I run a small Web server. It's a vanity project, very low traffic - less than 50 pages served per day. Strictly HTML - no CGI, no PHP, nothing. For the past couple of weeks the server has been the target of a SYN Flood attack. Also very low volume - 100-150 SYN packets (with forged IP addresses) received per hour. I have all the usual mitigations in place and the attack is not affecting the server. However, I am curious why it's being attacked. I have not received any "ransom" email, the server does not host anything that is even mildly controversial and the forged IP addresses are always different and from all over the world so I'm not being used to flood some other server. Can anyone suggest a purpose for this attack?
In my general experience, everything on the open web is being probed and attacked, all the time, always.

That's just kind of how it goes. Bots scan the web looking for holes to get in and cause trouble. They'll poke your stuff.
Adding to what has already been said:
New registrations are the food for probing.
You could have an IP on someone's naughty list from a previous user.
It's any other day on the internet.

That's just what the neighborhood (the whole internet) looks like from the sidewalk.

So, set up a free Cloudflare account, move your DNS of record to them, and run traffic through Cloudflare to your server.
While I agree with other commenters that 100/hour doesn't rise to the level of "attack," I'm also curious, because with a forged peer address these are certainly not probes—the true sender would not get a response either way. Unless, that is, the spoofed IPs are also controlled by the attacker. I wonder if you'd find any patterns (net range, ASN, geographical, residential, etc.) in an analysis.

It could also be that your server—no doubt along with millions of others—is simply being used as a bouncer to shield the origin of a DDoS attack. Typically attackers want "amplification" (send a tiny packet with a spoofed source address, get a large response) but if their pipe is big enough they may be content with a level of indirection.
My servers with no public records or associations with any services are being probed all the time. It’s one of the laws of the internet - if it has a public address, people will try to break into it.
These "noise storms" are becoming more common than in previous years and are generally tied to global "major" events.

This: https://observablehq.com/@greynoise/noise-storms has some explanation but I'd be glad to elaborate more if needed.
You are not being attacked. Those are probably some bots that are port scanning the whole Internet. I would just ignore them and focus on web server logs to find some strange requests.
Clear context is missing: what are you hosting, what webserver, who are you (person of interest?), what is your IP, hosted on a cloud service or a too-cheap VPS?, what is your DNS? And most important: what is behind your front door…
Sounds like an amplification attack, you are just in a rotation with a ton of other random hosts generating the traffic which is probably why the packet rate is low.

You could try doing some research on the forged IPs and see who they are associated with. Also try pinging them, my guess is they are down or returning insane latencies.

Either way I wouldn't lose sleep, any server I've ever managed or owned always got weird little visits from the packet goblins from time to time, it is fun puzzling them out. Once is an accident, twice is a coincidence, three times is an enemy action.
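Added example (not code from any commenter in this thread): a small Python script that does the analysis the two comments above suggest, grouping logged SYNs by hour, by net range and by source port so you can see whether the forged addresses share anything. It assumes the SYNs were logged with a netfilter LOG rule using an assumed `SYNLOG:` prefix; the log lines are constructed with documentation addresses, not real traffic.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

# Constructed sample lines in netfilter LOG format (assumed "SYNLOG:" prefix);
# the addresses are documentation/benchmark ranges, not real sources.
SAMPLE_LOG = """\
Jun 12 03:14:07 vanity kernel: SYNLOG: IN=eth0 SRC=203.0.113.4 DST=198.51.100.7 PROTO=TCP SPT=41234 DPT=80 SYN
Jun 12 03:21:40 vanity kernel: SYNLOG: IN=eth0 SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=55002 DPT=80 SYN
Jun 12 03:48:02 vanity kernel: SYNLOG: IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=6000 DPT=80 SYN
Jun 12 04:02:13 vanity kernel: SYNLOG: IN=eth0 SRC=198.18.5.5 DST=198.51.100.7 PROTO=TCP SPT=6000 DPT=80 SYN
Jun 12 04:15:58 vanity kernel: SYNLOG: IN=eth0 SRC=198.18.200.1 DST=198.51.100.7 PROTO=TCP SPT=6000 DPT=80 SYN
Jun 12 04:40:31 vanity kernel: SYNLOG: IN=eth0 SRC=203.0.113.4 DST=198.51.100.7 PROTO=TCP SPT=6000 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_syn_log(text):
    """Return (hour_bucket, src, spt, dpt) for every parseable SYNLOG line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated kernel message, skip it
        hour = datetime.strptime(m["ts"], "%b %d %H:%M:%S").strftime("%m-%d %H:00")
        records.append((hour, m["src"], int(m["spt"]), int(m["dpt"])))
    return records

def summarize(records, prefix_len=16):
    """Rate per hour, clustering by net range, distinct sources, repeated source port."""
    per_hour = Counter(h for h, *_ in records)
    prefixes = Counter(str(ip_network(f"{s}/{prefix_len}", strict=False)) for _, s, _, _ in records)
    sources = Counter(s for _, s, _, _ in records)
    ports = Counter(p for _, _, p, _ in records)
    return {
        "total": len(records),
        "peak_per_hour": max(per_hour.values(), default=0),
        "distinct_sources": len(sources),
        "top_prefix": prefixes.most_common(1)[0] if prefixes else None,
        "repeated_source_port": ports.most_common(1)[0] if ports else None,
    }

def assess(s):
    """Heuristic reading of the summary (an assumption of this example, not a rule)."""
    if s["total"] and s["distinct_sources"] / s["total"] < 0.5:
        return "few sources repeat: ordinary scanning, check the web server logs"
    if s["repeated_source_port"] and s["repeated_source_port"][1] > s["total"] // 2:
        return "spread sources but one source port: consistent with one sender forging addresses"
    return "spread sources sharing nothing: consistent with scan noise or spoofed backscatter"
```

Run it over your own log with `summarize(parse_syn_log(open("/var/log/kern.log").read()))`, and try `prefix_len=8` as well, since a spread at /16 can still cluster at /8.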
One hundred. Not great, not terrible.

Take him to the infirmary. Toptunov, take him! He's delusional. Flood attack, forged IP addresses. He'll be fine. I've seen worse.

You didn't see forged IPs. You didn't. You didn't!!! Because it's not there!
Some more information about the hosting would be useful. Is it being served from your residential IP or a cloud provider IP? How long have you controlled this IP address for?
> 100-150 SYN packets (with forged IP addresses) received per hour.

Lol. That's not an "attack."

Your server is publicly accessible over the internet. This means you are explicitly allowing other networks to connect to your server. This is par for the course; just always make sure to run the latest security patches and move on with life.
Do you have a Taiwanese language endpoint? It's fair to assume that anything on the web is going to be attacked at some point, but in my experience it was traffic coming from some unknown country that must have had beef with Taiwan (China obvs) because as soon as I blocked traffic to that endpoint the problem went away. It was enabled by default, but we weren't doing anything special in terms of localization, so it was a reasonable action to take.