the same?
See that too, I've long regarded 185.40... as toxic swampy neigbourhood IP address space, though it's hard know if they are real source or spoofed victim in this case. Keith
