[nsp-sec] Reflection utilizing sinkhole
John Kristoff
jtk at cymru.com
Mon Jan 6 16:15:10 EST 2014
Friends,
We noticed an abnormal amount of SYN packets that appear to be coming
from various source ports at 37.187.195.49 specifically to our C
sinkhole address space (38.229.128.0/18). From a small sample, the IP
TTL varies, but it looks like these may be common attributes:
* TCP window 8192
* MSS of 1460
* Window scale of 8
* TCP Sack enabled
The web page at the source address claims it is under a DDoS. Anyone
else seeing this on their sinkholes?
John
More information about the nsp-security
mailing list