nanog mailing list archives
Very peculiar Telnet probing (possibly spoofed?)
From: Jeff Kell <jeff-kell () utc edu>
Date: Thu, 09 Sep 2004 01:48:40 -0400
I have been rather reluctant to post this as I had hoped it was just a fluke. But this has been going on for nearly two weeks. We are getting banged by telnet probes from SE Asian sites... over 1000 different ones in all attacking the same address range. I suspect but cannot prove that the packets are being spoofed as we are dropping (not resetting) the probes, yet they continue. There are repeated probes from the same IP address for about 15-20 minutes or more, then it moves along, but the resulting router logs blocking them look initially random (from SE Asia sites). Is someone out there to make a bad statement for APNIC by spoofing the origins, or is this some co-ordinated attack/probe?
The high-order octet of the attackers is consistently within one of these /8 netblocks (though not evenly spread, and cluster around certain address blocks as shown). I haven't heard of anything like this (other than recent SSH brute force, but this is telnet).
I'm getting attacks from:
  159.226.x.x
  202.x.x.x
  203.x.x.x
  210.x.x.x
  211.x.x.x
  218.x.x.x
  219.x.x.x
  220.x.x.x
  221.x.x.x
  222.x.x.x
  61.x.x.x
Again, thousands of probes, about 10-20/sec when they're on a roll. These are attacks on a /18 subnet with only a small subnet (our secured servers) that is in danger (we block/drop telnet inbound to dynamic NAT but accept for static server translations).
It is almost as if someone were spoofing the Asian addresses to 'simulate' an Asian attack, but what with the big bot-nets, I suppose that's a possibility too, but all these addresses (that I looked at) were SE Asian in origin.
After passing the 1000 scanner benchmark today, with some manual aggregation of obvious problem areas, it still continues.
Anyone else seeing this? We're getting this more often than the SSHD scans.

Jeff Kell
Systems/Network Security
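
Added example (not part of the original post): one way to do the triage the message describes from router drop logs, counting distinct scanners per source /8, measuring how long each source keeps probing, and aggregating dense clusters into covering prefixes. The log line format, the sample addresses and the /24 threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in an assumed "timestamp denied tcp src(port) -> dst(port)" format.
SAMPLE_LOG = """\
2004-09-08T01:00:00 denied tcp 202.96.1.10(3312) -> 192.0.2.17(23)
2004-09-08T01:00:05 denied tcp 202.96.1.10(3313) -> 192.0.2.18(23)
2004-09-08T01:17:30 denied tcp 202.96.1.10(3390) -> 192.0.2.40(23)
2004-09-08T01:02:00 denied tcp 202.96.1.77(1044) -> 192.0.2.17(23)
2004-09-08T01:03:00 denied tcp 202.96.1.201(1500) -> 192.0.2.19(23)
2004-09-08T01:04:00 denied tcp 61.150.3.4(2211) -> 192.0.2.17(23)
2004-09-08T01:04:10 denied tcp 61.150.3.4(2212) -> 192.0.2.17(22)
2004-09-08T01:05:00 denied tcp 218.5.6.7(4000) -> 192.0.2.20(23)
"""
LINE = re.compile(r"^(\S+) denied tcp (\d+\.\d+\.\d+\.\d+)\(\d+\) -> \S+\((\d+)\)$")

def summarize(log_text, port=23, block_prefix=24, block_threshold=3):
    """Return (/8 stats, per-source dwell seconds, suggested block list)."""
    seen = defaultdict(list)                      # source IP -> probe timestamps
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and int(m.group(3)) == port:         # only probes to the port of interest
            seen[ip_address(m.group(2))].append(datetime.fromisoformat(m.group(1)))

    by_slash8 = defaultdict(lambda: {"sources": 0, "probes": 0})
    by_block = defaultdict(set)
    dwell = {}
    for src, stamps in seen.items():
        s8 = str(ip_network(f"{src}/8", strict=False))
        by_slash8[s8]["sources"] += 1
        by_slash8[s8]["probes"] += len(stamps)
        by_block[ip_network(f"{src}/{block_prefix}", strict=False)].add(src)
        dwell[str(src)] = int((max(stamps) - min(stamps)).total_seconds())

    # Emit a covering prefix only when enough distinct scanners sit inside it;
    # otherwise list individual hosts, to limit collateral blocking.
    blocks = []
    for net, hosts in sorted(by_block.items()):
        if len(hosts) >= block_threshold:
            blocks.append(str(net))
        else:
            blocks.extend(f"{h}/32" for h in sorted(hosts))
    return dict(by_slash8), dwell, blocks

if __name__ == "__main__":
    stats, dwell, blocks = summarize(SAMPLE_LOG)
    print(stats, dwell, blocks, sep="\n")
```
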