Ask HN: Why is my web server being attacked?

38 points by litoE ↗ HN
I run a small Web server. It's a vanity project, very low traffic - less than 50 pages served per day. Strictly HTML - no CGI, no PHP, nothing. For the past couple of weeks the server has been the target of a SYN Flood attack. Also very low volume - 100-150 SYN packets (with forged IP addresses) received per hour. I have all the usual mitigations in place and the attack is not affecting the server. However, I am curious why it's being attacked. I have not received any "ransom" email, the server does not host anything that is even mildly controversial and the forged IP addresses are always different and from all over the world so I'm not being used to flood some other server. Can anyone suggest a purpose for this attack?

47 comments

[ 3.3 ms ] story [ 93.9 ms ] thread
Testing your defenses?
Clear context is missing: what are you hosting, what webserver, who are you - person of interest?, what is your IP, hosted on a cloud service or too cheap vps? , what is your dns? And most important: what is behind your front door…
> what is your IP

NICE TRY, MR. HACKERMAN

Probably because the attackers can. Sometimes people don't need a deep reason for doing anything. They just want to watch bits of the web burn.
> 100-150 SYN packets (with forged IP addresses) received per hour.

Lol. That's not an "attack."

Your server is publicy accessible over the internet. This means you are explicitly allowing other networks to connect to your server. This is par for the course; just always make sure to run the latest security patches and move on with life.

I don't think I'd consider 100 SYN packets per hour to be an attempted SYN flood attack
Ah, I see you have the machine that goes ‘ping’!
One hundred. Not great, not terrible.

Take him to the infirmary. Toptunov, take him! He's delusional. Flood attack, forged IP addresses. He'll be fine. I've seen worse.

You didn't see forged IPs. You didn't. You didn't!!! Because it's not there!

(comment deleted)
I've been reading Hacker News for over 12 years now and this is my first comment and I wanted to make it a reply to your post because I'm in stitches.
The meter max reading is 100. It's not 100. It's 15,000. :)
Adding to what has already been said- New registrations are the food for probing. You could have an IP on someone's naughty list from a previous user. It's any other day on the internet.

That's just what the neighborhood ( the whole internet ) looks like from the sidewalk.

So, Set up a free Cloudflare account, move your DNS of record to them, and run traffic through Cloudflare to your server.

Please don't do this, find another way. Almost 1/2 the internet is inaccessible to me at this point because at some point CF decided that I was a bad actor and now I can't get to anything.
Have you tried changing the web browser or VPN?
Enabled cookies? Checked your TCP/IP settings?
I used to have similar problems (and also hell bans at random web sites) because I had a small ISP that uses CGNAT. Somewhere in my zip code, there was probably an infected windows box or something.

You might check your IP in an IP reputation database.

I eventually switched to a larger, more soulless ISP (also CGNAT) because we can’t have nice things on the internet any more.

(comment deleted)
> So, Set up a free Cloudflare account, move your DNS of record to them, and run traffic through Cloudflare to your server.

Since the author is not actually experiencing any issues, they're just curious, there really isn't any need for this.

I recommend this method for self-hosting too. I have gigabit Internet and cloudflare proxying unlocks the ability to host locally without exposing my home IP. Plus all the advantages of DDoS mitigation.
Cloudflare won't protect your IP being hit directly. If your IP can be accessed publicly, it will get hit. period. You could use nginx etc to do a 444 status code but can't stop these scripts/bots from hitting ur IP completely.
Normally you'd just configure the firewall to drop all packets not from Cloudflare. Maybe also get a new static IP first.
Is there a different set of IPs for Warp? That would have to be denied too.
Yes and no. If you have an iptables rule that drop anything not coming from CF IPs, the attacking packets are not passed to the application and dropped in kernel mode. Otherwise the packet will be passed to user mode application that consume more resources to analyse and drop the connection.
(comment deleted)
If you set up Cloudflare Tunnel, you don't even need to be set up to accept any incoming connections. With Access, you can even run SSH through that tunnel. You can then setup your firewall to drop any incoming packets for non-established connections, closing a significant hole for DoS attacks and such.
Tailscale is also a great alternative
I mean for the author's case you could go all the way and use CF Pages
Pro Tip - if you can get cheap IPv6 host cloudflare proxy will work for you as well for IPv4 as they will handle it.

You setup only AAAA record and you are reachable from IPv4 as well as much as other cloudflare caching benefits that you get.

that is terrible advice for the internet as a whole. cloudflare is too ubiquitous already which comes with a lot of potential danger. In other words: if you can afford not to use cloudflare, please don't.
In my general experience, everything on the open web is being probed and attacked, all the time, always.

That's just kind of how it goes. Bots scan the web looking for holes to get in and cause trouble. They'll poke your stuff.

That's the answer for sure: because it's connected to the internet.
I also face the same and I have set policy to ban such traffic by IP. Qq: How do you know the IP is forged?
anyone know of a ebpf tool that can temporary block ips if it starts sending too many syn packets?
You are not being attacked. Those are probably some bots that are port scanning the whole Internet. I would barely ignore them and focusing on web server logs to find some strange requests.
While I agree with other commenters that 100/hour doesn't rise to the level of "attack," I'm also curious, because with a forged peer address these are certainly not probes—the true sender would not get a response either way. Unless, that is, the spoofed IPs are also controlled by the attacker. I wonder if you'd find any patterns (net range, ASN, geographical, residential, etc.) in an analysis.

It could also be that your server—no doubt along with millions of others—is simply being used as a bouncer to shield the origin of a DDoS attack. Typically attackers want "amplification" (send a tiny packet with a spoofed source address, get a large response) but if their pipe is big enough they may be content with a level of indirection.

Do you have a Taiwanese language endpoint? It's fair to assume that anything on the web is going to be attacked at some point, but in my experience it was traffic coming from some unknown country that must have had beef with Taiwan (China obvs) because as soon as I blocked traffic to that endpoint the problem went away. It was enabled by default, but we weren't doing anything special in terms of localization, so it was a reasonable action to take.
My servers with no public records or associations with any services are being probed all the time. It’s one of the laws of the internet - if it has a public address, people will try to break into it.
Some more information about the hosting would be useful. Is it being served from your residential IP or a cloud provider IP? How long have controlled this IP address for?
Every open IPv4 port on the internet gets attacked.
For us attacks always go up massively during the holidays for some reason.
Sounds like an amplification attack, you are just in a rotation with a ton of other random hosts generating the traffic which is probably why the packet rate is low.

You could try doing some research on the forged IPs and see who they are associated with. Also try pinging them, my guess is they are down or returning insane latencies.

Either way I wouldn't lose sleep, any server I've ever managed or owned always got weird little visits from the packet goblins from time to time, it is fun puzzling them out. Once is an accident, twice is a coincidence, three times is an enemy action.