On 8/16/19 3:50 PM, Emille Blanc wrote:
Thanks for the various responses. The pattern I (and apparently quite a
few others) are seeing differs from an ordinary probe in that it is
repeated a few times per second (if somebody wants to know who has a
visible ssh server on port 22, and what version of sshd is running, they
don't have to hit it multiple times per second). It differs from a SYN
flood DoS attack in that its rate is too low to be effective. And it
differs from both a port probe and a SYN flood attack (or somebody
"learning how to use nmap") in that it is targeting a broad set of
destinations in parallel
Seen a similar pattern a few years ago. Discovered it's a couple of students basically developing mass scanning software for a bachelor's degree who forgot to turn the running code off production before the summer break.
That's the white noise of the Internet. Unless it's hitting you multiple thousand times/s as opposed to multiple times/s, it's only a matter of unpaid curiosity to start figuring out the reason. I guess Amazon or microsoft dot com have quite a museum of that stuff.
--
Töma