[Gllug] Under attack from Russia
Alain Williams
addw at phcomp.co.uk
Thu Aug 27 08:05:28 UTC 2009
On Thu, Aug 27, 2009 at 01:34:25AM +0100, Robert McKay wrote:
> It's probably that your SYNACKs (replies to the SYN) were also being used as
> a flood against 193.169.4.0/23 - although it's not an amplification attack
> it makes it very hard for them to track the original source of the flood.
<Pedant>
It amplifies by a factor of 5. My machine will send 5 SYN_ACK packets having received one SYN.
Agreed it is not a large amplification.
</Pedant>
> I certainly have no idea who's doing this or why, but 193.169.4.0/23 are the
> victims here not the aggressors.
Curious. I suppose this also gives 193.169.4.0/23 a 'bad name', gets them into
firewall block lists, ... I still wonder why.
The attack stopped at 06:16:04, suddenly.
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: http://www.phcomp.co.uk/contact.php
Past chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
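
The pattern discussed in this thread, as an added example that is not part of the original post: a Python sketch that reads `tcpdump -n` style lines and reports source prefixes that sent SYNs, drew SYN-ACKs from the local host, and never answered. The capture lines, the server address 192.0.2.1 and the function names are constructed for illustration; 193.169.4.0/23 is the prefix named in the thread.

```python
import ipaddress
import re
from collections import defaultdict

SERVER = "192.0.2.1"  # constructed: documentation address standing in for the local host
# Matches `tcpdump -n` TCP lines such as "IP a.b.c.d.port > e.f.g.h.port: Flags [S.], ..."
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+: Flags \[([A-Z.]+)\]")

def reflection_report(lines, server, prefix_len=23, min_syns=3):
    """Return prefixes that sent SYNs, drew SYN-ACKs, and never sent an ACK back."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        peer = dst if src == server else src
        net = str(ipaddress.ip_network(f"{peer}/{prefix_len}", strict=False))
        if flags == "S" and dst == server:
            stats[net]["syn"] += 1       # inbound connection attempt
        elif flags == "S." and src == server:
            stats[net]["synack"] += 1    # our reply, including retransmissions
        elif "." in flags and dst == server:
            stats[net]["ack"] += 1       # peer answered, so the address is real
    return {
        net: {"syn": s["syn"], "synack": s["synack"], "ratio": s["synack"] / s["syn"]}
        for net, s in stats.items()
        if s["syn"] >= min_syns and s["ack"] == 0
    }

def sample_capture():
    """Constructed capture: 4 unanswered SYNs from 193.169.4.0/23, 1 normal client."""
    out = []
    for i in range(4):
        c = f"193.169.4.{10 + i}.4000{i}"
        out.append(f"IP {c} > {SERVER}.80: Flags [S], seq 1, length 0")
        out += [f"IP {SERVER}.80 > {c}: Flags [S.], seq 9, ack 2, length 0"] * 5
    c = "198.51.100.7.51000"
    out += [f"IP {c} > {SERVER}.80: Flags [S], seq 1, length 0",
            f"IP {SERVER}.80 > {c}: Flags [S.], seq 9, ack 2, length 0",
            f"IP {c} > {SERVER}.80: Flags [.], ack 10, length 0"]
    return out

if __name__ == "__main__":
    for net, s in reflection_report(sample_capture(), SERVER).items():
        print(f"{net}: {s['syn']} SYN in, {s['synack']} SYN-ACK out, x{s['ratio']:.0f}")
```

On Linux the number of SYN-ACK retransmissions is controlled by the `net.ipv4.tcp_synack_retries` sysctl, so lowering it reduces the ratio this report shows.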