Port 22 source traffic
Over the last few days, I've seen a server being flooded by packets from a small number of IP addresses with source port 22 and destination port either 25 or 80 (both ports are open to the public on said server).

It looks like some kind of SYN flood attack, but the source port makes it look like some kind of reflection attack, targeting the (spoofed?) source address's SSH server. On the other hand, the packet size is 68, with the responses being 56 bytes big, so that makes it a really daft reflection attack.

Any ideas what's going on here?

5 Posts
Every time I see someone asking this question (and I've asked it a few times myself), I never see an answer. Nobody in the world knows what this is or *might* be? Ron

29 Posts
My guess is (hard to tell without seeing full packets) that they are looking for lazy/stateless firewall rules. A sysadmin may have just configured the firewall to allow port 22 inbound/outbound to allow the server to connect to other hosts via SSH, and by using ssh as a source port, the attacker hopes to take advantage of such a rule. This will not work in most modern firewalls if they are properly configured. Johannes

4600 Posts
ISC Handler
It's been more than 10 months and I don't have the packets any more (the attack, if that's what it was, has long stopped), but this explanation makes sense. Thanks. Martijn

5 Posts

Sign Up for Free or Log In to start participating in the conversation!