UID 99 (nobody) Tracking Hit - DST=88.221.134.194
Posted: 22 Nov 2018, 19:58
Hi,
Looking for some help from people if anyone has any idea.
Shortly before and during an inbound SYN DDoS attack on HTTPS on my server yesterday, I noticed some weird alerts from CSF Firewall reporting weird outbound traffic.
The IP address is included in the logs as this is null routed and no longer in use.
I interpret the logs as my server was trying to make outbound connections to DST=88.221.134.194. This IP is an Akamai CDN IP address. These alerts were being sent every couple of minutes.
My provider has reported it was only an inbound SYN flood, not a reflection attack.
Does anyone have an idea what was going on here and what is at DST=88.221.134.194?
Thanks
Ant
Time: Wed Nov 21 22:38:01 2018 +0000
UID: 99 (nobody)
Hits: 11
Sample of port hits:
Nov 21 22:37:52 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=54898 DF PROTO=TCP SPT=47470 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:53 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=54899 DF PROTO=TCP SPT=47470 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:53 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=44979 DF PROTO=TCP SPT=47476 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:54 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=44980 DF PROTO=TCP SPT=47476 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:55 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=6669 DF PROTO=TCP SPT=47480 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:56 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=6670 DF PROTO=TCP SPT=47480 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:57 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=25042 DF PROTO=TCP SPT=47484 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:58 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=25043 DF PROTO=TCP SPT=47484 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:58 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=13895 DF PROTO=TCP SPT=47488 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:59 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=13896 DF PROTO=TCP SPT=47488 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:38:00 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=35007 DF PROTO=TCP SPT=47492 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
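A small parser for the CSF kernel-log format shown in the alert above, added here as an example and not part of the original post or of CSF itself. It splits each `Firewall: *..._OUT Blocked*` line into fields, groups blocked outbound hits by the owning UID, protocol, destination and port, and counts how many hits reuse a source port already seen in that group. Linux retransmits a dropped SYN from the same source port, so a second hit on the same SPT one second later (as in the pairs 47470/47470, 47476/47476 above) is the kernel retrying, while each new SPT is a fresh connect() by the UID 99 process. The sample log is constructed for the example: the four TCP lines mirror the post's pattern, and the UDP line to a documentation address (192.0.2.53) is invented to show the parser is not TCP-specific.

```python
import re

# Constructed sample in the CSF/iptables kernel-log format (not the post's full log).
SAMPLE_LOG = """\
Nov 21 22:37:52 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=54898 DF PROTO=TCP SPT=47470 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:53 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=54899 DF PROTO=TCP SPT=47470 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:53 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=44979 DF PROTO=TCP SPT=47476 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:54 sierra kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=88.221.134.194 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=44980 DF PROTO=TCP SPT=47476 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0 UID=99 GID=99
Nov 21 22:37:55 sierra kernel: Firewall: *UDP_OUT Blocked* IN= OUT=eth0 SRC=178.79.152.25 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=40 UID=0 GID=0
"""

# Syslog timestamp, host, "kernel: Firewall: *RULE*", then the iptables field dump.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Firewall: \*(?P<rule>[^*]+)\* (?P<rest>.*)$"
)


def parse_line(line):
    """Split one CSF kernel-log line into a dict.

    KEY=VALUE tokens become keys (IN= yields ''); bare tokens such as DF and
    SYN are collected in 'flags'. Returns None for lines that do not match.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts"), "host": m.group("host"),
              "rule": m.group("rule"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value  # a repeated key (UDP LEN=) keeps the last value
        else:
            fields["flags"].add(tok)
    return fields


def summarize(log_text):
    """Group blocked outbound hits by (UID, PROTO, DST, DPT).

    For each group count total hits, distinct source ports, and SYN hits that
    reuse a source port already seen (kernel retransmits of a dropped SYN).
    """
    groups = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or not f["rule"].endswith("_OUT Blocked"):
            continue
        key = (f.get("UID", "?"), f.get("PROTO"), f.get("DST"), f.get("DPT"))
        g = groups.setdefault(key, {"hits": 0, "sports": set(), "syn_retries": 0,
                                    "first": f["ts"], "last": f["ts"]})
        g["hits"] += 1
        spt = f.get("SPT")
        if "SYN" in f["flags"] and spt in g["sports"]:
            g["syn_retries"] += 1
        g["sports"].add(spt)
        g["last"] = f["ts"]
    return groups


def report(groups):
    """One human-readable line per group; hits minus retries = real attempts."""
    lines = []
    for (uid, proto, dst, dpt), g in sorted(groups.items()):
        lines.append(
            f"UID={uid} {proto} -> {dst}:{dpt}: {g['hits']} hits, "
            f"{len(g['sports'])} distinct source ports, "
            f"{g['syn_retries']} SYN retries ({g['first']} .. {g['last']})"
        )
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run against the real `/var/log/messages` (or wherever CSF's kernel logging lands) by passing the file contents to `summarize()`; the distinct-source-port count per UID tells you how many separate connection attempts a process under that UID actually made, which is the number worth matching against the web server's worker processes and any scheduled jobs running as `nobody`.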