I manage newgrounds.com which gets quite a bit of traffic. We'll get what I think are DDoS attacks at least once a month. I can see our connection tracking stats go up to the millions and traffic spikes way up of course.
I don't know WHY they do this, but last time it happened we got an abuse report saying that we were reported for port scanning from our main firewall / proxy box. Somehow they had reflected traffic off our firewall / proxy to make it try to connect to a bunch of IPs on a known trojan port.
I have no idea how they did this, but it appears that this time around we were being used to scan ports. This is just a stock Debian box with a firewall and port 80 open. Scary.
> I don't know WHY they do this, but last time it happened we got an abuse report saying that we were reported for port scanning from our main firewall / proxy box. Somehow they had reflected traffic off our firewall / proxy to make it try to connect to a bunch of IPs on a known trojan port.
Not sure it's solved, but I added some additional firewall rules to block certain types of ICMP packets that they were sending and added some additional logging for when it happens again.
They wouldn't necessarily have received useful data from it. Consider what happens if you spoof the sender IP and port in the first packet of a TCP handshake: the recipient will send a response to the spoofed IP, making it look like they are the bad guys.
Someone isn't filtering Martians properly, or those spoofed packets would have been filtered before they reached you.
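The mechanism described in the reply above (a SYN with a spoofed source address makes your server send its SYN-ACK to the spoofed host, which then sees your IP "connecting" to it) leaves a recognizable trace in the firewall's connection-tracking table: many half-open entries that never complete the handshake, all pointing at different "clients" that share one source port. The following is an added example, not code from anyone in this thread, that parses conntrack-style records and flags that pattern. The record format follows the shape of `conntrack -L` output; every address, port and counter in the sample is constructed for the example, and the threshold (`min_victims`) is an assumption to tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `conntrack -L` output (values invented for this example).
# First src/dst/sport/dport group is the original direction (the SYN that reached us);
# the second group is the reply direction (the SYN-ACK we sent back).
# SYN_RECV means we answered the SYN but never got the final ACK: a half-open handshake.
SAMPLE_CONNTRACK = """\
tcp      6 57 SYN_RECV src=203.0.113.10 dst=198.51.100.5 sport=12345 dport=80 src=198.51.100.5 dst=203.0.113.10 sport=80 dport=12345
tcp      6 56 SYN_RECV src=203.0.113.11 dst=198.51.100.5 sport=12345 dport=80 src=198.51.100.5 dst=203.0.113.11 sport=80 dport=12345
tcp      6 58 SYN_RECV src=203.0.113.12 dst=198.51.100.5 sport=12345 dport=80 src=198.51.100.5 dst=203.0.113.12 sport=80 dport=12345
tcp      6 55 SYN_RECV src=203.0.113.13 dst=198.51.100.5 sport=12345 dport=80 src=198.51.100.5 dst=203.0.113.13 sport=80 dport=12345
tcp      6 431990 ESTABLISHED src=192.0.2.44 dst=198.51.100.5 sport=51012 dport=80 src=198.51.100.5 dst=192.0.2.44 sport=80 dport=51012 [ASSURED]
tcp      6 431980 ESTABLISHED src=192.0.2.45 dst=198.51.100.5 sport=49876 dport=80 src=198.51.100.5 dst=192.0.2.45 sport=80 dport=49876 [ASSURED]
tcp      6 59 SYN_RECV src=192.0.2.46 dst=198.51.100.5 sport=50500 dport=80 src=198.51.100.5 dst=192.0.2.46 sport=80 dport=50500
"""

# One TCP conntrack record: protocol, timeout, state, original tuple, optional [UNREPLIED], reply tuple.
CONNTRACK_RE = re.compile(
    r"^tcp\s+6\s+(?P<timeout>\d+)\s+(?P<state>\S+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+"
    r"(?:\[UNREPLIED\]\s+)?"
    r"src=(?P<rsrc>\S+)\s+dst=(?P<rdst>\S+)\s+sport=(?P<rsport>\d+)\s+dport=(?P<rdport>\d+)"
)


def parse_conntrack(text):
    """Parse conntrack-style TCP records into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = CONNTRACK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "state": d["state"],
            "src": d["src"],                   # claimed client address (the spoofed victim, if reflected)
            "dst": d["dst"],                   # our service address
            "sport": int(d["sport"]),          # client port; becomes the dport of our SYN-ACK
            "dport": int(d["dport"]),          # our service port
            "reply_dst": d["rdst"],            # where our SYN-ACK actually went
            "reply_dport": int(d["rdport"]),
        })
    return entries


def find_reflected_syn_acks(entries, min_victims=3):
    """Group half-open (SYN_RECV) entries by (service port, client port).

    A legitimate client population spreads across ephemeral source ports. Many distinct
    "clients" that all never finish the handshake and all share one source port is the
    signature of spoofed SYNs reflecting our SYN-ACKs onto that port at third parties.
    Returns {(service_port, reflected_target_port): [victim IPs, sorted]} for groups
    reaching min_victims (threshold is an assumption; tune it to your traffic).
    """
    victims = defaultdict(set)
    for e in entries:
        if e["state"] != "SYN_RECV":
            continue
        victims[(e["dport"], e["sport"])].add(e["src"])
    return {key: sorted(ips) for key, ips in victims.items() if len(ips) >= min_victims}


if __name__ == "__main__":
    hits = find_reflected_syn_acks(parse_conntrack(SAMPLE_CONNTRACK))
    for (service_port, target_port), ips in hits.items():
        print(f"port {service_port}: SYN-ACKs reflected to port {target_port} on {len(ips)} hosts: {ips}")
```

On the constructed sample this reports the four half-open entries that share source port 12345 and ignores both the established sessions and the single stray SYN_RECV on an ordinary ephemeral port. The same grouping works over a periodic dump of the live table, which also gives you the evidence (target port, victim addresses, timing) to answer an abuse report with. Note that Linux SYN cookies (`net.ipv4.tcp_syncookies`) protect the server's own resources under a SYN flood but do not stop the SYN-ACK from being sent, so the reflection itself is only removed by ingress filtering of spoofed sources upstream, which is the point the last reply makes.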