does this sound like a DDOS attack?
Posted on 2013-12-18
I have an SHDSL service with a static IP address. There is a watchguard firebox appliance protecting the network. I don't host anything from this service, but I do point an MX record to the IP address. So port 25 is open, but most other ports are closed.
About 6 weeks ago, I started to notice about 60-70,000 hits a day, almost always to UDP ports with high numbers - 28502 for example - from many many different IP addresses.
The ports that are hit seem to go in waves - there'll be 36 hours of address 28502, then it will change to 6881, then 63535, 27392 etc. Each address will get a hammering, then they move on to the next address. Eventually, they return to the same addresses again.
My appliance is blocking all these requests, so nothing bad has happened. I'm just looking for some advice. What are they trying to acheive? Is it a port scan? if so, wouldn't they have given up by now?
I asked my ISP about it. He told me I must be running some P2P software internally. I'm not. He then told me not to worry about it. That many hits per day would not be affecting my service level.
I've been considering getting my IP address changed - bit of a hassle as the MX record points to it - but was just wondering - is this kind of thing normal on today's internet? Should I just expect to get 70,000 hits per day of people 'trying it on'?
Any opinions/advice would be most welcome.