Just posting this here for my own benefit. Off and on since about 12/12/06 I have been seeing SYN floods (nothing huge, just a trickle) coming into my web servers on port 80 tcp and apparently coming from systems at softkit.ro and evolvatelecom.net (both European). I’ve not thought much of them as they are not huge and I’ve had other things I’ve been busy on, but this afternoon I did a check. I found this on the mynightwatchman.com site:
We are aware of this problem, but it is not originating from our network. As of last month we are the target of a DRDOS attack coming from the internet. From what we’ve gathered the attacker is sending source-IP spoofed SYN packets to a very large number of web servers (including yours – directed at port 80 only), the result being those servers flooding us with SYN+ACK packets afterwards.
We’d love any help from you on this matter, given that you have extensive logs on your affected servers.
Something of interest would be that we are not receiving any RST packets, so this led us to believe the attacker is probing the ports on the machines he’s using subsequently and not sending the packets blindly at random IPs.
As you can imagine, this is very disturbing for us too, but we have found absolutely no way and no support in catching this attacker. We would appreciate any support…
That pretty much sucks.
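The reflection the quoted message describes, as an added example that is not from the original post or from softkit.ro: a small Python analyzer over constructed tcpdump-style connection-log lines that shows what the pattern looks like from the web server (reflector) side and from the victim side. The log format, addresses and ports are all constructed for the example.

```python
# Added example (not from the post): the SYN+ACK reflection seen from both
# ends, over constructed tcpdump-style lines "SRC:PORT DST:PORT FLAGS"
# (S = SYN, S. = SYN+ACK, . = ACK). Addresses are RFC 5737 ranges.
from collections import defaultdict

def parse(line):
    src, dst, flags = line.split()
    return (*src.rsplit(":", 1), *dst.rsplit(":", 1), flags)

def reflector_view(lines, server_ip, port="80", min_syns=2):
    """Web-server side: sources that sent >= min_syns SYNs to `port` but never
    ACKed our SYN+ACK, i.e. spoofed addresses whose owner gets our replies."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0})
    for line in lines:
        sip, sport, dip, dport, flags = parse(line)
        if flags == "S" and dip == server_ip and dport == port:
            stats[sip]["syn"] += 1
        elif flags == "S." and sip == server_ip and sport == port:
            stats[dip]["synack"] += 1
        elif flags == "." and dip == server_ip and dport == port:
            stats[sip]["ack"] += 1
    return {ip: s for ip, s in stats.items()
            if s["syn"] >= min_syns and s["ack"] == 0}

def victim_view(lines, victim_ip):
    """Victim side: inbound SYN+ACKs answering no SYN this host sent,
    counted per reflector IP (the web servers holding the useful logs)."""
    sent, reflected = set(), defaultdict(int)
    for line in lines:
        sip, sport, dip, dport, flags = parse(line)
        if flags == "S" and sip == victim_ip:
            sent.add((dip, dport, sport))
        elif flags == "S." and dip == victim_ip and (sip, sport, dport) not in sent:
            reflected[sip] += 1
    return dict(reflected)

# Constructed samples: 198.51.100.10 is our web server, 192.0.2.7 a real
# client, 203.0.113.5 the spoofed address (the reflection victim).
SERVER_LOG = [
    "192.0.2.7:51000 198.51.100.10:80 S", "198.51.100.10:80 192.0.2.7:51000 S.",
    "192.0.2.7:51000 198.51.100.10:80 .",
    "203.0.113.5:40001 198.51.100.10:80 S", "198.51.100.10:80 203.0.113.5:40001 S.",
    "203.0.113.5:40002 198.51.100.10:80 S", "198.51.100.10:80 203.0.113.5:40002 S.",
]
VICTIM_LOG = [  # as captured at 203.0.113.5: one real connection, then reflections
    "203.0.113.5:50000 192.0.2.7:80 S", "192.0.2.7:80 203.0.113.5:50000 S.",
    "198.51.100.10:80 203.0.113.5:40001 S.", "198.51.100.10:80 203.0.113.5:40002 S.",
    "198.51.100.20:80 203.0.113.5:40003 S.",
]
```

The server-side result is the list of sources worth handing to the victim's operators, since a real client would have completed at least one handshake.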