nanog mailing list archives
Re: how to deal with port scan and brute force attack from AS 8075 ?
From: Bacon Zombie <baconzombie () gmail com>
Date: Thu, 31 Mar 2016 11:36:51 +0200
I would ignore the portscans since there is nothing wrong with portscanning
the Internet.
Install fail2ban {don't forgot to whitelist your management static IPs}.
You may want to increase the default bantime and findtime {how far back to
search logs}.
On 31 Mar 2016 11:06, "Todd Crane" <todd.crane () n5tech com> wrote:
I must have missed that… my bad.On Mar 31, 2016, at 2:01 AM, Dan Hollis <goemon () sasami anime net> wrote: It's right there in his email: "We have sent email to abuse () microsoft com, but no answer." -Dan On Thu, 31 Mar 2016, Todd Crane wrote:Oh and, I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool,not to mention unprofessional, to publicly call them out on such a public forum without giving them an opportunity to correct it first.On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane () n5tech com> wrote: Marcel Depending on what is on those machines, I would just recommend usingfail2ban. The default is that if an ip address fails ssh auth 3 times in 5 minutes, their ip gets blocked via iptables for 5 minutes. This is enough to thwart most scripted attacks, especially those from a certain government in Asia. This is configurable to various applications, timing schemes, and blocking/jailing mechanisms.-ToddOn Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <nanog () nanog org> wrote:Dear Nanog'er, We are facing a lot of port scan and brute force attack on port 22(butnot limited to) from Microsoft AS 8075 range toward our own infra, or toward our customers. We have sent email to abuse () microsoft com, but no answer. source ip are: NetRange: 40.74.0.0 - 40.125.127.255 CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16, 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12,40.120.0.0/14NetName: MSFT We consider port scan and brute force on ssh port as an attack, andevenas a pre-DDOS phase (could be use to install botnet, detect unpatched host, and so one). It's one thing to propose services and make money over an infra, it'sanother thing to take care that you clients do not use this infra tomakeillegal stuffs. How do you deal with such massive amount of 'illegal' traffic ? Thank, Best Regards Marcel He are some examples (we have more than 3000 such packets per day just from them, probably Azure), and source ip is always differents ofcourse:Flow Filtering Expression src AS 8075 and dst port 22 and packets=1 Limit Flows 40000 Sorting By Date Date_first_seen Duration Proto _IP_Addr:Port Dst_IP_Addr:Port Flags Packets 2016-02-29 14:55:20.108 0.000 6 104.45.210.69:1160 -> x.x.231:22 ...... 1 2016-02-29 14:55:20.611 0.000 6 104.45.210.69:1161 -> x.x.231:22 ...... 1 2016-02-29 14:56:41.004 0.000 6 40.76.55.204:1090 -> x.x..14:22 ...... 1 2016-02-29 14:56:41.324 0.000 6 40.76.55.204:1091 -> x.x..14:22 ...... 