So far, I have had the following IP's become what I assume is the brunt end of a spoofed SYN flood attack:
139.99.118.123 <- observed from a server where I could not block - lasted almost 4 hours! 45.195.133.8 149.56.180.254
Not sure what the connection is, but if someone knows, feel free to let me know.
Not sure what to make of it yet.
Update Oct 1 2018
The spoofing continues.
Seems to now include some Cloudflare, Google User Content, and random other targets.
The rotating behavior is new as well.
Much of the hate seems directed at:
104.27.154.184 - with other hosts in rotation (off and then on again short burst attacks). 35.229.174.32 - seems to be in second place for the disdain. others... (the burst ones that seem only to be attacked from 1 to 5 minutes at a shot over a 20 to 40 minute interval) 23.247.6.249 35.201.183.114 35.229.174.32 103.37.233.28 103.239.30.128 103.37.233.28 103.49.209.135 103.74.194.188 103.91.58.12 134.175.181.91 149.56.154.192 149.56.154.193 149.56.154.194 149.56.154.195 149.56.180.252 149.56.180.252 149.56.180.253 149.56.180.255 154.85.11.21 167.114.41.148 167.114.41.149 167.114.41.150 167.114.41.150 198.44.230.98 203.205.158.12 203.205.158.22 203.205.158.24 203.205.158.25 203.205.158.44