Interesting coinciding with an increased volume of phishing attacks.

Sent from my iPhone

> On 28 Oct 2019, at 17:28, Keith Mitchell <[email protected]> wrote:
>
> On 10/28/19 11:26 AM, Tom Bird wrote:
>
>> For a while now I've been seeing quite a lot of TCP sockets in the
>> SYN_RECV state on any machine offering public ipv4 services, which
>> should normally only happen if you can't route back to the source.
>> Was initially worried that I'd broken something, however have seen it
>> on boxes across a few providers now.
>
> I'm seeing these too. Started on IMAPS/993 last week, seems to be on a
> whole range of TCP ports now.
>
>> I've got a couple of theories but none adequately explain it, anyone
>> know for sure?
>
> I'm thinking it might be some kind of reflection attack, though it's
> unclear there's amplification for this kind of SYN traffic.
>
> Keith
