* * * * *

                     I don't quite understand this attack

Blocking ssh login attempts is working [1], but I have noticed another odd
thing—the large number of TCP (Transmission Control Protocol) connections in
the SYN_RECV state. This is indicative of a SYN flood [2], but what's weird
is that it's not from any one source, but scores of sources. And it's not
enough to actually bring down my server.
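As an added illustration (this is not code from the original post), here is a
short Python script that reads `ss -tan` or `netstat -tan` output, counts the
peers sitting in SYN_RECV, and groups them by address block, so a scattered
many-source pattern like the one described above stands out from one noisy
source. The sample output, the /16 and /32 grouping, and the thresholds in
`classify()` are constructed for the example and would need tuning to a real
host's normal load.

```python
"""Summarise half-open (SYN_RECV) TCP connections by source address.

Added example, not from the original post: parses `ss -tan` or `netstat -tan`
style output, counts peers stuck in SYN_RECV, groups them by address block,
and says whether the pattern looks like one noisy source or many quiet ones.
The samples and thresholds below are constructed for illustration.
"""
from collections import Counter
import ipaddress
import subprocess

# Constructed sample in `ss -tan` layout (ss prints the state first, as SYN-RECV).
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port     Peer Address:Port
LISTEN    0      128    0.0.0.0:22             0.0.0.0:*
ESTAB     0      0      192.0.2.10:22          198.51.100.7:51234
SYN-RECV  0      0      192.0.2.10:80          203.0.113.4:40001
SYN-RECV  0      0      192.0.2.10:80          203.0.113.9:40002
SYN-RECV  0      0      192.0.2.10:80          203.0.113.77:40003
SYN-RECV  0      0      192.0.2.10:80          198.51.100.20:40004
SYN-RECV  0      0      192.0.2.10:80          198.51.100.21:40005
SYN-RECV  0      0      192.0.2.10:80          198.51.100.22:40006
SYN-RECV  0      0      192.0.2.10:443         198.51.100.23:40007
SYN-RECV  0      0      [2001:db8::10]:80      [2001:db8:1::5]:40008
"""

# Constructed sample in `netstat -tan` layout (state last, as SYN_RECV): a
# single source holding 25 half-open connections.
SAMPLE_NETSTAT_OUTPUT = "\n".join(
    f"tcp 0 0 192.0.2.10:80 203.0.113.50:{40000 + i} SYN_RECV" for i in range(25)
)


def _peer_address(field):
    """Strip the port (and IPv6 brackets) from 'addr:port' and return the address."""
    host = field.rsplit(":", 1)[0]
    return host[1:-1] if host.startswith("[") and host.endswith("]") else host


def parse_half_open(text):
    """Return the peer address of every connection in the SYN_RECV state."""
    peers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        # netstat puts the protocol first and the state last; ss puts the state first.
        state = fields[-1] if fields[0] in ("tcp", "tcp6") else fields[0]
        if state.replace("-", "_").upper() != "SYN_RECV":
            continue
        try:
            peers.append(str(ipaddress.ip_address(_peer_address(fields[4]))))
        except ValueError:
            continue  # header line or a wildcard such as 0.0.0.0:*
    return peers


def summarise(peers, v4_prefix=16, v6_prefix=32):
    """Count half-open connections per source address and per address block."""
    per_source = Counter(peers)
    per_block = Counter()
    for ip, n in per_source.items():
        addr = ipaddress.ip_address(ip)
        plen = v4_prefix if addr.version == 4 else v6_prefix
        block = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        per_block[str(block)] += n
    return {"total": sum(per_source.values()), "sources": len(per_source),
            "per_source": per_source, "per_block": per_block}


def classify(summary, min_total=5, single_source_threshold=10):
    """Label the pattern; thresholds are illustrative and host-specific."""
    if summary["total"] < min_total:
        return "quiet"
    if summary["per_source"].most_common(1)[0][1] >= single_source_threshold:
        return "single-source"
    return "distributed"


def report(text):
    """Human-readable summary: totals, verdict, and the busiest address blocks."""
    summary = summarise(parse_half_open(text))
    lines = [f"{summary['total']} half-open connections from "
             f"{summary['sources']} sources: {classify(summary)}"]
    for block, n in summary["per_block"].most_common(5):
        lines.append(f"  {block:<22} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Use the live socket table when `ss` is available, else fall back to the sample.
    try:
        live = subprocess.run(["ss", "-tan"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        live = ""
    print(report(live or SAMPLE_SS_OUTPUT))
    print(report(SAMPLE_NETSTAT_OUTPUT))
```

Grouping by /16 is a crude stand-in for "which network is this coming from";
it makes the many-blocks, few-connections-each shape visible without any
external lookup, which is what distinguishes the pattern above from a
conventional single-source flood. A per-source count that never climbs is also
the reason address-block firewall rules keep missing.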

I spent a few hours playing “whack-a-mole” with the attacks, blocking large
address spaces from connecting to my server, only to have the attack die down
for about five minutes then kick back up from a score of different blocks.
The only thing in common is that all the blocks seem to be from Europe.

And this is what I don't understand about this attack. It's not large enough
to bring down my server (although I have SYN cookies [3] enabled and that
might be keeping this at bay) and it's from all over European IP (Internet
Protocol) space. I don't get who's getting attacked here. It could easily be
spoofed packets being sent, but what's the goal here?

It's all very weird.

[1] gopher://gopher.conman.org/0Phlog:2020/04/02.1
[2] https://en.wikipedia.org/wiki/SYN_flood
[3] https://en.wikipedia.org/wiki/SYN_cookies

Email author at [email protected]