Blocking ssh login attempts is working [1], but I have noticed another odd thing—the large number of TCP (Transmission Control Protocol) connections in the SYN_RECV state. This is indicative of a SYN flood [2], but what's weird is that it's not from any one source, but scores of sources. And it's not enough to actually bring down my server.
I spent a few hours playing “whack-a-mole” with the attacks, blocking large address spaces from connecting to my server, only to have the attack die down for about five minutes then kick back up from a score of different blocks. The only thing in common is that all the blocks seem to be from Europe.
And this is what I don't understand about this attack. It's not large enough to bring down my server (although I have SYN cookies [3] enabled and that might be keeping this at bay) and it's from all over European IP (Internet Protocol) space. I don't get who's getting attacked here. It could easily be spoofed packets being sent, but what's the goal here?
It's all very weird.
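The half-open connections described above can be measured rather than eyeballed. The script below is an added example, not code from the original post: it parses the column layout of Linux `ss -tan` (which spells the state SYN-RECV) and groups half-open connections by source /24, so it shows whether they cluster in one block or are spread across many, as the post observes. The `ss` sample embedded in it is constructed.

```python
"""Summarise half-open (SYN_RECV) TCP connections by source block.
Added example, not from the original post: parses the column layout of
`ss -tan` (iproute2 spells the state SYN-RECV) and groups half-open
connections by source /24. The sample below is constructed, not captured."""
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of `ss -tan` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV 0      0      203.0.113.10:22    198.51.100.7:51342
SYN-RECV 0      0      203.0.113.10:22    198.51.100.9:40211
SYN-RECV 0      0      203.0.113.10:443   192.0.2.45:33120
ESTAB    0      0      203.0.113.10:22    192.0.2.200:55001
SYN-RECV 0      0      203.0.113.10:22    192.0.2.46:33121
SYN-RECV 0      0      203.0.113.10:22    192.0.2.47:33122
"""

def parse_syn_recv_peers(ss_output: str) -> list[str]:
    """Return the peer IP of every SYN-RECV row; header and other states are skipped."""
    peers = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].replace("_", "-") != "SYN-RECV":
            continue
        host, _, _port = fields[4].rpartition(":")  # drop the peer port
        peers.append(host.strip("[]"))  # ss prints IPv6 peers in brackets
    return peers

def half_open_by_block(ss_output: str, v4_prefix: int = 24) -> Counter:
    """Count half-open connections per source block (/24 for IPv4, /64 for IPv6)."""
    counts: Counter = Counter()
    for peer in parse_syn_recv_peers(ss_output):
        addr = ip_address(peer)
        plen = v4_prefix if addr.version == 4 else 64
        counts[str(ip_network(f"{addr}/{plen}", strict=False))] += 1
    return counts

def source_spread(ss_output: str) -> tuple[int, int]:
    """Return (half-open connections, distinct source blocks) as a quick read."""
    counts = half_open_by_block(ss_output)
    return sum(counts.values()), len(counts)

if __name__ == "__main__":
    # Live use: `ss -tan | python3 syn_recv_blocks.py`; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    print("half-open / distinct blocks:", source_spread(data))
    for block, n in half_open_by_block(data).most_common():
        print(f"{n:4d}  {block}")
```

Many half-open connections spread over many distinct blocks, with established connections unaffected, matches the pattern the post describes and is exactly the case SYN cookies are meant to absorb.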
[2] https://en.wikipedia.org/wiki/SYN_flood