Wednesday, March 18, 2026
More notes on the Brazilian SYN attacks
One thing I forgot to mention yesterday was this observation from the Brazilian cybersecurity researcher who emailed me:
I've stood up a small sensor network, and so far I've captured data on two incidents. Both were observed from a sensor in São Paulo that responds on port 443 with a valid TLS certificate and a domain name. Two other sensors of mine were not hit: one in São Paulo that listens on 443 but has no domain name or valid certificate, and one in London with no server on 443 at all.
That's a tiny sample size and could be coincidence, but it lines up with comments I've seen suggesting that this actor only targets hosts that actually respond on 443. The TLS-certificate angle makes me wonder whether they're pulling target lists from Certificate Transparency logs.
Again, that makes sense given that all the SYN attacks have been directed towards the secure HTTP port. Checking certificate transparency logs is an easy way to find active servers that can be used for a SYN amplification attack.
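As an added illustration (my own example, not code from the original post or the researcher's sensors), this is the defender-side check implied above: pick out source addresses whose SYNs to port 443 are never followed by the rest of a handshake. The tcpdump-style lines are constructed; in a reflection attack the flagged address is the spoofed victim, so the right response is to stop answering it rather than to treat it as the attacker.

```python
import re
from collections import defaultdict

# tcpdump-like summaries (constructed format for this example):
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]
LINE_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]+)\]")

# Constructed sample: 198.51.100.7 sends bare SYNs that never progress (the
# forged-source pattern); 192.0.2.55 opens three real connections.
SAMPLE = """\
00:00:01.000 IP 198.51.100.7.40001 > 203.0.113.10.443: Flags [S]
00:00:01.100 IP 198.51.100.7.40002 > 203.0.113.10.443: Flags [S]
00:00:01.200 IP 198.51.100.7.40003 > 203.0.113.10.443: Flags [S]
00:00:01.300 IP 198.51.100.7.40004 > 203.0.113.10.443: Flags [S]
00:00:02.000 IP 192.0.2.55.51000 > 203.0.113.10.443: Flags [S]
00:00:02.050 IP 192.0.2.55.51000 > 203.0.113.10.443: Flags [.]
00:00:02.100 IP 192.0.2.55.51001 > 203.0.113.10.443: Flags [S]
00:00:02.150 IP 192.0.2.55.51001 > 203.0.113.10.443: Flags [P.]
00:00:02.200 IP 192.0.2.55.51002 > 203.0.113.10.443: Flags [S]
00:00:02.250 IP 192.0.2.55.51002 > 203.0.113.10.443: Flags [.]
"""

def parse_line(line):
    """Return (src_ip, src_port, dst_port, flags) or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _, src, sport, _, dport, flags = m.groups()
    return src, int(sport), int(dport), flags

def find_reflection_sources(lines, port=443, min_syns=3):
    """Source IPs that sent >= min_syns SYNs to `port` and never sent anything
    but a SYN on any of those flows (a real client follows with an ACK)."""
    syns = defaultdict(int)        # src ip -> number of SYNs seen
    seen_syn = set()               # (src ip, src port) flows that started with a SYN
    progressed = set()             # src ips with at least one flow past the SYN
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != port:
            continue
        src, sport, _, flags = parsed
        if flags == "S":
            syns[src] += 1
            seen_syn.add((src, sport))
        elif (src, sport) in seen_syn:
            progressed.add(src)
    return sorted(s for s, n in syns.items() if n >= min_syns and s not in progressed)

if __name__ == "__main__":
    print(find_reflection_sources(SAMPLE.splitlines()))  # ['198.51.100.7']
```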
But another weird thing I noticed—the Brazilian SYN attacks against my server have seemingly stopped.
I haven't seen one forged SYN packet for over 24 hours.
I don't think my reporting on it would affect that, but perhaps after detecting that I'm blocking the packets they gave up on my server?
A potential botnet that was being used got taken down?
Very strange indeed … Nope. They're still happening. Sigh.