253 points akyuu | 1 comment
qwertox No.45945900
Since I moved my DNS records to Cloudflare (that is: the nameserver is now the one from Cloudflare), I get tons of odd connections, most notably SYN packets to either 443 or 22, which never respond back after the SYN-ACK. They ping me once a second on average, distributing the IPs over a /24 network.

I really don't understand why they do this, and it's mostly some shady origins, like vps game server hoster from Brazil and so on.

I'm at the point where I capture all the traffic and look for SYN packets, check the RDAP records for them to decide if I then drop the entire subnets of that organization, whitelisting things like Google.

Digital Ocean is notoriously a source of bad traffic, they just don't care at all.

replies(3): >>45946146 #>>45946726 #>>45947542 #
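The triage step described above (capture, pick out SYNs that never complete, aggregate per /24 before an RDAP lookup) as an added example; this is not the commenter's own script. It parses constructed tcpdump-style lines, assumes the watched host is 198.51.100.10, and treats the resulting subnet counts as a lookup list rather than a block list, since the source addresses may be spoofed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed tcpdump -nn style lines, NOT a real capture. 203.0.113.0/24 sends
# SYNs it never follows up on; 192.0.2.44 completes the handshake normally.
SAMPLE_LINES = """\
12:00:00.000000 IP 203.0.113.5.40001 > 198.51.100.10.443: Flags [S]
12:00:00.000100 IP 198.51.100.10.443 > 203.0.113.5.40001: Flags [S.]
12:00:01.000000 IP 203.0.113.17.40002 > 198.51.100.10.22: Flags [S]
12:00:01.000100 IP 198.51.100.10.22 > 203.0.113.17.40002: Flags [S.]
12:00:02.000000 IP 192.0.2.44.51000 > 198.51.100.10.443: Flags [S]
12:00:02.000100 IP 198.51.100.10.443 > 192.0.2.44.51000: Flags [S.]
12:00:02.000200 IP 192.0.2.44.51000 > 198.51.100.10.443: Flags [.]
12:00:03.000000 IP 203.0.113.99.40003 > 198.51.100.10.443: Flags [S]
12:00:03.000100 IP 198.51.100.10.443 > 203.0.113.99.40003: Flags [S.]
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")


def half_open_by_subnet(lines, my_ip, allowlist=(), prefix=24):
    """Return {subnet: set(source IPs)} for inbound SYNs to my_ip that the peer
    never followed with an ACK. A flow is keyed (src, sport, dport); it opens on
    a bare SYN and closes when the same peer sends ACK without SYN. Sources in
    `allowlist` (e.g. networks you have whitelisted) are skipped."""
    allow = [ipaddress.ip_network(n) for n in allowlist]
    pending = set()
    for line in lines.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst != my_ip:
            continue  # only segments addressed to us matter here
        key = (src, sport, dport)
        if flags == "S":
            pending.add(key)
        elif "." in flags and "S" not in flags:
            pending.discard(key)  # third handshake step (or later data) seen
    result = defaultdict(set)
    for src, _, _ in pending:
        if any(ipaddress.ip_address(src) in n for n in allow):
            continue
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        result[str(net)].add(src)  # note: src may be spoofed; verify via RDAP
    return dict(result)


if __name__ == "__main__":
    for net, srcs in half_open_by_subnet(SAMPLE_LINES, "198.51.100.10").items():
        print(f"{net}: {len(srcs)} half-open sources {sorted(srcs)}")
```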
sva_ No.45946726
> like vps game server hoster from Brazil and so on.

Probably someone DDoSing a Minecraft server or something.

People in games do this where they DDoS each other. You can get access to a DDoS panel for as little as $5 a month.

Some providers allow for spoofing the src ip, that's how they do these reflection attacks. So you're not actually dropping the sender of these packets, but the victims.

Consider turning the reverse path filter to strict as a basic anti-spoofing method and see if it helps:

    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
replies(3): >>45946979 #>>45947027 #>>45955320 #
jcalvinowens No.45955320
How does rp_filter on the server side help at all? For a cloud server with a single interface it literally does nothing. Maybe I'm misunderstanding your suggestion.