[GLLUG] Getting hammered with connections to port 80

Tim Woodall t at woodall.me.uk
Sun Sep 30 07:58:33 UTC 2018


On Sat, 29 Sep 2018, Tim Woodall via GLLUG wrote:

> On Sat, 29 Sep 2018, Tim Woodall via GLLUG wrote:
>
>> On Sat, 29 Sep 2018, Alistair Mann via GLLUG wrote:
>> 
>>> On 29/09/18 11:31, Tim Woodall via GLLUG wrote:
>>>> Does anyone know what these guys are trying to do?
>>>> 
>>>> These are the connections to my webserver (port 80) in the last five
>>>> hours. Almost all of them did not actually make a get request.
>>> Did you just get a new IP address? Sometimes I see traffic intended for 
>>> the previous holder.
>>> 
>>> That there is no GET brings Port Knocking to mind.
>>> 
>> But it doesn't make sense that the same host would repeat this over and
>> over again. There's no RST so I assume this is deliberate. If it was a
>> DDoS amplification then I'd expect to see a RST (unless, of course, the
>> DDoSed hosts are dropping these phantom SYN+ACK packets somewhere)
>> 
>> Is there a kernel setting to turn off sending followup SYN+ACK if
>> there's no ACK?
>> 
>
> Hurrah, I've managed to write some IPTABLES rules to block this stuff:
>

Don't know if it was these rules or they just got bored but about 5
hours after I installed these rules it tapered off and I haven't seen a
single one since 5am.

Tim.
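One way to spot the pattern discussed in this thread (the same remote host repeatedly opening connections to port 80 that never complete), as an added example that is not part of the original post or Tim's iptables rules: the script parses `netstat -tn`-style output, counts half-open SYN_RECV entries to the web port per remote address, and lists the sources above a threshold. The netstat sample (RFC 5737 documentation addresses) and the threshold of 3 are constructed assumptions.

```python
"""Flag remote hosts that repeatedly leave half-open (SYN_RECV) connections
to a local port, a defender-side check for the SYN-but-no-GET pattern.

Input is `netstat -tn`-style output. The sample below is CONSTRUCTED for this
example (RFC 5737 addresses), not data from the original post."""
import re
from collections import Counter

# Constructed sample of `netstat -tn` output (not real traffic).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51240      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51251      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.99:40100        SYN_RECV
tcp        0      0 203.0.113.10:22         198.51.100.7:60000      SYN_RECV
"""

# proto recv-q send-q local:port remote:port state ; \S+ backtracks to the
# last ':' so IPv6-mapped addresses such as ::ffff:1.2.3.4:80 also parse.
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def parse_netstat(text):
    """Yield (local_port, remote_host, state) for each TCP connection line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)


def half_open_by_source(text, local_port=80):
    """Count SYN_RECV entries per remote host for the given local port."""
    counts = Counter()
    for port, host, state in parse_netstat(text):
        if port == local_port and state == "SYN_RECV":
            counts[host] += 1
    return counts


def repeat_offenders(text, local_port=80, threshold=3):
    """Remote hosts with at least `threshold` concurrent half-open connections."""
    counts = half_open_by_source(text, local_port)
    return sorted(host for host, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for host in repeat_offenders(SAMPLE_NETSTAT):
        print(host)
```

On a live box, feed it the output of `netstat -tn` (or the equivalent `ss -tn` columns after adjusting the regex); a host that stays on the list across several runs is the one worth a firewall rule.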



