Hi Shawn,
This is "pretty normal" (normal in a sense that I see this kind of traffic on
all customer networks too when vacation times begin).
Since the COVID-19 outbreak a lot of schools have closed and people have started working from home.
But every time youngsters are on vacation, I see an increase in botnet/scans/hack
traffic/attempts.
73
Ruben ON3RVH
-----Original Message-----
From: 44Net <44net-bounces+on3rvh=on3rvh.be(a)mailman.ampr.org> On Behalf Of Shawn M
Garringer via 44Net
Sent: Thursday, March 12, 2020 17:30
To: 44net(a)mailman.ampr.org
Cc: ampr(a)shawngarringer.org
Subject: [44net] Large increase in inbound suspicious traffic from public internet to
systems on 44 net?
Hello group,
I am wondering if anyone else is seeing the following: starting on 5 March 2020 and
continuing through the present I have detected a large spike in inbound traffic to several
of my AMPR 44 IP addresses (on 44.50.1.0/24). The spike has been large enough that my
logging ELK stack is struggling to keep up.
This traffic is coming from the public internet. Most of these are looking at standard
ports 443, 80, 25, and 22.
These are being directed to IP addresses in my subnet that are not in use, and therefore
are being dropped (but logged) at the firewall. Nothing is running on these IPs so there
is no way the traffic is in response to anything I can find coming from my network.
I realize devices periodically scan the "entire internet" but this is more than
that... in one day I saw 100,000 TCP SYN from a single public IP address. That is a
significant spike and I am not certain why they sent so much traffic from a single IP to a
single IP.
Wondering if anyone else is seeing the same?
73 DE KC0AKY
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net