Is this a spoofed SYN flood?
At first glance, this might look like an attack. An attacker can launch a SYN flood without using their real IP address: they craft a packet whose source IP is set to a well-known address, such as that of a blackhole DNS server. Your server could then exhaust its resources trying to reply with SYN-ACK packets.
How can I tell?
If your server replies with a SYN-ACK packet and never receives the final ACK, the original packet was probably spoofed.
Why am I seeing TCP traffic for DNS?
Per RFC 6305:
A request sent to one of these servers will result in a response being returned to the client. The response will typically be a UDP datagram, although it's perfectly valid for requests to be made over TCP. In both cases, the source port of packets returning to the site that originated the DNS request will be 53.
Explanation given by RFC 6305
Section 6 of RFC 6305 gives a further explanation of why you may be seeing this traffic.
Inbound Traffic from AS112 Servers

Where firewalls or intrusion detection systems (IDSs) are configured to block traffic received from AS112 servers, superficial review of the traffic may seem alarming to site administrators.

Since requests directed ultimately to AS112 servers are usually triggered automatically by applications, review of firewall logs may indicate a large number of policy violations occurring over an extended period of time.

Where responses from AS112 servers are blocked by firewalls, hosts will often retry, often with a relatively high frequency. This can cause inbound traffic to be misclassified as a denial-of-service (DoS) attack. In some cases, the source ports used by individual hosts for successive retries increase in a predictable fashion (e.g. monotonically), which can cause the replies from the AS112 server to resemble a port scan.

A site administrator may attempt to perform active measurement of the remote host in response to alarms raised by inbound traffic, e.g. initiating a port scan in order to gather information about the host which is apparently attacking the site. Such a scan will usually result in additional inbound traffic to the site performing the measurement, e.g., an apparent flood of ICMP messages that may trigger additional firewall alarms and obfuscate the process of identifying the originally problematic traffic.
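The two tests the answer describes (does the handshake complete after our SYN-ACK, and is the inbound port-53 traffic an answer to a query we sent) can be run mechanically over a packet or flow log. The script below is an added example, not code from the answer or from RFC 6305. The record layout is the example's own, reduced from what tcpdump or a flow exporter would give you; the sample packets are constructed, using documentation ranges for our server (203.0.113.10) and the peers, and 192.175.48.0/24, the AS112 prefix from RFC 7534, for the blackhole servers.

```python
"""Triage alarming inbound packets: spoofed SYN flood or DNS replies?

Added example; not code from the original answer or from RFC 6305.
Records are constructed in the shape a packet capture or flow exporter
can be reduced to; the field layout is this example's own.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed addresses: 203.0.113.10 (our server), 198.51.100.7 and 192.0.2.9
# are documentation ranges; 192.175.48.0/24 is the AS112 prefix (RFC 7534).
MY_IP = "203.0.113.10"


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK


def classify(packets, my_ip=MY_IP):
    """Sort traffic into four buckets.

    completed       (peer_ip, peer_port, local_port) handshakes that finished
    half_open       handshakes where the final ACK never came back after our
                    SYN-ACK (or only a SYN was seen): consistent with spoofing
    dns_responses   inbound packets from port 53 that answer a query we sent,
                    over UDP or TCP; the RFC 6305 traffic lands here
    unsolicited_53  inbound packets from port 53 with no matching query of ours
    """
    handshakes = {}      # (peer_ip, peer_port, local_port) -> "syn"|"synack"|"done"
    pending_dns = set()  # (resolver_ip, our_port, proto) for queries we sent
    out = {"completed": [], "half_open": [], "dns_responses": [], "unsolicited_53": []}

    for p in sorted(packets, key=lambda x: x.ts):
        outbound = p.src == my_ip
        if outbound and p.dport == 53:
            # Our own query, or our side of a TCP DNS session: a reply from
            # this resolver to this local port is expected, not an attack.
            pending_dns.add((p.dst, p.sport, p.proto))
        elif not outbound and p.sport == 53:
            key = (p.src, p.dport, p.proto)
            bucket = "dns_responses" if key in pending_dns else "unsolicited_53"
            out[bucket].append(p)
        elif p.proto == "tcp":
            # Handshake tracking for connections where we are the server.
            if not outbound and p.flags == "S":
                handshakes[(p.src, p.sport, p.dport)] = "syn"
            elif outbound and p.flags == "SA":
                k = (p.dst, p.dport, p.sport)
                if handshakes.get(k) == "syn":
                    handshakes[k] = "synack"
            elif not outbound and p.flags == "A":
                k = (p.src, p.sport, p.dport)
                if handshakes.get(k) == "synack":
                    handshakes[k] = "done"

    for k, state in handshakes.items():
        out["completed" if state == "done" else "half_open"].append(k)
    return out


def half_open_by_source(result):
    """Count unfinished handshakes per claimed source IP: the flood signature."""
    counts = defaultdict(int)
    for peer_ip, _, _ in result["half_open"]:
        counts[peer_ip] += 1
    return dict(counts)


# Constructed sample log.
SAMPLE = [
    # A real HTTPS client: SYN, our SYN-ACK, its ACK.
    Pkt(0.00, "tcp", "198.51.100.7", 51000, MY_IP, 443, "S"),
    Pkt(0.01, "tcp", MY_IP, 443, "198.51.100.7", 51000, "SA"),
    Pkt(0.02, "tcp", "198.51.100.7", 51000, MY_IP, 443, "A"),
    # SYNs claiming an AS112 address as source; our SYN-ACKs are never acknowledged.
    Pkt(1.00, "tcp", "192.175.48.6", 40001, MY_IP, 80, "S"),
    Pkt(1.01, "tcp", MY_IP, 80, "192.175.48.6", 40001, "SA"),
    Pkt(1.02, "tcp", "192.175.48.6", 40002, MY_IP, 80, "S"),
    Pkt(1.03, "tcp", MY_IP, 80, "192.175.48.6", 40002, "SA"),
    Pkt(1.04, "tcp", "192.175.48.6", 40003, MY_IP, 80, "S"),
    Pkt(1.05, "tcp", MY_IP, 80, "192.175.48.6", 40003, "SA"),
    # Our resolver queries an AS112 server over UDP, retrying from rising source
    # ports; each reply comes back from port 53 and matches a query we sent.
    Pkt(2.00, "udp", MY_IP, 50000, "192.175.48.1", 53),
    Pkt(2.05, "udp", "192.175.48.1", 53, MY_IP, 50000),
    Pkt(2.10, "udp", MY_IP, 50001, "192.175.48.1", 53),
    Pkt(2.15, "udp", "192.175.48.1", 53, MY_IP, 50001),
    # The same query over TCP: inbound TCP from port 53, but we opened it.
    Pkt(3.00, "tcp", MY_IP, 50002, "192.175.48.1", 53, "S"),
    Pkt(3.01, "tcp", "192.175.48.1", 53, MY_IP, 50002, "SA"),
    Pkt(3.02, "tcp", MY_IP, 50002, "192.175.48.1", 53, "A"),
    # Port-53 traffic we never asked for: the one line that deserves a closer look.
    Pkt(4.00, "udp", "192.0.2.9", 53, MY_IP, 40000),
]

if __name__ == "__main__":
    r = classify(SAMPLE)
    print("completed handshakes:", r["completed"])
    print("half-open per claimed source:", half_open_by_source(r))
    print("replies to our own DNS queries:", len(r["dns_responses"]))
    print("unsolicited port-53 packets:", [(p.src, p.dport) for p in r["unsolicited_53"]])
```

On the sample, the three SYNs from 192.175.48.6 stay half-open while the real client completes, and every port-53 packet from 192.175.48.1, UDP or TCP, pairs with a query the server itself sent; only the stray packet from 192.0.2.9 is left unexplained. In practice, feed the function the same window of both directions of traffic that the firewall alerted on: a one-sided log of inbound packets cannot tell these cases apart.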