The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Thursday, January 29, 2026

I still don't understand this SYN attack, but now I can't block it easily

I did not get the memo that Windows uses an IP TTL of 128.

On the one hand, I was able to avoid that weird SYN attack I've been under for six years, quite a bit of spam, and less bad web bot activity for the past 24 hours. On the other hand, any legitimate traffic to my web site from Windows users was lost. On the gripping hand, is anybody using Windows to read my site? I don't know, but it was worrisome enough for me to remove the filter.

In the time it took me to type netstat -an (which displays all the network connections on the server) right after removing the filter, I had over 100 IP addresses in the SYN_RECV state:

tcp        0      0 66.252.224.242:443          45.227.45.210:36527         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.64:36909          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.157:10968         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.69:52378          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.170:45186         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.83:28792          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.217:15376         SYN_RECV    
tcp        0      0 66.252.224.242:443          100.53.53.5:45160           SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.120:45659         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.133:16120         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.250:15675         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.232:47103         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.76:3458           SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.133:31970         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.246:8948          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.160:24317         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.231:63452         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.152:28002         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.104:32878         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.247:40848         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.107:59699         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.243:61639         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.119:237           SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.221:19952         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.82:44089          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.178:64103         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.243:36812         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.245:7855          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.74:10217          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.176:22833         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.112:40901         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.42:8195           SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.53:27914          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.78:13638          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.140:4838          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.149:2145          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.210:23419         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.201:1951          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.82:53191          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.185:39474         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.134:23672         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.207:26302         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.57:17502          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.188:16945         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.164:58069         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.193:39283         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.117:35051         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.17:65005          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.43:2512           SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.46:6447           SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.185:35912         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.180:9989          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.88:55133          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.183:55030         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.61:54573          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.48:48487          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.57:17238          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.131:43127         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.90:61334          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.1:8217            SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.85:27538          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.146:64006         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.240:44936         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.180:49849         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.85:40926          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.97:12475          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.212:27106         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.120:947           SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.35:23887          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.240:11661         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.108:47817         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.218:31611         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.57:49775          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.54:63847          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.71:4231           SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.136:49246         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.254:55247         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.206:24816         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.90:12459          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.20:42069          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.81:16082          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.71:14432          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.108:32404         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.135:39792         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.221:61593         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.125:28126         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.45:63681          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.192:29278         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.195:58573         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.220:6026          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.199:11577         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.246:3540          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.117:19364         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.120:32256         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.140:43804         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.177:42411         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.182:46776         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.213:11141         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.187:11828         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.198:5337          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.181:30734         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.142:20519         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.97:58468          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.192:11928         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.157:24941         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.101:36884         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.117:5093          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.112:22116         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.48:34003          SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.45.139:32440         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.119:63040         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.128:36298         SYN_RECV    
tcp        0      0 66.252.224.242:443          45.227.44.94:22124          SYN_RECV    

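As an added example (not the post's own code), here is the triage a defender would run over that listing: parse netstat -an, keep only the SYN_RECV entries, and count them per source network so the /23 worth blocking falls out automatically instead of being eyeballed. The sample input is a constructed subset of the listing above plus one documentation address (198.51.100.7); the threshold and the /23 grouping are assumptions chosen to match the post.

```python
import ipaddress
import sys
from collections import Counter

# Constructed sample of `netstat -an` output: a header, a listening socket,
# one established connection (documentation address 198.51.100.7), and a
# handful of half-open connections using addresses from the listing above.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 66.252.224.242:443          45.227.45.210:36527         SYN_RECV
tcp        0      0 66.252.224.242:443          45.227.44.64:36909          SYN_RECV
tcp        0      0 66.252.224.242:443          45.227.44.157:10968         SYN_RECV
tcp        0      0 66.252.224.242:443          100.53.53.5:45160           SYN_RECV
tcp        0      0 66.252.224.242:443          198.51.100.7:51234          ESTABLISHED
tcp        0      0 66.252.224.242:443          45.227.45.133:16120         SYN_RECV
"""


def parse_netstat(text):
    """Yield (proto, local, foreign, state) for each tcp/tcp6 line of netstat -an."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines, udp sockets, unix sockets
        yield fields[0], fields[3], fields[4], fields[5]


def host_of(addr):
    """Strip the port from 'host:port' (rpartition so IPv6 addresses survive)."""
    host, _, _port = addr.rpartition(":")
    return host


def syn_recv_by_prefix(text, prefix_len=23):
    """Count half-open connections per source network of the given prefix length."""
    counts = Counter()
    for _proto, _local, foreign, state in parse_netstat(text):
        if state != "SYN_RECV":
            continue
        # strict=False lets a host address stand in for its network
        net = ipaddress.ip_network(f"{host_of(foreign)}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return counts


def flag_half_open_flood(text, threshold=50, prefix_len=23):
    """Return (total SYN_RECV entries, networks at or above the threshold, busiest first)."""
    counts = syn_recv_by_prefix(text, prefix_len)
    offenders = [net for net, n in counts.most_common() if n >= threshold]
    return sum(counts.values()), offenders


if __name__ == "__main__":
    # Reads real output when piped in (netstat -an | python3 syn_recv.py),
    # otherwise runs over the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    total, offenders = flag_half_open_flood(text, threshold=3)
    print(f"{total} half-open connections; candidate blocks: {offenders}")
```

The state string is Linux netstat's; BSD-derived netstat prints SYN_RCVD, and `ss -tan` prints SYN-RECV, so adjust the comparison for the tool you actually have. A /23 is a blunt instrument; run the same count at /24 and /16 before deciding how wide to cut.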
Normally, I might see one or two such entries from netstat -an but not over 100. And as I've stated, this isn't enough to be an actual DoS or even a DDoS, but it is enough to be annoying. I can block the attack easily enough but it's a game of whack-a-mole—I can block 45.227.44.0/23 but in a few days, this will return from yet another Brazilian network, like 168.195.0.0/23 from the other day. And that's what I don't get about this—what is the end game here? What are the operators from this attack hoping to gain? From the comments I've received, one other person has seen a similar attack so at least I'm not alone in this. And I checked with some other customers at my hosting company and yes, they too are being hit with this attack.

The fact that this all stopped the second I filtered out IP packets with a TTL greater than 70 tells me this is from exploited Windows systems. Are they in fact actual Brazilian computers? Or Windows computers elsewhere forging IP addresses? Is this a SYN flood attack that might have worked 30 years ago but not on today's Internet?

I don't know.

All I do know is I wish I had a way to stop it. And what's the thought behind this attack?

Maybe it is indeed worth adding the IP TTL filter back and just dealing with no one using Windows being able to hit my site, just to avoid the crap traffic.
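The reasoning behind the TTL filter, worked through as an added example (not the post's own code): an arriving packet's TTL is the sender's default minus the number of routers crossed, so the default can be guessed from the observed value, and a "drop if TTL > 70" rule can be evaluated per OS family. The default TTLs are the well-known values (64 for Linux/macOS, 128 for Windows, 255 for some Unix and network equipment); the threshold of 70 is the post's; the 30-hop bound is an assumption.

```python
# Well-known default initial IP TTLs by OS family (the post's observation is
# that Windows uses 128 while the author's Linux hosts use 64).
INITIAL_TTLS = {
    "Linux/macOS/modern BSD": 64,
    "Windows": 128,
    "Solaris/Cisco IOS and other network gear": 255,
}


def likely_initial_ttl(observed):
    """Guess the sender's starting TTL: the smallest common default not below the observed value."""
    if not 1 <= observed <= 255:
        raise ValueError("IP TTL must be in 1..255")
    return min(t for t in INITIAL_TTLS.values() if t >= observed)


def estimated_hops(observed):
    """Routers traversed, assuming the sender started from the guessed default."""
    return likely_initial_ttl(observed) - observed


def dropped_by_filter(observed, max_ttl=70):
    """The filter from the post: drop any packet whose TTL on arrival exceeds max_ttl."""
    return observed > max_ttl


def filter_effect(max_ttl=70, max_hops=30):
    """For each OS family, say whether a 'TTL > max_ttl' drop rule hits it always,
    never, or only when the sender is close (assumed bound of max_hops routers)."""
    effect = {}
    for family, initial in INITIAL_TTLS.items():
        # A packet from this family arrives with TTL = initial - hops, so it is
        # dropped exactly when hops < initial - max_ttl.
        if initial <= max_ttl:
            effect[family] = "never dropped"
        elif initial - max_hops > max_ttl:
            effect[family] = "always dropped"
        else:
            effect[family] = f"dropped when fewer than {initial - max_ttl} hops away"
    return effect


if __name__ == "__main__":
    for ttl in (113, 49, 240):
        print(f"observed TTL {ttl}: likely initial {likely_initial_ttl(ttl)}, "
              f"~{estimated_hops(ttl)} hops, dropped={dropped_by_filter(ttl)}")
    for family, verdict in filter_effect().items():
        print(f"{family}: {verdict}")
```

With the threshold at 70 every Windows sender is dropped no matter how far away it is, and no 64-default sender ever is, which is exactly the trade-off the post describes. The guess is only a heuristic: a host with a tuned TTL, or traffic arriving through a proxy or CDN that re-originates the connection, will be classified by the middlebox's TTL rather than the real client's.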



Copyright © 1999-2026 by Sean Conner. All Rights Reserved.