The continuing saga of the Brazilian SYN flood attack

The SYN attacks have not abated [1]. I thought they had—for the past 36 hours or so it was quiet, but no, it picked back up again. In the meantime, I did find one person who had the same issues about 18 months ago: “A SYN flood DDoS (Distributed Denial of Service) attack up close and personal [2]” and “My DDoS attack: the rest of the story [3].” It's nothing I didn't already know.

I also received email from someone else under this attack, and after a bit of discussion some theories were offered:

> From: Koro
> To: Sean Conner
> Subject: Re: SYN attack
> Date: Sat, 14 Feb 2026 22:33:11 -0500
>
> …
>
> Given that it's the same subnets at the same time on different servers
> (geographically diverse), I don't think they notice if a single host blocks
> them, they probably just spray the entire Internet from one or more
> subnets, and switch it up when that becomes less effective.
>
> I have two theories as to what it could be:
>
> 1. Attempting to get Brazil blocked everywhere, as some sort of “reverse
> Chinese firewall”, by lowering their IP (Internet Protocol) ranges'
> reputation until everything either treats them as untrusted or outright
> blocks them by default. Possibly by spoofing source IPs altogether.
>
> 2. Data collection. Assuming they can receive the ACK responses, it would
> allow them to keep a live map of which hosts have HTTPS (HyperText Transfer
> Protocol Secure) open, and for hosts which end up blocking them, the
> correlation between them. For example, I update my blocklists on the first
> server, and once everything from today is blocked, copy them over to the
> two other servers. Those servers are otherwise completely unrelated:
> different geographical locations, hosting companies, IP subnets, domain
> names. From the attacker's POV (Point Of View) however, they always go dark
> at almost the same time, which indicates a strong correlation between them.
> This data could be very valuable if collected over a long period of time,
> and resold.
>
> Another interesting thing is that on one of my servers, the one in Europe,
> one time, I found the same kind of attack happening, but this time, it was
> hosts from subnets all located in Turkey. Blocked them all, then it did not
> come back again. However, the attack had the same “signature”, which makes
> me believe the attacker(s) can choose their source country at will.
>
> …

As for the first theory—which country (or organization) has it out for Brazil to go to such lengths? As for the second one—it's possible, but I'm not sure to what end. What could be valuable enough to scan the Internet this way when one could just cross-check IP addresses against routing ASNs (Autonomous System Numbers)? It seems like more trouble than it's worth.

Anyway, around the time I had this email exchange, I was also talking about this to my friend Smirk (disclaimer: he runs the hosting company I'm using for this site), and he suggested I just use Cloudflare to filter this bogus traffic. I could, but that would just consolidate the Internet even more, and I don't want to be a party to that. I'm weird that way, I guess (as I adjust my tin-foil hat).

So as the attacks come from different blocks, I add them to the ever-growing list of blocks in the firewall (around 30 so far). And I still have no good idea why they happen.

[1] gopher://gopher.conman.org/0Phlog:2026/01/29.1

[2] https://www.dgregscott.com/a-syn-flood-ddos-attack-up-close-and-personal/

[3] https://www.dgregscott.com/my-ddos-attack-the-rest-of-the-story/

Email Sean Conner at sean@conman.org.
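The post describes picking out the offending source blocks by hand and adding them to the firewall. Below is an added example (my code, not Sean's, and not taken from the post) that does the same bookkeeping from the output of a half-open-connection listing: it groups peers by /24, flags blocks that account for more than a threshold of half-open connections, and emits firewall rules for them. The input lines are constructed in the style of `ss -tn state syn-recv` output; the iptables syntax is an assumption, since the post does not say which firewall is in use. Note the caveat raised in the quoted email: if the source addresses are spoofed, source-based blocking only stops the spoofed range, so SYN cookies or rate limiting at the kernel level remain the first line of defence.

```python
# Added example: aggregate half-open (SYN-RECV) connections per /24 source
# block and produce block rules, as the post describes doing manually.
import ipaddress
from collections import Counter

# Constructed sample lines in `ss -tn state syn-recv` style:
# recv-q send-q local-address:port peer-address:port
SAMPLE = """\
0 0 203.0.113.10:443 198.51.100.7:51234
0 0 203.0.113.10:443 198.51.100.9:44512
0 0 203.0.113.10:443 198.51.100.77:60001
0 0 203.0.113.10:443 198.51.100.130:4040
0 0 203.0.113.10:443 192.0.2.5:33333
0 0 203.0.113.10:443 192.0.2.6:33334
0 0 203.0.113.10:443 192.0.2.7:33335
0 0 203.0.113.10:443 192.0.2.8:33336
0 0 203.0.113.10:443 192.0.2.9:33337
0 0 203.0.113.10:443 10.1.1.1:5000
"""


def peer_addresses(text):
    """Yield the peer IPv4 address from each line (last column, ip:port)."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # header or malformed line
        host, _, _port = fields[-1].rpartition(":")
        try:
            yield ipaddress.ip_address(host)
        except ValueError:
            continue  # not an address; skip rather than crash


def count_by_block(addrs, prefix=24):
    """Count half-open connections per /prefix network."""
    counts = Counter()
    for addr in addrs:
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        counts[net] += 1
    return counts


def blocks_to_ban(text, threshold=3, prefix=24):
    """Return networks (as strings) with at least `threshold` half-open
    connections, busiest first. A single stray peer never gets blocked."""
    counts = count_by_block(peer_addresses(text), prefix)
    return [str(net) for net, n in counts.most_common() if n >= threshold]


def iptables_rules(nets):
    """Render one DROP rule per network (iptables syntax assumed)."""
    return [f"iptables -I INPUT -s {net} -j DROP" for net in nets]


if __name__ == "__main__":
    for rule in iptables_rules(blocks_to_ban(SAMPLE)):
        print(rule)
```

Run against live data with `ss -tn state syn-recv | python3 this.py` after swapping `SAMPLE` for `sys.stdin.read()`; the threshold and prefix length are the two knobs worth tuning, since a /24 is a guess at the granularity the post's "blocks" refer to.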