Ask HN: Why is my web server being attacked?
I run a small Web server. It's a vanity project, very low traffic - less than 50 pages served per day. Strictly HTML - no CGI, no PHP, nothing. For the past couple of weeks the server has been the target of a SYN Flood attack. Also very low volume - 100-150 SYN packets (with forged IP addresses) received per hour. I have all the usual mitigations in place and the attack is not affecting the server. However, I am curious why it's being attacked. I have not received any "ransom" email, the server does not host anything that is even mildly controversial and the forged IP addresses are always different and from all over the world so I'm not being used to flood some other server. Can anyone suggest a purpose for this attack?
47 comments
[ 3.3 ms ] story [ 93.9 ms ] threadNICE TRY, MR. HACKERMAN
Lol. That's not an "attack."
Your server is publicy accessible over the internet. This means you are explicitly allowing other networks to connect to your server. This is par for the course; just always make sure to run the latest security patches and move on with life.
Take him to the infirmary. Toptunov, take him! He's delusional. Flood attack, forged IP addresses. He'll be fine. I've seen worse.
You didn't see forged IPs. You didn't. You didn't!!! Because it's not there!
That's just what the neighborhood ( the whole internet ) looks like from the sidewalk.
So, Set up a free Cloudflare account, move your DNS of record to them, and run traffic through Cloudflare to your server.
You might check your IP in an IP reputation database.
I eventually switched to a larger, more soulless ISP (also CGNAT) because we can’t have nice things on the internet any more.
Since the author is not actually experiencing any issues, they're just curious, there really isn't any need for this.
https://www.cloudflare.com/products/tunnel/
I haven’t had anything exposed to the Internet in a long while.
You setup only AAAA record and you are reachable from IPv4 as well as much as other cloudflare caching benefits that you get.
That's just kind of how it goes. Bots scan the web looking for holes to get in and cause trouble. They'll poke your stuff.
It could also be that your server—no doubt along with millions of others—is simply being used as a bouncer to shield the origin of a DDoS attack. Typically attackers want "amplification" (send a tiny packet with a spoofed source address, get a large response) but if their pipe is big enough they may be content with a level of indirection.
This: https://observablehq.com/@greynoise/noise-storms has some explanation but I'd be glad to elaborate more if needed.
You could try doing some research on the forged IPs and see who they are associated with. Also try pinging them, my guess is they are down or returning insane latencies.
Either way I wouldn't lose sleep, any server I've ever managed or owned always got weird little visits from the packet goblins from time to time, it is fun puzzling them out. Once is an accident, twice is a coincidence, three times is an enemy action.