So for over 2 weeks, I'm receiving what appears to be a combination of attacks non-stop, 24/7.
First, this UDP flood at a strangely small rate of 280 Kbps / 110 pps (360-byte length):
02:29:41.978484 IP (tos 0x0, ttl 48, id 56020, offset 0, flags [DF], proto UDP (17), length 360)
120.xxx.xxx.xxx.15070 > 200.xxx.xxx.xxx.7072: [udp sum ok] UDP, length 332
0x0030: fefe 7f7f fefe 7f7f fffe ff7f fffe fe7f ................
0x0040: 7ffe fe7f 7ffe ff7f 7eff feff ff7e fefe ........~....~..
0x0050: ff7e 7ffe ffff 7e7f feff 7f7e fffe 7f7f .~....~....~....
0x0060: 7efe ffff 7e7f fefe ff7e ffff ffff 7efe ~...~....~....~.
0x0070: ff7f 7e7f feff 7f7e ffff 7f7e 7ffe 7f7e ..~....~...~...~
0x0080: 7eff ffff 7e7f feff 7e7e feff 7f7e ffff ~...~...~~...~..
0x0090: ff7f ffff 7f7e fffe 7f7f 7efe ff7f 7ffe .....~....~.....
0x00a0: fe7f 7f7f fefe 7f7e fffe ff7f 7efe feff .......~....~...
0x00b0: 7eff feff 7f7e fffe ff7f 7ffe feff 7efe ~....~........~.
0x00c0: feff 7e7f feff ff7f fefe 7f7f 7ffe fe7f ..~.............
0x00d0: 7e7f feff 7f7f fefe 7f7e fefe ff7e feff ~........~...~..
0x00e0: 7f7e ffff ff7e fffe ff7f 7ffe ff7f 7eff .~...~........~.
0x00f0: feff 7f7e fffe 7f7e 7efe ff7f 7e7f fefe ...~...~~...~...
0x0100: 7f7e 7fff ff7f 7fff fe7f 7e7f feff 7e7e .~........~...~~
0x0110: fffe 7f7e 7ffe 7f7e 7eff fe7f 7e7e fefe ...~...~~...~~..
0x0120: 7f7e fffe ff7e 7efe ff7f 7eff ff7f 7efe .~...~~...~...~.
0x0130: ff7f 7eff feff 7fff feff 7e7f feff 7e7e ..~.......~...~~
0x0140: fefe ff7f 7ffe feff 7f7e fefe 7f7e fffe .........~...~..
0x0150: fe7f 7ffe feff ff7f fefe ff7f fffe feff ................
0x0160: 7ffe fefe 7f7f fefe ........
These are non-stop packets with the same destination port and the same source IP.
Simultaneously, I'm getting hit on a combination of random TCP ports + port 445, at a smaller rate of 5 packets per second. They just seem to be SYN scanners / port 445 knocking attempts.
43.xxx.xxx.xxx.1000 > 200.xxx.xxx.xxx.40476: Flags [S.], cksum 0xaee4 (incorrect -> 0xaedc), seq xxx:xxx, ack xxx, win 8760, length 8
02:30:49.862649 IP (tos 0x0, ttl 239, id 19108, offset 0, flags [DF], proto TCP (6), length 48)
43.xxx.xxx.xxx.1000 > 200.xxx.xxx.xxx.9752: Flags [S.], cksum 0x4dcf (incorrect -> 0x4dc7), seq xxx:xxx, ack xxx, win 8760, length 8
02:30:50.644298 IP (tos 0x0, ttl 239, id 61707, offset 0, flags [DF], proto TCP (6), length 48)
43.xxx.xxx.xxx.1000 > 200.xxx.xxx.xxx.22728: Flags [S.], cksum 0x9ee6 (incorrect -> 0x9ede), seq xxx:xxx, ack xxx, win 8760, length 8
Now begin the 445 probes...
02:31:11.700387 IP (tos 0x48, ttl 106, id 18219, offset 0, flags [DF], proto TCP (6), length 52)
36.xxx.xxx.xxx.63133 > 200.xxx.xxx.xxx.445: Flags [S], cksum 0x5f48 (correct), seq xxx:xxx, ack xxx, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
02:31:21.049800 IP (tos 0x0, ttl 106, id 3996, offset 0, flags [DF], proto TCP (6), length 52)
123.xxx.xxx.xxx.7264 > 200.xxx.xxx.xxx.445: Flags [S], cksum 0x745e (correct), seq xxx:xxx, ack xxx, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
02:31:32.355143 IP (tos 0x48, ttl 110, id 2945, offset 0, flags [DF], proto TCP (6), length 52)
45.xxx.xxx.xxx.61134 > 200.xxx.xxx.xxx.445: Flags [S], cksum 0xda92 (correct), seq xxx:xxx, ack xxx, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
02:31:33.441688 IP (tos 0x28, ttl 109, id 8648, offset 0, flags [DF], proto TCP (6), length 52)
Simultaneously, there are also ~3 packets per second to 4 ports in the range 5000-5100.
02:51:50.124083 IP 49.xxx.xxx.xxx.5060 > 200.xxx.xxx.xxx.50xx: SIP, length: 364
02:51:50.278002 IP 49.xxx.xxx.xxx.5060 > 200.xxx.xxx.xxx.50xx: SIP, length: 371
02:51:51.202326 IP 221.xxx.xxx.xxx.5060 > 200.xxx.xxx.xxx.50xx: SIP, length: 364
02:51:54.078075 IP 49.xxx.xxx.xxx.5060 > 200.xxx.xxx.xxx.50xx: SIP, length: 360
02:51:54.123284 IP 49.xxx.xxx.xxx.5060 > 200.xxx.xxx.xxx.50xx: SIP, length: 364
02:51:54.314175 IP 49.xxx.xxx.xxx.5060 > 200.xxx.xxx.xxx.50xx: SIP, length: 371
On top of that, every hour or so, there is a rapid 300-packets-per-second SYN probe from a single IP to multiple hosts in my subnet, including my DNS provider.
01:40:42.257034 IP 43.xxx.xxx.xxx.9594 > 200.xxx.xxx.xxx.25792: Flags [S.], seq xxx:xxx, ack xxx, win 8760, length 8
01:40:42.257243 IP 43.xxx.xxx.xxx.9594 > 200.xxx.xxx.xxx.62826: Flags [S.], seq xxx:xxx, ack xxx, win 8760, length 8
01:40:42.258176 IP 43.xxx.xxx.xxx.9594 > 200.xxx.xxx.xxx.2613: Flags [S.], seq xxx:xxx, ack xxx, win 8760, length 8
01:40:42.258203 IP 43.xxx.xxx.xxx.9594 > 200.xxx.xxx.xxx.6335: Flags [S.], seq xxx:xxx, ack xxx, win 8760, length 8
01:40:42.258890 IP 43.xxx.xxx.xxx.9594 > DNS.provider: Flags [S.], seq xxx:xxx, ack xxx, win 8760, length 8
01:40:42.258921 IP 43.xxx.xxx.xxx.9594 > 200.xxx.xxx.xxx.32031: Flags [S.], seq xxx:xxx, ack xxx, win 8760, length 8
ALL my ports are filtered (DROP), including blocking UDP and ICMP completely. This is an isolated machine that will eventually open port 80.
So the question I'm interested in is this 280 Kbps UDP flood. What purpose is it serving? Is it a DDoS warning sign?
Combining all IPs, there have been over 5000 unique IPs (I also got SSH brute-force attempts when I opened port 22: a 5 GB log).
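A small triage script for captures like the ones pasted above, added here as an example and not the poster's own tooling. It parses tcpdump's two-line "-v" records, plain one-line records and "-X" hex lines, labels each packet by what its TCP flags mean for a host that DROPs everything (in tcpdump notation "[S.]" is SYN+ACK, "[S]" is a bare SYN), estimates per-source packet and bit rates from inter-arrival times and IP length, and scores the UDP payload against a heuristic: the bytes 0x7e, 0x7f, 0xfe and 0xff are the four lowest-magnitude G.711 mu-law sample codes (0xff is zero), and a 332-byte UDP payload is exactly a 12-byte RTP header plus 320 such samples, i.e. 40 ms of 8 kHz audio. The sample lines are constructed in the shapes of the post's output with RFC 5737 documentation addresses in place of the masked octets; the mu-law reading of the payload is a hypothesis the script tests, not a conclusion the post states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shapes the question shows (-v two-line records, one-line records, -X hex
# lines); RFC 5737 addresses stand in for the masked xxx octets; the hex lines are from the dump above.
SAMPLE = """\
02:29:41.978484 IP (tos 0x0, ttl 48, id 56020, offset 0, flags [DF], proto UDP (17), length 360)
    192.0.2.10.15070 > 198.51.100.5.7072: [udp sum ok] UDP, length 332
    0x0030: fefe 7f7f fefe 7f7f fffe ff7f fffe fe7f ................
    0x0040: 7ffe fe7f 7ffe ff7f 7eff feff ff7e fefe ........~....~..
02:29:41.987575 IP (tos 0x0, ttl 48, id 56021, offset 0, flags [DF], proto UDP (17), length 360)
    192.0.2.10.15070 > 198.51.100.5.7072: [udp sum ok] UDP, length 332
02:30:49.862649 IP (tos 0x0, ttl 239, id 19108, offset 0, flags [DF], proto TCP (6), length 48)
    192.0.2.20.1000 > 198.51.100.5.9752: Flags [S.], cksum 0x4dcf (incorrect -> 0x4dc7), seq 1:9, ack 1, win 8760, length 8
02:31:21.049800 IP (tos 0x0, ttl 106, id 3996, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.30.7264 > 198.51.100.5.445: Flags [S], cksum 0x745e (correct), seq 1, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
02:51:50.124083 IP 192.0.2.40.5060 > 198.51.100.5.5061: SIP, length: 364
02:52:00.258890 IP 192.0.2.20.9594 > DNS.provider: Flags [S.], seq 1:9, ack 1, win 8760, length 8
"""

HEADER_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP \(.*?ttl (\d+),.*?proto (TCP|UDP) \(\d+\), length (\d+)\)\s*$")
INLINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (.+)$")
FLOW_RE = re.compile(r"^\s*(\S+) > (\S+?): (.*)$")
HEX_RE = re.compile(r"^\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{2,4}(?:\s+|$))+)")
ULAW_QUIET = {0x7E, 0x7F, 0xFE, 0xFF}  # G.711 mu-law codes of the four smallest magnitudes (0xFF = 0)

def _secs(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def _endpoint(ep):  # "198.51.100.5.7072" -> ("198.51.100.5", 7072); "DNS.provider" -> ("DNS.provider", None)
    host, _, port = ep.rpartition(".")
    return (host, int(port)) if port.isdigit() else (ep, None)

def parse_tcpdump(text):
    """One dict per packet; -X hex lines attach to the packet they follow."""
    pkts, pending = [], None
    for line in text.splitlines():
        if HEX_RE.match(line) and pkts:
            pkts[-1].setdefault("hex", []).append(line)
            continue
        m = HEADER_RE.match(line)
        if m:  # -v header line; the flow line comes next
            pending = {"t": _secs(m[1]), "ttl": int(m[2]), "proto": m[3], "iplen": int(m[4])}
            continue
        m = INLINE_RE.match(line)
        if m:  # one-line record without -v: no TTL or IP length available
            pending, line = {"t": _secs(m[1]), "ttl": None, "proto": None, "iplen": None}, m[2]
        f = FLOW_RE.match(line)
        if not f or pending is None:
            continue
        pkt = dict(pending, info=f[3])
        pkt["src"], pkt["sport"] = _endpoint(f[1])
        pkt["dst"], pkt["dport"] = _endpoint(f[2])
        fl = re.search(r"Flags \[([^\]]*)\]", pkt["info"])
        pkt["flags"] = fl[1] if fl else None
        pkt["proto"] = pkt["proto"] or ("TCP" if fl else "UDP")
        pkts.append(pkt)
        pending = None
    return pkts

def classify(p):
    """Label by what an unsolicited packet with these flags means at a host that DROPs everything."""
    if p["proto"] == "UDP":
        return "sip-probe" if p["info"].startswith("SIP") else "udp-stream"
    if p["flags"] == "S.":  # SYN+ACK we never solicited: a victim answering SYNs spoofed with our address
        return "syn-ack-backscatter"
    if p["flags"] == "S":
        return "smb-probe" if p["dport"] == 445 else "syn-probe"
    return "other"

def summarize(pkts):
    return Counter(classify(p) for p in pkts)

def per_source_rates(pkts):
    """{src: (pps, kbps)} from mean inter-arrival time and mean IP length; needs >= 2 packets."""
    by_src = defaultdict(list)
    for p in pkts:
        by_src[p["src"]].append(p)
    out = {}
    for src, ps in by_src.items():
        ts = sorted(p["t"] for p in ps)
        lens = [p["iplen"] for p in ps if p["iplen"]]
        if len(ps) > 1 and ts[-1] > ts[0]:
            pps = (len(ps) - 1) / (ts[-1] - ts[0])
            out[src] = (pps, pps * sum(lens) / len(lens) * 8 / 1000 if lens else None)
    return out

def payload_from_hex(pkt):
    """Bytes of whatever -X lines were pasted (the question's dump starts at offset 0x30, inside the UDP payload)."""
    return bytes.fromhex("".join(HEX_RE.match(l)[1] for l in pkt.get("hex", [])).replace(" ", ""))

def ulaw_quiet_fraction(data):
    """Share of bytes that are near-silent G.711 mu-law samples; ~1.0 suggests an RTP stream of silence."""
    return sum(b in ULAW_QUIET for b in data) / len(data) if data else 0.0

if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE)
    print(dict(summarize(pkts)), per_source_rates(pkts), ulaw_quiet_fraction(payload_from_hex(pkts[0])))
```

To run it on a live capture, feed `tcpdump -nn -v -x` output into `parse_tcpdump(sys.stdin.read())`; `-x` prints hex without the ASCII column, which avoids the one weak spot in the hex regex (an ASCII column that happens to start with hex-looking characters). The rate estimate uses mean inter-arrival time, so the two 9 ms-spaced UDP samples reproduce the post's 110 pps and roughly 317 kbps at 360-byte IP length; on a real capture, look at the per-source figures for the UDP sender over a longer window before reading anything into them.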