I still don't understand this SYN attack, but now I can't block it easily
I did not get the memo that Windows uses an IP (Internet Protocol) TTL (Time To Live) of 128.
On the one hand, I was able to avoid that weird SYN attack I've been under for six years, quite a bit of spam, and less bad web bot activity for the past 24 hours. On the other hand, any legitimate traffic to my web site from Windows users was lost. On the gripping hand, is anybody using Windows to read my site? I don't know, but it was worrisome enough for me to remove the filter.
In the time it took me to type netstat -an (which displays all the network connections on the server) right after removing the filter, I had over 100 IP addresses in the SYN_RECV state:
tcp 0 0 66.252.224.242:443 45.227.45.210:36527 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.64:36909 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.157:10968 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.69:52378 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.170:45186 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.83:28792 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.217:15376 SYN_RECV
tcp 0 0 66.252.224.242:443 100.53.53.5:45160 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.120:45659 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.133:16120 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.250:15675 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.232:47103 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.76:3458 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.133:31970 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.246:8948 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.160:24317 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.231:63452 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.152:28002 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.104:32878 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.247:40848 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.107:59699 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.243:61639 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.119:237 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.221:19952 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.82:44089 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.178:64103 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.243:36812 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.245:7855 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.74:10217 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.176:22833 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.112:40901 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.42:8195 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.53:27914 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.78:13638 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.140:4838 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.149:2145 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.210:23419 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.201:1951 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.82:53191 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.185:39474 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.134:23672 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.207:26302 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.57:17502 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.188:16945 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.164:58069 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.193:39283 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.117:35051 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.17:65005 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.43:2512 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.46:6447 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.185:35912 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.180:9989 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.88:55133 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.183:55030 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.61:54573 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.48:48487 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.57:17238 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.131:43127 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.90:61334 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.1:8217 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.85:27538 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.146:64006 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.240:44936 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.180:49849 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.85:40926 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.97:12475 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.212:27106 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.120:947 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.35:23887 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.240:11661 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.108:47817 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.218:31611 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.57:49775 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.54:63847 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.71:4231 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.136:49246 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.254:55247 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.206:24816 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.90:12459 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.20:42069 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.81:16082 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.71:14432 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.108:32404 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.135:39792 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.221:61593 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.125:28126 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.45:63681 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.192:29278 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.195:58573 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.220:6026 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.199:11577 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.246:3540 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.117:19364 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.120:32256 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.140:43804 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.177:42411 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.182:46776 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.213:11141 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.187:11828 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.198:5337 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.181:30734 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.142:20519 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.97:58468 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.192:11928 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.157:24941 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.101:36884 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.117:5093 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.112:22116 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.48:34003 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.45.139:32440 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.119:63040 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.128:36298 SYN_RECV
tcp 0 0 66.252.224.242:443 45.227.44.94:22124 SYN_RECV
Normally, I might see one or two such entries from netstat -an but not over 100. And as I've stated, this isn't enough to be an actual DoS (Denial of Service Attack) or even a DDoS (Distributed Denial of Service Attack), but it is enough to be annoying. I can block the attack easily enough but it's a game of whack-a-mole—I can block 45.227.44.0/23 but in a few days, this will return from yet another Brazilian network, like 168.195.0.0/23 from the other day. And that's what I don't get about this—what is the end game here? What are the operators from this attack hoping to gain? From the comments I've received, one other person has seen a similar attack [1] so at least I'm not alone in this. And I checked with some other customers at my hosting company and yes, they too are being hit with this attack.
The fact that this all stopped the second I filtered out IP packets with a TTL greater than 70 tells me this is from exploited Windows systems. Are they in fact actual Brazilian computers? Or Windows computers elsewhere forging IP addresses? Is this an SYN flood attack that might have worked 30 years ago but not on today's Internet?
I don't know.
All I do know is I wish I had a way to stop it. And what's the thought behind this attack?
Maybe it is indeed, worth adding the IP TTL filter back and just deal with no one using Windows being able to hit my site, just to avoid the crap traffic.
[1] https://news.ycombinator.com/item?id=46806561
Discussions about this entry
Lazy Reading for 2026/02/08 – DragonFly BSD Digest
Gemini Mention this post
Contact Sean Conner