Reply to post: Noticeable uptick in fake TCP SYN attacks

There are DDoS attacks, then there's this 809 million packet-per-second tsunami Akamai says it just caught

Anonymous Coward

Noticeable uptick in fake TCP SYN attacks

Seen a noticeable uptick in the last year or so of fake TCP SYN packets, generally low-rate to avoid firewalls and using different source addresses in the same subnet to again avoid firewall rules. Used to come in at much higher rates and from a single IP in a subnet (stopped by the firewall), but it appears over the last year or so they have become more sophisticated so as to avoid detection and blocking.

If that is happening to a large percentage of internet-facing servers out there then it ends up being a substantial DoS attack on someone. I'd doubt the majority of owners of servers/websites etc. even notice. Any port can be targeted, but obviously standard ports 25/80 seem to be favourites.

I now have a script that detects and blocks these attacks (by counting TCP SYN packets from a single IP and by subnet) and blocks them for 24 hours when they pass a threshold. Usually blocked within a minute or two. Obviously have to be careful not to block legit addresses, so it only counts IP addresses with more than 2 resends and has automated and manual whitelists.

No doubt the game will change again as it always does.
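A worked sketch of the counting logic the commenter describes, written as an added example for this page and not the commenter's own script. It assumes tcpdump-style log lines (the sample log is constructed), a one-minute sliding window, per-address and per-/24 thresholds, a 24-hour block, a whitelist, and the "more than 2 resends" rule interpreted as "the same SYN (same source, destination port and sequence number) seen more than three times". Thresholds and window are illustrative assumptions, not values from the post.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed thresholds: tune to the host's real connection rate before use.
WINDOW = timedelta(seconds=60)          # sliding window over which SYNs are counted
IP_THRESHOLD = 12                       # SYNs from one address within WINDOW
SUBNET_THRESHOLD = 24                   # SYNs from one /24 within WINDOW
MIN_RESENDS = 2                         # only count sources that resent a SYN more than this
BLOCK_DURATION = timedelta(hours=24)    # as in the post: block for 24 hours
# Constructed whitelist (manual list); a real script would also load an automated one.
WHITELIST = {ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.5/32")}

# tcpdump-style line, e.g. "12:00:00.000000 IP 203.0.113.10.40000 > 198.51.100.5.25: Flags [S], seq 1000"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)$"
)


def parse_syn_lines(lines):
    """Return (timestamp, src_ip, dst_port, seq) for every pure SYN; SYN-ACK ('S.') and non-matching lines are skipped."""
    packets = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["flags"] != "S":
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        packets.append((ts, m["src"], int(m["dport"]), int(m["seq"])))
    return packets


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def suspicious_sources(packets):
    """Sources that resent the same SYN more than MIN_RESENDS times (copies - 1 = resends)."""
    copies = Counter((src, dport, seq) for _, src, dport, seq in packets)
    return {src for (src, _, _), n in copies.items() if n - 1 > MIN_RESENDS}


def evaluate(lines):
    """Return {ip_or_subnet: block_expiry} for sources that crossed a threshold inside the window."""
    packets = parse_syn_lines(lines)
    if not packets:
        return {}
    newest = max(p[0] for p in packets)
    recent = [p for p in packets if newest - p[0] <= WINDOW]   # sliding window ending at the newest packet
    candidates = suspicious_sources(recent)
    per_ip, per_net = Counter(), Counter()
    for _, src, _, _ in recent:
        if src not in candidates or is_whitelisted(src):
            continue   # legit clients (few resends) and whitelisted hosts are never counted
        per_ip[src] += 1
        per_net[str(ipaddress.ip_network(f"{src}/24", strict=False))] += 1
    expiry = newest + BLOCK_DURATION
    blocks = {ip: expiry for ip, n in per_ip.items() if n >= IP_THRESHOLD}
    blocks.update({net: expiry for net, n in per_net.items() if n >= SUBNET_THRESHOLD})
    return blocks


def build_sample_log():
    """Constructed log: one /24 spreading low-rate SYNs over three addresses, a legit client, a whitelisted host, stale traffic."""
    lines = []

    def burst(src, n_syns, copies, base_sec, dport=25, hm="12:00"):
        for i in range(n_syns):
            for c in range(copies):   # 'copies' identical SYNs = copies - 1 resends
                lines.append(f"{hm}:{base_sec + i * 2 + c:02d}.000000 IP {src}.{40000 + i} > "
                             f"198.51.100.5.{dport}: Flags [S], seq {1000 + i}")

    burst("203.0.113.10", 4, 4, 0)              # 16 SYNs: trips the per-IP threshold on its own
    burst("203.0.113.11", 2, 4, 10)             # 8 SYNs: below per-IP, but adds to the /24 count
    burst("203.0.113.12", 2, 4, 20, dport=80)   # 8 SYNs: same /24, different port
    burst("198.51.100.7", 1, 2, 30)             # legit client: one SYN, one retransmit
    burst("192.0.2.5", 5, 4, 30)                # 20 SYNs but whitelisted
    burst("203.0.113.99", 4, 4, 0, hm="11:50")  # 16 SYNs, but ten minutes old: outside the window
    lines.append("12:00:00.000500 IP 198.51.100.5.25 > 203.0.113.10.40000: Flags [S.], seq 777")  # SYN-ACK, ignored
    return lines


if __name__ == "__main__":
    for target, until in sorted(evaluate(build_sample_log()).items()):
        print(f"block {target} until {until.time()}")
```

The per-/24 counter is what catches the spread-out pattern the post describes: none of the three addresses except the first crosses the per-IP line, but together the subnet does. Whitelisting is checked before counting so a busy legitimate host can never contribute to its own subnet's total.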
