On 10/28/19 11:26 AM, Tom Bird wrote:
> For a while now I've been seeing quite a lot of TCP sockets in the
> SYN_RECV state on any machine offering public ipv4 services, which
> should normally only happen if you can't route back to the source.
> Was initially worried that I'd broken something, however have seen it
> on boxes across a few providers now.

I'm seeing these too. Started on IMAPS/993 last week, seems to be on a whole range of TCP ports now.

> I've got a couple of theories but none adequately explain it, anyone
> know for sure?

I'm thinking it might be some kind of reflection attack, though it's unclear there's amplification for this kind of SYN traffic.

Keith
