[GLLUG] Getting hammered with connections to port 80

Tim Woodall t at woodall.me.uk
Sat Sep 29 11:48:28 UTC 2018


On Sat, 29 Sep 2018, Tim Woodall via GLLUG wrote:

> On Sat, 29 Sep 2018, John Winters via GLLUG wrote:
>
>> On 29/09/18 11:31, Tim Woodall via GLLUG wrote:
>>> Does anyone know what these guys are trying to do?
>> 
>> DDoS attack?
>> 
> That's what I wondered although it doesn't seem to be significantly
> slowing down my connection. A sustained rate of 3-4 packets per second
>
> If they are solely SYN packets (I'll check for the ACK later) then I
> suppose it could be a forged source address attacking the host that will
> get the SYN+ACK.
>
OK, the SYN+ACK is going out and then there's absolutely nothing coming
back.

Sep 29 12:29:53 heisenberg vmunix: [244114.686081] manglelogall pre
IN=isp OUT= MAC= SRC=149.56.180.253 DST=xxxxxxxxxxxxxx LEN=48 TOS=0x00
PREC=0x00 TTL=120 ID=48756 DF PROTO=TCP SPT=33239 DPT=80 WINDOW=8192
RES=0x00 SYN URGP=0

Sep 29 12:29:53 heisenberg vmunix: [244114.686882] manglelogall pre
IN=eth0 OUT= MAC=00:50:b6:17:7e:28:00:16:3e:e0:71:00:08:00
SRC=192.168.100.100 DST=149.56.180.253 LEN=48 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=TCP SPT=80 DPT=33239 WINDOW=29200 RES=0x00 ACK SYN URGP=0 
Sep 29 12:29:54 heisenberg vmunix: [244115.707024] manglelogall pre
IN=eth0 OUT= MAC=00:50:b6:17:7e:28:00:16:3e:e0:71:00:08:00
SRC=192.168.100.100 DST=149.56.180.253 LEN=48 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=TCP SPT=80 DPT=33239 WINDOW=29200 RES=0x00 ACK SYN URGP=0 
Sep 29 12:29:56 heisenberg vmunix: [244117.723257] manglelogall pre
IN=eth0 OUT= MAC=00:50:b6:17:7e:28:00:16:3e:e0:71:00:08:00
SRC=192.168.100.100 DST=149.56.180.253 LEN=48 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=TCP SPT=80 DPT=33239 WINDOW=29200 RES=0x00 ACK SYN URGP=0 
Sep 29 12:30:00 heisenberg vmunix: [244121.979178] manglelogall pre
IN=eth0 OUT= MAC=00:50:b6:17:7e:28:00:16:3e:e0:71:00:08:00
SRC=192.168.100.100 DST=149.56.180.253 LEN=48 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=TCP SPT=80 DPT=33239 WINDOW=29200 RES=0x00 ACK SYN URGP=0 
Sep 29 12:30:09 heisenberg vmunix: [244130.171485] manglelogall pre
IN=eth0 OUT= MAC=00:50:b6:17:7e:28:00:16:3e:e0:71:00:08:00
SRC=192.168.100.100 DST=149.56.180.253 LEN=48 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=TCP SPT=80 DPT=33239 WINDOW=29200 RES=0x00 ACK SYN URGP=0 
Sep 29 12:30:25 heisenberg vmunix: [244146.300451] manglelogall pre
IN=eth0 OUT= MAC=00:50:b6:17:7e:28:00:16:3e:e0:71:00:08:00
SRC=192.168.100.100 DST=149.56.180.253 LEN=48 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=TCP SPT=80 DPT=33239 WINDOW=29200 RES=0x00 ACK SYN URGP=0

That's six packets out for one packet in. :-(

Tim.
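Added example (not part of the post): a small parser for netfilter LOG lines in the format shown above that counts, per remote socket, the SYN seen inbound, the SYN+ACK retransmissions our side sent, and whether an ACK or RST ever came back, so the six-out-for-one-in pattern can be spotted in bulk. It rejoins entries that a mail client wrapped onto several lines. The sample log is constructed: the first flow copies the post's two entries with 192.0.2.10 standing in for the redacted DST and the remaining retransmits generated; the other two flows (a genuine client that completes the handshake, and a forged source that is a live host and answers with RST) are invented for contrast.

```python
import re
from collections import defaultdict

# Netfilter LOG output is a run of KEY=VALUE tokens (some empty, e.g. "MAC=")
# with bare words for the TCP flags and the DF bit mixed in.
TOKEN_RE = re.compile(r"(\w+)=(\S*)")
FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")


def unwrap(text):
    """Re-join log entries that were wrapped onto several lines (as in the mail)."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line.strip()
    return entries


def parse_entry(entry):
    """Return the KEY=VALUE fields plus a FLAGS set, or None for non-TCP entries."""
    fields = dict(TOKEN_RE.findall(entry))
    if fields.get("PROTO") != "TCP":
        return None
    fields["FLAGS"] = {w for w in entry.split() if w in FLAG_WORDS}
    return fields


def classify(pkt, server_port="80"):
    """Map a packet to a handshake step, keyed by the remote (client) socket."""
    f = pkt["FLAGS"]
    if pkt["DPT"] == server_port and "RST" in f:
        return "rst_in", (pkt["SRC"], pkt["SPT"])
    if pkt["DPT"] == server_port and "SYN" in f and "ACK" not in f:
        return "syn_in", (pkt["SRC"], pkt["SPT"])
    if pkt["SPT"] == server_port and {"SYN", "ACK"} <= f:
        return "synack_out", (pkt["DST"], pkt["DPT"])
    if pkt["DPT"] == server_port and "ACK" in f and "SYN" not in f:
        return "ack_in", (pkt["SRC"], pkt["SPT"])
    return None, None


def summarise(log_text, server_port="80"):
    """Per (client_ip, client_port): counts of each handshake step seen."""
    stats = defaultdict(lambda: {"syn_in": 0, "synack_out": 0, "ack_in": 0, "rst_in": 0})
    for entry in unwrap(log_text):
        pkt = parse_entry(entry)
        if pkt is None:
            continue
        kind, key = classify(pkt, server_port)
        if kind:
            stats[key][kind] += 1
    return dict(stats)


def half_open(stats):
    """Flows where SYN+ACK was retransmitted and the client never answered at all:
    the signature of a SYN from a forged source, with this host used as the
    reflector. Value is packets sent out per packet received."""
    return {k: c["synack_out"] / c["syn_in"]
            for k, c in stats.items()
            if c["syn_in"] and c["synack_out"] > 1 and not (c["ack_in"] or c["rst_in"])}


def _line(ts, src, dst, spt, dpt, flags, iface):
    """Build one single-line LOG entry in the post's format (constructed data)."""
    return (f"Sep 29 {ts} heisenberg vmunix: manglelogall pre IN={iface} OUT= MAC= "
            f"SRC={src} DST={dst} LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP "
            f"SPT={spt} DPT={dpt} WINDOW=29200 RES=0x00 {flags} URGP=0")


SERVER = "192.168.100.100"  # the internal web server seen in the post's replies

# Constructed sample: first two entries keep the post's wrapped layout
# (192.0.2.10 is a placeholder for the redacted DST); the rest are generated.
SAMPLE_LOG = """\
Sep 29 12:29:53 heisenberg vmunix: [244114.686081] manglelogall pre
IN=isp OUT= MAC= SRC=149.56.180.253 DST=192.0.2.10 LEN=48 TOS=0x00
PREC=0x00 TTL=120 ID=48756 DF PROTO=TCP SPT=33239 DPT=80 WINDOW=8192
RES=0x00 SYN URGP=0
Sep 29 12:29:53 heisenberg vmunix: [244114.686882] manglelogall pre
IN=eth0 OUT= MAC=00:50:b6:17:7e:28:00:16:3e:e0:71:00:08:00
SRC=192.168.100.100 DST=149.56.180.253 LEN=48 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=TCP SPT=80 DPT=33239 WINDOW=29200 RES=0x00 ACK SYN URGP=0
""" + "\n".join(
    # five more SYN+ACK retransmits at the kernel's doubling backoff, no reply
    [_line(ts, SERVER, "149.56.180.253", 80, 33239, "ACK SYN", "eth0")
     for ts in ("12:29:54", "12:29:56", "12:30:00", "12:30:09", "12:30:25")]
    # a genuine client: SYN, SYN+ACK, then the ACK that completes the handshake
    + [_line("12:30:02", "198.51.100.5", "192.0.2.10", 51000, 80, "SYN", "isp"),
       _line("12:30:02", SERVER, "198.51.100.5", 80, 51000, "ACK SYN", "eth0"),
       _line("12:30:02", "198.51.100.5", "192.0.2.10", 51000, 80, "ACK", "isp")]
    # a forged source that is a live host: it answers the unsolicited SYN+ACK with RST
    + [_line("12:30:05", "203.0.113.9", "192.0.2.10", 40000, 80, "SYN", "isp"),
       _line("12:30:05", SERVER, "203.0.113.9", 80, 40000, "ACK SYN", "eth0"),
       _line("12:30:05", "203.0.113.9", "192.0.2.10", 40000, 80, "RST", "isp")]
) + "\n"

if __name__ == "__main__":
    for (ip, port), ratio in half_open(summarise(SAMPLE_LOG)).items():
        print(f"{ip}:{port} half-open, {ratio:.0f} packets out per packet in")
```

The one-then-five retransmit schedule at 1, 2, 4, 8 and 16 seconds is Linux's default of net.ipv4.tcp_synack_retries=5 (six transmissions in all), which is where the six-for-one multiplier in the post comes from; lowering that sysctl shrinks the outbound volume sent to whoever the forged source really is. An RST coming back from the source address would mean it is a live host receiving backscatter; complete silence, as in the post, means it is unreachable or filtered.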
