[GLLUG] Getting hammered with connections to port 80
Tim Woodall
t at woodall.me.uk
Sun Sep 30 07:58:33 UTC 2018
On Sat, 29 Sep 2018, Tim Woodall via GLLUG wrote:
> On Sat, 29 Sep 2018, Tim Woodall via GLLUG wrote:
>
>> On Sat, 29 Sep 2018, Alistair Mann via GLLUG wrote:
>>
>>> On 29/09/18 11:31, Tim Woodall via GLLUG wrote:
>>>> Does anyone know what these guys are trying to do?
>>>>
>>>> These are the connections to my webserver (port 80) in the last five
>>>> hours. Almost all of them did not actually make a get request.
>>> Did you just get a new IP address? Sometimes I see traffic intended for
>>> the previous holder.
>>>
>>> That there is no GET brings Port Knocking to mind.
>>>
>> But it doesn't make sense that the same host would repeat this over and
>> over again. There's no RST so I assume this is deliberate. If it was a
>> ddos amplification then I'd expect to see a RST (unless, of course, the
>> DDoSed hosts are dropping these phantom SYN+ACK packets somewhere)
>>
>> Is there a kernel setting to turn off sending followup SYN+ACK if
>> there's no ACK?
>>
>
> Hurrah, I've managed to write some IPTABLES rules to block this stuff:
>
Don't know if it was these rules or they just got bored but about 5
hours after I installed these rules it tapered off and I haven't seen a
single one since 5am.
Tim.
More information about the GLLUG
mailing list