My friend Mark [1] wrote back about the SYN attack [2] to mention that he's also seeing the same attack on his servers. It's not enough to bring anything down, but it's enough to be an annoyance. He's also concerned that it might be a bit of a “dry run” for something larger.
A bit later he sent along a link to the paper “TCP (Transmission Control Protocol) SYN Cookie Vulnerability [3]” which describes a possible motive for the attack:
TCP SYN Cookies were implemented to mitigate against DoS (Denial of Service) attacks. It ensured that the server did not have to store any information for half-open connections. A SYN cookie contains all information required by the server to know the request is valid. However, the usage of these cookies introduces a vulnerability that allows an attacker to guess the initial sequence number and use that to spoof a connection or plant false logs.
“TCP SYN Cookie Vulnerability [4]”
The “spoofing of a connection” is amusing, as I don't have any private files worth downloading and spoofing a connection to an email server just nets me what? More spam? I already deal with spam as it is. And the same for the logs—I just don't have anything that requires legally auditable logs. I guess it's similar for most spam—it pretty must costs the same if you attempt 10 servers or 10,000,000 servers, so why not? And like Mark says, I hope this isn't a precursor of something larger.
And chasing down the references in the paper is quite the rabbit hole.
[3] https://arxiv.org/pdf/1807.08026.pdf