I noticed numerous alerts and then strange TCP traffic that is interfering with prod-storage:
15:53:26.316341 IP 10.2.0.5.443 > 45.232.215.232.15979: Flags [S.], seq 2740203946, ack 2589947740, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:26.508326 IP 10.2.0.5.443 > 45.232.215.226.47278: Flags [S.], seq 4159683981, ack 436056479, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:26.512326 IP 10.2.0.5.443 > 45.232.215.226.16599: Flags [S.], seq 2148922005, ack 2640738760, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:26.572333 IP 10.2.0.5.443 > 45.232.215.227.15982: Flags [S.], seq 3273068686, ack 3993057119, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:26.685727 IP 45.232.215.225.17499 > 10.2.0.5.443: Flags [S], seq 3356433739, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:53:26.685742 IP 10.2.0.5.443 > 45.232.215.225.17499: Flags [S.], seq 1158885774, ack 3356433740, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:26.828355 IP 10.2.0.5.443 > 45.232.215.228.49499: Flags [S.], seq 2459425178, ack 3495533132, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:26.828368 IP 10.2.0.5.443 > 45.232.215.232.16380: Flags [S.], seq 1081581160, ack 3103865069, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:26.988329 IP 10.2.0.5.443 > 45.232.215.226.10067: Flags [S.], seq 1765959953, ack 3072073796, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:27.084328 IP 10.2.0.5.443 > 45.232.215.227.17669: Flags [S.], seq 3659296312, ack 2724863478, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:27.084342 IP 10.2.0.5.443 > 45.232.215.232.43557: Flags [S.], seq 940180160, ack 3350168342, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:27.141806 IP 45.232.215.225.17488 > 10.2.0.5.443: Flags [S], seq 3730005312, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:53:27.141830 IP 10.2.0.5.443 > 45.232.215.225.17488: Flags [S.], seq 2102033108, ack 3730005313, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:27.212326 IP 10.2.0.5.443 > 45.232.215.225.46696: Flags [S.], seq 697157215, ack 4061638489, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:27.344336 IP 10.2.0.5.443 > 45.232.215.228.17700: Flags [S.], seq 2558554673, ack 2695511573, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:27.500327 IP 10.2.0.5.443 > 45.232.215.226.46614: Flags [S.], seq 1735493651, ack 3338456839, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:27.596327 IP 10.2.0.5.443 > 45.232.215.227.46277: Flags [S.], seq 1330860632, ack 3552087478, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:27.596347 IP 10.2.0.5.443 > 45.232.215.232.47537: Flags [S.], seq 620248681, ack 2547315362, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:27.628555 IP 45.232.215.225.16867 > 10.2.0.5.443: Flags [S], seq 3514071763, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:53:27.628575 IP 10.2.0.5.443 > 45.232.215.225.16867: Flags [S.], seq 3989820395, ack 3514071764, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:27.692331 IP 10.2.0.5.443 > 45.232.215.225.17499: Flags [S.], seq 1158885774, ack 3356433740, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:27.852330 IP 10.2.0.5.443 > 45.232.215.228.49838: Flags [S.], seq 755864492, ack 3254778783, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:28.048327 IP 10.2.0.5.443 > 45.232.215.226.47065: Flags [S.], seq 2267974661, ack 597348554, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:28.108343 IP 10.2.0.5.443 > 45.232.215.227.42894: Flags [S.], seq 3349967289, ack 3390349439, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:28.127061 IP 45.232.215.225.14901 > 10.2.0.5.443: Flags [S], seq 1263285029, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:53:28.127080 IP 10.2.0.5.443 > 45.232.215.225.14901: Flags [S.], seq 1085070635, ack 1263285030, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:28.172332 IP 10.2.0.5.443 > 45.232.215.225.17488: Flags [S.], seq 2102033108, ack 3730005313, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:28.364328 IP 10.2.0.5.443 > 45.232.215.231.43708: Flags [S.], seq 2918819268, ack 4084712365, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:28.524327 IP 10.2.0.5.443 > 45.232.215.226.47278: Flags [S.], seq 4159683981, ack 436056479, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:28.605602 IP 45.232.215.225.11364 > 10.2.0.5.443: Flags [S], seq 1066673492, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:53:28.605623 IP 10.2.0.5.443 > 45.232.215.225.11364: Flags [S.], seq 1762659105, ack 1066673493, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:28.656327 IP 10.2.0.5.443 > 45.232.215.225.16867: Flags [S.], seq 3989820395, ack 3514071764, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.077126 IP 45.232.215.225.48445 > 10.2.0.5.443: Flags [S], seq 4076320301, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:53:29.077142 IP 10.2.0.5.443 > 45.232.215.225.48445: Flags [S.], seq 3803350188, ack 4076320302, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.132324 IP 10.2.0.5.443 > 45.232.215.228.15840: Flags [S.], seq 3258301958, ack 3284752081, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.132327 IP 10.2.0.5.443 > 45.232.215.226.13968: Flags [S.], seq 700891921, ack 2471120769, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.132336 IP 10.2.0.5.443 > 45.232.215.231.48629: Flags [S.], seq 2689341780, ack 1943852774, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.132342 IP 10.2.0.5.443 > 45.232.215.225.14901: Flags [S.], seq 1085070635, ack 1263285030, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.228325 IP 10.2.0.5.443 > 45.232.215.225.46696: Flags [S.], seq 697157215, ack 4061638489, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.455967 IP 45.232.215.225.49524 > 10.2.0.5.443: Flags [S], seq 77380196, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:53:29.455985 IP 10.2.0.5.443 > 45.232.215.225.49524: Flags [S.], seq 1997943706, ack 77380197, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.612328 IP 10.2.0.5.443 > 45.232.215.225.11364: Flags [S.], seq 1762659105, ack 1066673493, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.644331 IP 10.2.0.5.443 > 45.232.215.228.48039: Flags [S.], seq 1305040059, ack 3625366680, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.644331 IP 10.2.0.5.443 > 45.232.215.226.47646: Flags [S.], seq 3653609187, ack 1820439311, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.644343 IP 10.2.0.5.443 > 45.232.215.231.44849: Flags [S.], seq 3259224027, ack 407939106, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.708333 IP 10.2.0.5.443 > 45.232.215.225.17499: Flags [S.], seq 1158885774, ack 3356433740, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.761443 IP 45.232.215.225.14954 > 10.2.0.5.443: Flags [S], seq 3530642266, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:53:29.761465 IP 10.2.0.5.443 > 45.232.215.225.14954: Flags [S.], seq 677576847, ack 3530642267, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:29.904323 IP 10.2.0.5.443 > 45.232.215.226.50648: Flags [S.], seq 1326636753, ack 2407177929, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:30.092327 IP 10.2.0.5.443 > 45.232.215.225.48445: Flags [S.], seq 3803350188, ack 4076320302, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:30.156327 IP 10.2.0.5.443 > 45.232.215.226.10048: Flags [S.], seq 1423610869, ack 1504190513, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:30.156327 IP 10.2.0.5.443 > 45.232.215.228.16357: Flags [S.], seq 4169462343, ack 1122908374, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:30.156341 IP 10.2.0.5.443 > 45.232.215.231.45645: Flags [S.], seq 338745037, ack 1350806334, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:30.188330 IP 10.2.0.5.443 > 45.232.215.225.17488: Flags [S.], seq 2102033108, ack 3730005313, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:30.239558 IP 45.232.215.225.14041 > 10.2.0.5.443: Flags [S], seq 2092502985, win 65535, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
15:53:30.239579 IP 10.2.0.5.443 > 45.232.215.225.14041: Flags [S.], seq 997784734, ack 2092502986, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:53:30.480327 IP 10.2.0.5.443 > 45.232.215.225.49524: Flags [S.], seq 1997943706, ack 77380197, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
For now I will block offending IP subnets.
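
Added example, not part of the original report: in the trace above the server at 10.2.0.5:443 re-sends SYN-ACKs with an unchanged `seq` (for example to 45.232.215.225.17499), which means no final ACK arrived for that handshake. The sketch below counts such unanswered handshakes per client subnet from tcpdump text output, which gives a basis for choosing which subnets to block. The function name, the `/24` grouping, and the sample lines (documentation address ranges) are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# tcpdump text line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<f>], seq <n>"
LINE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
    r"Flags \[([^\]]+)\](?:, seq (\d+))?"
)

def half_open_by_subnet(lines, server_ip, prefix=24):
    """Per client subnet: handshakes the server answered with a SYN-ACK but
    that show no client ACK in the capture, plus SYN-ACK retransmissions."""
    synacks = defaultdict(int)  # (client_ip, client_port, server_seq) -> times sent
    completed = set()           # (client_ip, client_port) seen sending an ACK
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags, seq = m.groups()
        if src == server_ip and flags == "S.":
            synacks[(dst, dport, seq)] += 1
        elif dst == server_ip and "." in flags and not set(flags) & {"S", "R"}:
            completed.add((src, sport))
    stats = defaultdict(lambda: {"half_open": 0, "retransmits": 0})
    for (ip, port, _seq), sent in synacks.items():
        if (ip, port) in completed:
            continue
        net = str(ip_network(f"{ip}/{prefix}", strict=False))
        stats[net]["half_open"] += 1
        stats[net]["retransmits"] += sent - 1
    return dict(stats)

# Constructed sample in the same format as the trace (not taken from the report).
SAMPLE = [
    "15:00:00.000001 IP 198.51.100.7.40001 > 10.2.0.5.443: Flags [S], seq 100, win 65535, length 0",
    "15:00:00.000020 IP 10.2.0.5.443 > 198.51.100.7.40001: Flags [S.], seq 900, ack 101, win 64240, length 0",
    "15:00:01.010000 IP 10.2.0.5.443 > 198.51.100.7.40001: Flags [S.], seq 900, ack 101, win 64240, length 0",
    "15:00:01.200000 IP 10.2.0.5.443 > 198.51.100.9.40002: Flags [S.], seq 901, ack 201, win 64240, length 0",
    "15:00:02.000000 IP 203.0.113.4.50000 > 10.2.0.5.443: Flags [S], seq 300, win 64240, length 0",
    "15:00:02.000015 IP 10.2.0.5.443 > 203.0.113.4.50000: Flags [S.], seq 902, ack 301, win 64240, length 0",
    "15:00:02.030000 IP 203.0.113.4.50000 > 10.2.0.5.443: Flags [.], ack 1, win 502, length 0",
]

if __name__ == "__main__":
    for net, s in sorted(half_open_by_subnet(SAMPLE, "10.2.0.5").items()):
        print(net, s)
```

The counts are only meaningful if the capture filter also records client ACKs; a capture limited to SYN packets makes every handshake look half-open.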