[GLLUG] Getting hammered with connections to port 80

Tim Woodall t at woodall.me.uk
Sat Sep 29 17:54:31 UTC 2018


On Sat, 29 Sep 2018, Alistair Mann via GLLUG wrote:

> On 29/09/18 11:31, Tim Woodall via GLLUG wrote:
>> Does anyone know what these guys are trying to do?
>> 
>> These are the connections to my webserver (port 80) in the last five
>> hours. Almost all of them did not actually make a get request.
> Did you just get a new IP address? Sometimes I see traffic intended for the 
> previous holder.
>
> That there is no GET brings Port Knocking to mind.
>
But it doesn't make sense that the same host would repeat this over and
over again. There's no RST so I assume this is deliberate. If it was a
DDoS amplification then I'd expect to see a RST (unless, of course, the
DDoSed hosts are dropping these phantom SYN+ACK packets somewhere).

Is there a kernel setting to turn off sending followup SYN+ACK if
there's no ACK?

HTTP connections through my firewall per day
kern.log 102819 (This is skewed by the extra logging I did to look for replies)
kern.log.1 46072
kern.log.2.gz 44360
kern.log.3.gz 2739
kern.log.4.gz 102916
kern.log.5.gz 6669
kern.log.6.gz 5260
kern.log.7.gz 2474
kern.log.8.gz 4578
kern.log.9.gz 5149
kern.log.10.gz 4443
kern.log.11.gz 4667
kern.log.12.gz 4910
kern.log.13.gz 1243
kern.log.14.gz 1685

Today's highest offenders
    1106 45.61.249.94
    1340 103.49.209.40
    1869 103.37.233.28
    3081 149.56.154.194
    3630 35.201.183.114
    3964 149.56.154.193
    4013 167.114.41.149
    4339 167.114.41.150
    4521 149.56.180.254
    4874 167.114.41.148
    5118 149.56.154.195
    5148 149.56.180.255
    5653 149.56.154.192
    5738 149.56.180.253
    6290 149.56.180.252
    6594 192.168.100.100 <= This is outbound from my proxy and internal from IoT devices trying to get to the web.
   12401 139.99.118.122
   16731 45.195.133.8

Yesterday
    3041 192.168.100.100
    7573 149.56.180.254
   33092 45.195.133.8

Day before:
    3089 192.168.100.100
   11347 139.99.118.122
   26056 139.99.118.123

kern.log.3.gz:
       8 198.11.173.103
(everything higher was internal or outbound!)

kern.log.4.gz:
    3047 192.168.100.100
   97015 23.225.141.70

And here is the highest count for each day:

kern.log        16731 45.195.133.8
kern.log.1      33092 45.195.133.8
kern.log.2.gz   26056 139.99.118.123
kern.log.3.gz    1421 192.168.100.100
kern.log.4.gz   97015 23.225.141.70
kern.log.5.gz    3025 192.168.100.100
kern.log.6.gz    2149 2001::INTERNAL
kern.log.7.gz    1326 2001::INTERNAL
kern.log.8.gz    3058 192.168.100.100
kern.log.9.gz    3025 192.168.100.100
kern.log.10.gz    3019 192.168.100.100
kern.log.11.gz    3016 192.168.100.100
kern.log.12.gz    3019 192.168.100.100
kern.log.13.gz     583 192.168.6.129
kern.log.14.gz     602 192.168.6.129

It appears to have started four days ago, somewhere in LA. And my IP
hasn't changed.

Tim.
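Added example, not from the thread or its author: a Python script that does the per-source counting described above and goes one step further, cross-referencing the firewall's kern.log against the web server's access log to list sources that open connections to port 80 but never issue a request. It assumes the firewall logs with an iptables LOG target (SRC=/DPT= fields) and that the web server writes a common-log-format access log; all sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample kern.log lines in the iptables LOG target shape (assumption:
# new inbound connections to the web server are logged with a "http-in:" prefix).
KERN_LOG = """\
Sep 29 10:01:02 fw kernel: http-in: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=80 WINDOW=29200 SYN
Sep 29 10:01:03 fw kernel: http-in: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=80 WINDOW=29200 SYN
Sep 29 10:01:04 fw kernel: http-in: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=80 WINDOW=64240 SYN
Sep 29 10:01:05 fw kernel: http-in: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=80 WINDOW=29200 SYN
Sep 29 10:01:06 fw kernel: http-in: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=443 WINDOW=64240 SYN
"""

# Constructed sample access log (common log format): only one source ever sent a request.
ACCESS_LOG = """\
192.0.2.44 - - [29/Sep/2018:10:01:04 +0000] "GET / HTTP/1.1" 200 612
"""

KERN_RE = re.compile(r'SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+)')
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) ')


def count_syns(kern_log: str, dport: int = 80) -> Counter:
    """Count firewall-logged connection attempts to dport, keyed by source IP."""
    counts = Counter()
    for line in kern_log.splitlines():
        m = KERN_RE.search(line)
        if m and int(m.group("dport")) == dport:
            counts[m.group("src")] += 1
    return counts


def count_requests(access_log: str) -> Counter:
    """Count HTTP requests actually received, keyed by source IP."""
    counts = Counter()
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def syn_only_sources(kern_log: str, access_log: str, dport: int = 80, min_syns: int = 2) -> dict:
    """Sources with at least min_syns logged connections and no request in the access log."""
    syns = count_syns(kern_log, dport)
    reqs = count_requests(access_log)
    return {src: n for src, n in syns.items() if n >= min_syns and reqs.get(src, 0) == 0}


def top_offender(counts: Counter):
    """(count, ip) of the busiest source, matching the per-day table in the post."""
    return max(((n, ip) for ip, n in counts.items()), default=None)
```

Run it over one day's kern.log and the matching access log to get the "connected but never asked for anything" list directly, instead of eyeballing counts.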
