I still don't understand this SYN attack, but now I can block it easily
4 points | 1 hour ago | 3 comments | boston.conman.org | HN
rolph
40 minutes ago
Just looks like a SYN flood with a spoofed address.

Attacker crafts packets with a forged return IP.

They SYN as many of your ports and IPs as they can; you send a SYN-ACK to the spoofed IP destination; the destination knows it didn't SYN you and refuses to ACK the connection.

Long TTL keeps the connection open longer, and it builds up to a DDoS for you when your ports are all half open.

Depending on the real owner of the spoofed IP, they might blacklist your IP for spraying them with SYN-ACKs.

spc476
17 minutes ago
Yes.

Yes.

No, it's always port 443. But yes, the destination doesn't ACK the connection.

No, the TTL just means it can make more hops; it doesn't mean the connection is kept open for longer.

No, the IP addresses are unique and rarely repeat.

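The mechanism rolph describes, with the details spc476 corrects (every SYN aimed at port 443, source addresses unique and rarely repeating), has a simple defensive signature: many distinct sources whose handshakes never complete. The tracker below is an added example, not code from the thread or the linked post; it assumes a constructed packet log in which 192.0.2.10 stands in for the attacked server and the 203.0.113.x addresses for forged sources.

```python
# Added example: a half-open handshake tracker for spotting the spoofed-source
# SYN flood described in the thread. 192.0.2.10 is the attacked server.
from collections import defaultdict

# Constructed packet log (not from the post): "time src:sport dst:dport flags"
SAMPLE_LOG = """\
0.00 198.51.100.7:51000 192.0.2.10:443 S
0.01 192.0.2.10:443 198.51.100.7:51000 SA
0.02 198.51.100.7:51000 192.0.2.10:443 A
0.10 203.0.113.1:40001 192.0.2.10:443 S
0.11 192.0.2.10:443 203.0.113.1:40001 SA
0.12 203.0.113.2:40002 192.0.2.10:443 S
0.13 192.0.2.10:443 203.0.113.2:40002 SA
0.14 203.0.113.3:40003 192.0.2.10:443 S
0.15 192.0.2.10:443 203.0.113.3:40003 SA
0.16 203.0.113.4:40004 192.0.2.10:443 S
0.17 192.0.2.10:443 203.0.113.4:40004 SA
0.18 203.0.113.4:40004 192.0.2.10:443 R
"""


def half_open_by_port(log, server_ip):
    """Return {server_port: set(client_ip)} for handshakes that never completed.

    A client SYN opens an entry; the client's ACK (handshake done) or RST (the
    real owner of a forged address rejecting our SYN-ACK) closes it. Packets
    the server itself sends are skipped, so its SYN-ACKs do not count.
    """
    pending = set()
    for line in log.strip().splitlines():
        _, src, dst, flags = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        if dst_ip != server_ip:
            continue
        key = (src.rsplit(":", 1)[0], int(dst_port))
        if flags == "S":
            pending.add(key)
        elif flags in ("A", "R"):
            pending.discard(key)
    by_port = defaultdict(set)
    for client_ip, port in pending:
        by_port[port].add(client_ip)
    return dict(by_port)


def flooded_ports(by_port, min_sources=3):
    """Ports with at least min_sources distinct sources stuck half-open: many
    unique, non-repeating addresses that never ACK is the flood signature."""
    return sorted(p for p, ips in by_port.items() if len(ips) >= min_sources)
```

In the sample, the legitimate client 198.51.100.7 completes its handshake and is not counted, and 203.0.113.4 is cleared by the RST its real owner sends, leaving three never-acking sources on 443.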
fennec-posix
1 hour ago
The destination IP has some high-value octets, almost wondering if it's a software bug in something out there:

Address: 66.252.224.242 01000010.11111100.11100000.11110010

Maybe a long forgotten server with some ancient malware that keeps being moved around...

Mysterious

spc476
48 minutes ago
The destination IP address is my server, the one being attacked. I don't see the significance of the high-value octets.
fennec-posix
10 minutes ago
All good, probably just me seeing patterns.
epc
1 hour ago
Is it just the classic (1996-1997 era?) SYN-ACK attack?