
253 points akyuu | 2 comments
qwertox ◴[] No.45945900[source]
Since I moved my DNS records to Cloudflare (that is: the nameserver is now the one from Cloudflare), I get tons of odd connections, most notably SYN packets to either 443 or 22, which never respond back after the SYN-ACK. They ping me once a second on average, distributing the IPs over a /24 network.

I really don't understand why they do this, and it's mostly some shady origins, like vps game server hoster from Brazil and so on.

I'm at the point where I capture all the traffic and look for SYN packets, check the RDAP records for them to decide if I then drop the entire subnets of that organization, whitelisting things like Google.

Digital Ocean is notoriously a source of bad traffic, they just don't care at all.

replies(3): >>45946146 #>>45946726 #>>45947542 #
1. kzemek ◴[] No.45946146[source]
These are spoofed packets for SYN-ACK reflection attacks. Your response traffic goes to the victim, and since network stacks are usually configured to retry the SYN-ACK a few times, they also get amplification out of it.
replies(1): >>45949976 #
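The mechanism kzemek describes, as an added example that is not part of the thread: a small script that walks a constructed summary of TCP segments seen by one host, picks out SYNs that were answered with a SYN-ACK but never followed by an ACK (the signature of a spoofed source), groups the claimed sources by /24 the way qwertox does, and estimates how many bytes the host reflects toward each of them once SYN-ACK retransmissions are counted. The log format, the addresses (TEST-NET ranges) and the 60-byte segment sizes are assumptions for the example; the retransmit count of 5 is the Linux `net.ipv4.tcp_synack_retries` default and is a parameter here.

```python
"""Half-open SYN detection and SYN-ACK reflection estimate.

Added example, not code from the thread. Parses a constructed log of
TCP segments, finds SYNs that got our SYN-ACK but never an ACK, groups
the claimed sources by /24, and estimates the bytes reflected toward
each claimed source including SYN-ACK retransmissions.
"""
from collections import defaultdict
import ipaddress

# Constructed sample: "time src:port dst:port flags len" (assumed format).
# 198.51.100.5 is "us"; 203.0.113.x never completes the handshake,
# 192.0.2.77 is a legitimate client that does.
SAMPLE = """\
0.00 203.0.113.10:40001 198.51.100.5:443 S 60
0.00 198.51.100.5:443 203.0.113.10:40001 SA 60
1.01 203.0.113.11:40002 198.51.100.5:22 S 60
1.01 198.51.100.5:22 203.0.113.11:40002 SA 60
2.03 203.0.113.12:40003 198.51.100.5:443 S 60
2.03 198.51.100.5:443 203.0.113.12:40003 SA 60
5.00 192.0.2.77:51000 198.51.100.5:443 S 60
5.00 198.51.100.5:443 192.0.2.77:51000 SA 60
5.02 192.0.2.77:51000 198.51.100.5:443 A 52
"""


def parse(log: str) -> list[dict]:
    """Turn the summary lines into records with split ip/port fields."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        t, src, dst, flags, length = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        records.append({"t": float(t), "src": sip, "sport": int(sport),
                        "dst": dip, "dport": int(dport),
                        "flags": flags, "len": int(length)})
    return records


def half_open_syns(records: list[dict], my_ip: str) -> list[tuple]:
    """Flows (peer_ip, peer_port, our_port) where we sent a SYN-ACK and
    the peer never sent the third-handshake ACK: a real client finishes
    the handshake, a spoofed source never sees our reply."""
    synacked = {}
    completed = set()
    for r in records:
        if r["src"] == my_ip and r["flags"] == "SA":
            synacked[(r["dst"], r["dport"], r["sport"])] = r
        elif r["dst"] == my_ip and "A" in r["flags"] and "S" not in r["flags"]:
            completed.add((r["src"], r["sport"], r["dport"]))
    return [k for k in synacked if k not in completed]


def by_slash24(flows: list[tuple]) -> dict:
    """Count half-open flows per claimed-source /24 (the spread qwertox sees)."""
    counts = defaultdict(int)
    for ip, _, _ in flows:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def reflected_bytes(flows: list[tuple], synack_len: int = 60,
                    synack_retries: int = 5) -> dict:
    """Bytes this host sends toward each claimed-source /24. The kernel
    retransmits an unanswered SYN-ACK synack_retries times (5 is the
    Linux net.ipv4.tcp_synack_retries default), so one spoofed SYN yields
    (1 + synack_retries) SYN-ACKs aimed at the victim."""
    per_net = defaultdict(int)
    for ip, _, _ in flows:
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        per_net[net] += (1 + synack_retries) * synack_len
    return dict(per_net)


def amplification_factor(syn_len: int = 60, synack_len: int = 60,
                         synack_retries: int = 5) -> float:
    """Reflected bytes per spoofed byte: with equal-sized segments this is
    simply the number of SYN-ACKs sent per SYN."""
    return (1 + synack_retries) * synack_len / syn_len


if __name__ == "__main__":
    flows = half_open_syns(parse(SAMPLE), "198.51.100.5")
    print("half-open flows:", flows)
    print("per /24:", by_slash24(flows))
    print("reflected bytes per /24:", reflected_bytes(flows))
    print("amplification:", amplification_factor())
```

The point of the estimate is that the "victim" is the claimed source, not the host receiving the SYNs: every spoofed 60-byte SYN turns into roughly six 60-byte SYN-ACKs sent at the address the attacker chose, which is why dropping the subnet by RDAP owner punishes the spoofed party rather than the sender.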
2. pabs3 ◴[] No.45949976[source]
There is a solution to that, but it requires these companies to implement source address validation. If your ISP is on the list, maybe complain about it.

https://spoofer.caida.org/as_stats.php
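What source address validation means at a hosting provider's edge, as an added example that is neither from the thread nor from the CAIDA project: the router knows which prefixes it routes to each customer port, so a packet leaving that port with any other source address cannot be a genuine reply and is dropped before it reaches the Internet. The port names, prefixes (TEST-NET ranges) and packet tuples are constructed for the example.

```python
"""Source address validation at a provider's customer-facing ports.

Added example, not from the thread. A strict check: a packet arriving
from a customer port is forwarded only if its source address lies inside
a prefix the provider assigned to that port. Everything else, including
a spoofed SYN aimed at someone else's /24, is dropped and counted.
"""
from collections import defaultdict
import ipaddress

# Constructed: customer port -> prefixes the provider routes to it.
PORT_PREFIXES = {
    "ge-0/0/1": ["198.51.100.0/24"],
    "ge-0/0/2": ["192.0.2.0/25", "192.0.2.128/26"],
}

# Constructed ingress packets: (port, src, dst).
PACKETS = [
    ("ge-0/0/1", "198.51.100.9", "203.0.113.10"),    # legitimate
    ("ge-0/0/2", "192.0.2.130", "203.0.113.10"),     # legitimate
    ("ge-0/0/2", "203.0.113.10", "198.51.100.5"),    # spoofed: not this customer's
    ("ge-0/0/2", "192.0.2.200", "198.51.100.5"),     # spoofed: outside assigned /25 and /26
    ("ge-0/0/3", "192.0.2.1", "198.51.100.5"),       # unknown port: fail closed
]


def build_sav_table(port_prefixes: dict) -> dict:
    """Parse the prefix strings once into ip_network objects."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in port_prefixes.items()}


def source_permitted(table: dict, port: str, src: str) -> bool:
    """Strict validation: the source must be inside a prefix assigned to
    the ingress port. Ports with no assignment permit nothing."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in table.get(port, []))


def filter_ingress(table: dict, packets: list[tuple]) -> tuple:
    """Split packets into (forwarded, dropped) and count drops per port,
    which is the number a provider would use to find the spoofing customer."""
    forwarded, dropped = [], []
    drops_per_port = defaultdict(int)
    for port, src, dst in packets:
        if source_permitted(table, port, src):
            forwarded.append((port, src, dst))
        else:
            dropped.append((port, src, dst))
            drops_per_port[port] += 1
    return forwarded, dropped, dict(drops_per_port)


if __name__ == "__main__":
    table = build_sav_table(PORT_PREFIXES)
    fwd, drp, per_port = filter_ingress(table, PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drp)
    print("drops per port:", per_port)
```

The check is deliberately strict per port rather than "is this address routable somewhere": a multi-homed customer needs its other provider's prefixes added to the list, which is an operational cost, but it is the only form that catches a source address that belongs to an unrelated network, which is exactly what the reflected SYNs carry.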