[GLLUG] Getting hammered with connections to port 80

Tim Woodall t at woodall.me.uk
Sat Sep 29 11:06:51 UTC 2018


On Sat, 29 Sep 2018, John Winters via GLLUG wrote:

> On 29/09/18 11:31, Tim Woodall via GLLUG wrote:
>> Does anyone know what these guys are trying to do?
>
> DDoS attack?
>
That's what I wondered although it doesn't seem to be significantly
slowing down my connection. A sustained rate of 3-4 packets per second

If they are solely SYN packets (I'll check for the ACK later) then I
suppose it could be a forged source address attacking the host that will
get the SYN+ACK.

>> 
>> These are the connections to my webserver (port 80) in the last five
>> hours. Almost all of them did not actually make a get request.
>> 
> [snip]
>>       18 192.168.5.129
>>        2 192.168.6.129
>
> These are in private IP address ranges, so they can't possibly have been 
> expecting a response.  I'm surprised the packets even got routed to you.
>
Those are from internal devices and were genuine. If I'd spotted them
I'd have removed them before posting. (They're almost certainly an IoT
attempt to get past my firewall that gets diverted to my webserver)

> John
>
>



More information about the GLLUG mailing list