4 points by todsacerdoti 4 hours ago | 3 comments
  • rolph 3 hours ago
    just looks like a SYN flood with spoofed address.

    attacker crafts packets with a forged return IP.

    they SYN as many of your ports and IPs, you send SYN-ACK to the spoofed IP destination, the destination knows it didn't SYN you and refuses to ACK the connection.

    long TTL keeps the connection open longer, and it builds up to a DDOS for you when your ports are all half open.

    depending on the real owner of the spoofed IP, they might blacklist your IP for spraying them with syn-ack.

    • spc476 3 hours ago
      Yes.

      Yes.

      No, it's always port 443. But yes, the destination doesn't ACK the connection.

      No, the TTL just means it can make more hops; it doesn't mean the connection is kept open for longer.

      No, the IP addresses are unique and rarely repeat.
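As an added illustration of the behaviour described in this exchange (not part of the thread, nor spc476's own tooling): a small Python script that reads a constructed inbound-packet log for the server address mentioned below in the thread (66.252.224.242), counts SYNs that never get a completing ACK from the same source, and checks how rarely sources repeat and how concentrated the target port is. Source addresses are constructed from documentation ranges, and the thresholds are illustrative assumptions.

```python
from collections import Counter

# Constructed inbound-packet log (not a real capture). Fields: time src dst dport flags ttl;
# "S" = SYN from the remote host, "A" = the ACK that completes the handshake.
SAMPLE_LOG = """\
0.001 198.51.100.10 66.252.224.242 443 S 64
0.002 198.51.100.11 66.252.224.242 443 S 64
0.003 198.51.100.12 66.252.224.242 443 S 64
0.004 198.51.100.13 66.252.224.242 443 S 64
0.005 203.0.113.5 66.252.224.242 443 S 128
0.006 203.0.113.5 66.252.224.242 443 A 128
0.007 198.51.100.14 66.252.224.242 443 S 64
0.008 203.0.113.6 66.252.224.242 80 S 128
0.009 203.0.113.6 66.252.224.242 80 A 128
0.010 198.51.100.15 66.252.224.242 443 S 64
0.011 198.51.100.16 66.252.224.242 443 S 64
0.012 198.51.100.17 66.252.224.242 443 S 64
"""

def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport, flags, ttl = line.split()
        records.append({"time": float(t), "src": src, "dst": dst,
                        "dport": int(dport), "flags": flags, "ttl": int(ttl)})
    return records

def syn_flood_metrics(records, dst):
    """Summarise SYN behaviour toward one destination: half-open share, source reuse, top port."""
    syns = [r for r in records if r["dst"] == dst and "S" in r["flags"]]
    acked = {(r["src"], r["dport"]) for r in records
             if r["dst"] == dst and "A" in r["flags"]}
    half_open = sum(1 for r in syns if (r["src"], r["dport"]) not in acked)
    return {
        "syn_total": len(syns),
        "half_open": half_open,
        "half_open_ratio": half_open / len(syns) if syns else 0.0,
        "unique_src_ratio": len({r["src"] for r in syns}) / len(syns) if syns else 0.0,
        "top_port": Counter(r["dport"] for r in syns).most_common(1)[0][0] if syns else None,
    }

def is_suspected_spoofed_syn_flood(m, half_open_threshold=0.75, unique_threshold=0.9):
    """Thresholds are illustrative assumptions; a spoofed flood shows mostly half-open SYNs from non-repeating sources."""
    return m["half_open_ratio"] >= half_open_threshold and m["unique_src_ratio"] >= unique_threshold
```

On the sample, 8 of 10 SYNs stay half-open, every source appears once, and port 443 dominates, which is the pattern the thread describes; the two legitimate sources that ACK are not counted as half-open.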

  • fennec-posix 4 hours ago
    The destination IP has some high-value octets, almost wondering if it's a software bug in something out there:

    Address: 66.252.224.242 01000010.11111100.11100000.11110010

    Maybe a long forgotten server with some ancient malware that keeps being moved around...

    Mysterious

    • spc476 3 hours ago
      The destination IP address is my server, the one being attacked. I don't see the significance of the high-value octets.
      • fennec-posix 2 hours ago
        all good, probably just me seeing patterns.
  • epc 4 hours ago
    Is it just the classic (1996-1997 era?) SYN-ACK attack?