Over the last few days, I've seen a server being flooded by packets from a small number of IP addresses with source port 22 and destination port either 25 or 80 (both ports are open to the public on said server). It looks like some kind of SYN flood attack, but the source port makes it look like some kind of reflection attack, targeting the (spoofed?) source address's SSH server. On the other hand, the packet size is 68 bytes, with the responses being 56 bytes, so that makes it a really daft reflection attack. Any ideas what's going on here?
Martijn 5 Posts
Feb 16th 2016
Every time I see someone asking this question (and I've asked it a few times myself), I never see an answer. Nobody in the world knows what this is or *might* be?
Ron 29 Posts
Dec 24th 2016
My guess is (hard to tell without seeing full packets) that they are looking for lazy/stateless firewall rules. A sysadmin may have just configured the firewall to allow port 22 inbound/outbound to allow the server to connect to other hosts via SSH, and by using SSH (port 22) as the source port, the attacker hopes to take advantage of such a rule. This will not work in most modern firewalls if they are properly configured.
Johannes 3698 Posts ISC Handler
Dec 26th 2016
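As an added illustration of the rule-matching Johannes describes (example code written for this page, not from the thread or any poster), the model below pits a lazy stateless rule set, which accepts any inbound packet whose source port is 22, against a stateful filter that accepts inbound traffic only for the public ports or as a reply to a connection the server itself opened. All addresses (RFC 5737 documentation ranges), ports and packets are constructed. It goes one step beyond the post: against ports 25 and 80, which are public anyway, the source-port trick buys the attacker nothing, so the interesting case is a probe with source port 22 aimed at a port that is not open to the world.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


SERVER = "203.0.113.10"      # assumed server address (RFC 5737 documentation range)
PUBLIC_PORTS = {25, 80}      # services open to everyone, as in the original post
ATTACKER = "198.51.100.7"    # assumed attacker address
SSH_HOST = "192.0.2.5"       # assumed host the server legitimately SSHes to


def stateless_verdict(p):
    """Lazy rule set: 'allow port 22 in and out so outbound SSH works'.
    Rules are checked in order, first match wins, default DROP."""
    if p.dst_ip == SERVER and p.dst_port in PUBLIC_PORTS:
        return "ACCEPT"                      # public services
    if p.dst_ip == SERVER and p.src_port == 22:
        return "ACCEPT"                      # the lazy rule: anything *from* port 22
    if p.src_ip == SERVER and p.dst_port == 22:
        return "ACCEPT"                      # the server's own outbound SSH
    return "DROP"


class StatefulFilter:
    """Inbound packets are accepted only for public ports or as replies to a
    connection the server itself opened. Inbound packets never create state,
    so a forged source port (with or without ACK set) matches nothing."""

    def __init__(self):
        self.flows = set()                   # (remote_ip, remote_port, local_port)

    def verdict(self, p):
        if p.src_ip == SERVER:
            if p.syn and not p.ack:          # new outbound connection: remember it
                self.flows.add((p.dst_ip, p.dst_port, p.src_port))
            return "ACCEPT"
        if p.dst_ip == SERVER:
            if p.dst_port in PUBLIC_PORTS:
                return "ACCEPT"
            if p.ack and (p.src_ip, p.src_port, p.dst_port) in self.flows:
                return "ACCEPT"              # reply to a flow the server opened
        return "DROP"


def run_scenario():
    """Constructed packets (not captures from the post). Returns
    {name: (stateless verdict, stateful verdict)} in packet order."""
    sf = StatefulFilter()
    packets = {
        # what the post saw: sport 22 -> public port 25; both filters accept,
        # so the source-port trick gains nothing against an open port
        "sport22_to_smtp": Packet(ATTACKER, 22, SERVER, 25, syn=True),
        # the probe the trick is really for: sport 22 -> a port that is NOT public
        "sport22_to_mysql": Packet(ATTACKER, 22, SERVER, 3306, syn=True),
        # same probe with ACK set, trying to look like a reply to something
        "sport22_ack_to_mysql": Packet(ATTACKER, 22, SERVER, 3306, ack=True),
        # legitimate outbound SSH from the server, then the genuine SYN/ACK reply
        "our_ssh_syn": Packet(SERVER, 51234, SSH_HOST, 22, syn=True),
        "ssh_synack_reply": Packet(SSH_HOST, 22, SERVER, 51234, syn=True, ack=True),
    }
    results = {}
    for name, p in packets.items():          # order matters for the stateful filter
        results[name] = (stateless_verdict(p), sf.verdict(p))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:22s} stateless={stateless:6s} stateful={stateful}")
```

Running it shows the two filters agreeing on everything except the probes at port 3306: the lazy rule accepts them because the source port is 22, the stateful filter drops them because no matching outbound flow exists. In iptables terms this is the difference between `-p tcp --sport 22 -j ACCEPT` and `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`.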
It's been more than 10 months and I don't have the packets any more (the attack, if that's what it was, has long stopped), but this explanation makes sense. Thanks.
Martijn 5 Posts
Dec 26th 2016