On 2019-11-01 08:15+0000, Mike Zanker wrote:
I have three servers (one at BitFolk) with ports 80 and 443 open and I
don’t see any SYN flooding directed at me but all three servers seem
to be taking part in SYN flooding against others. This has been going
on for months and the traffic is low-level.
All three servers are sending SYN ACKs to addresses in 185.90.0.0/16
at the moment but it often changes.
The SYN ACK is a response to a SYN packet. This would signify that the
three machines are responding to SYN requests from 185.90.0.0/16. If no
ACK returns from the SYN ACK, then the initial SYN was probably spoofed.
There's an animation at this address that shows the event sequence:
<https://www.inetdaemon.com/tutorials/internet/tcp/3-way_handshake.shtml>
--
Best regards,
Ed
http://www.s5h.net/
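
The check described in the reply above (a SYN-ACK that is never followed by the final ACK points to a spoofed SYN) can be run over a packet capture. This is an added example, not part of the original thread: the capture lines are constructed in `tcpdump -nn` text format, 203.0.113.10 stands in for the local server, and the function name is hypothetical.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample capture; addresses, ports and sequence numbers are illustrative.
SAMPLE = """\
08:15:01.000101 IP 185.90.12.7.40112 > 203.0.113.10.443: Flags [S], seq 100, win 64240, length 0
08:15:01.000150 IP 203.0.113.10.443 > 185.90.12.7.40112: Flags [S.], seq 900, ack 101, win 65160, length 0
08:15:02.010150 IP 203.0.113.10.443 > 185.90.12.7.40112: Flags [S.], seq 900, ack 101, win 65160, length 0
08:15:03.000201 IP 185.90.200.3.51000 > 203.0.113.10.80: Flags [S], seq 200, win 64240, length 0
08:15:03.000260 IP 203.0.113.10.80 > 185.90.200.3.51000: Flags [S.], seq 910, ack 201, win 65160, length 0
08:15:04.000301 IP 198.51.100.20.33000 > 203.0.113.10.443: Flags [S], seq 300, win 64240, length 0
08:15:04.000350 IP 203.0.113.10.443 > 198.51.100.20.33000: Flags [S.], seq 920, ack 301, win 65160, length 0
08:15:04.020400 IP 198.51.100.20.33000 > 203.0.113.10.443: Flags [.], ack 921, win 502, length 0
"""

# src_ip.src_port > dst_ip.dst_port: Flags [..]
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def half_open_by_prefix(capture, prefixlen=16):
    """Count handshakes where a SYN-ACK was sent but the final ACK never arrived,
    grouped by the network prefix of the claimed client address."""
    state = {}  # (client_ip, client_port, server_ip, server_port) -> handshake stage
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if flags == "S":                      # step 1: client SYN
            state[(src, sport, dst, dport)] = "syn"
        elif flags == "S.":                   # step 2: server SYN-ACK (or a retransmit)
            key = (dst, dport, src, sport)
            if state.get(key) in ("syn", "synack"):
                state[key] = "synack"
        elif "." in flags and "S" not in flags and "R" not in flags:
            key = (src, sport, dst, dport)    # step 3: client ACK completes the handshake
            if state.get(key) == "synack":
                state[key] = "established"
    counts = Counter()
    for (client, _, _, _), stage in state.items():
        if stage == "synack":
            counts[str(ip_network(f"{client}/{prefixlen}", strict=False))] += 1
    return dict(counts)
```

A handshake whose final ACK falls outside the capture window is counted as half-open too, so the capture should run longer than the server's SYN-ACK retransmission period.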