1 2016-02-29 15:00:05.670 0.000 6 40.76.55.204:1088 -> x.x.125:22 ...... 1 2016-02-29 15:00:06.003 0.000 6 40.76.55.204:1089 -> x.x.125:22 ...... 1 2016-02-29 15:01:17.358 0.000 6 40.76.70.58:1168 -> x.x..80:22 ...... 1 2016-02-29 15:01:17.676 0.000 6 40.76.70.58:1169 -> x.x..80:22 ...... 1 2016-02-29 15:02:42.637 0.000 6 40.76.55.204:1176 -> x.x.193:22 ...... 1 2016-02-29 15:02:42.878 0.000 6 40.76.55.204:1177 -> x.x.193:22 ...... 1 2016-02-29 15:02:48.067 0.000 6 104.45.210.69:1160 -> x.x.173:22 ...... 1 2016-02-29 15:02:48.394 0.000 6 104.45.210.69:1161 -> x.x.173:22 ...... 1 2016-02-29 15:03:18.854 0.000 6 40.121.53.153:1041 -> x.x..88:22 ...... 1 2016-02-29 15:03:19.172 0.000 6 40.121.53.153:1042 -> x.x..88:22 ...... 1 2016-02-29 15:06:36.248 0.000 6 40.76.55.204:1056 -> x.x..45:22 ...... 1 2016-02-29 15:07:31.882 0.000 6 40.76.80.17:44895 -> x.x..75:22 ...... 1 2016-02-29 15:07:32.245 0.000 6 40.76.80.17:44896 -> x.x..75:22 ...... 1 2016-02-29 15:09:08.433 0.000 6 40.76.70.58:1168 -> x.x..31:22 ...... 1 2016-02-29 15:09:08.744 0.000 6 40.76.70.58:1169 -> x.x..31:22 ...... 1 2016-02-29 15:11:45.668 0.000 6 40.76.80.17:47993 -> x.x.157:22 ...... 1 2016-02-29 15:11:45.987 0.000 6 40.76.80.17:47994 -> x.x.157:22 ...... 1 2016-02-29 15:12:09.543 0.000 6 40.76.70.58:1168 -> x.x..24:22 ...... 1 2016-02-29 15:12:09.925 0.000 6 40.76.70.58:1169 -> x.x..24:22 ...... 1 2016-02-29 15:17:05.920 0.000 6 40.76.70.58:1168 -> x.x.243:22 ...... 1 2016-02-29 15:17:06.241 0.000 6 40.76.70.58:1169 -> x.x.243:22 ...... 1 2016-02-29 15:19:21.364 0.000 6 40.83.121.211:62936 -> x.x..81:22 ...... 1 2016-02-29 15:19:21.704 0.000 6 40.83.121.211:62937 -> x.x..81:22 ...... 1 2016-02-29 15:19:45.891 0.000 6 40.76.70.58:1168 -> x.x..39:22 ...... 1 2016-02-29 15:19:46.273 0.000 6 40.76.70.58:1169 -> x.x..39:22 ...... 1 2016-02-29 15:21:52.030 0.000 6 40.76.70.58:1168 -> x.x.120:22 ...... 1 2016-02-29 15:21:52.349 0.000 6 40.76.70.58:1169 -> x.x.120:22 ...... 1 2016-02-29 15:24:07.614 0.000 6 40.76.55.204:1048 -> x.x.237:22 ...... 1 2016-02-29 15:24:07.933 0.000 6 40.76.55.204:1128 -> x.x.237:22 ...... 1 2016-02-29 15:27:31.289 0.000 6 40.121.53.153:1041 -> x.x.133:22 ...... 1 2016-02-29 15:27:31.544 0.000 6 40.121.53.153:1042 -> x.x.133:22 ...... 1 2016-02-29 15:27:59.120 0.000 6 40.76.70.58:1168 -> x.x.9.3:22 ...... 1 2016-02-29 15:27:59.440 0.000 6 40.76.70.58:1169 -> x.x.9.3:22 ...... 1 2016-02-29 15:29:30.933 0.000 6 40.76.70.58:1168 -> x.x.211:22 ...... 1 2016-02-29 15:29:31.031 0.000 6 40.76.70.58:1169 -> x.x.211:22 ...... 1 2016-02-29 15:29:33.729 0.000 6 40.76.55.204:1142 -> x.x.166:22 ...... 1 2016-02-29 15:29:34.032 0.000 6 40.76.55.204:1143 -> x.x.166:22 ...... 1 2016-02-29 15:31:41.947 0.000 6 40.76.70.58:1168 -> x.x.137:22 ...... 1 2016-02-29 15:31:42.266 0.000 6 40.76.70.58:1169 -> x.x.137:22 ...... 1 2016-02-29 15:32:10.044 0.000 6 40.121.53.153:1041 -> x.x..71:22 ...... 1 2016-02-29 15:32:10.348 0.000 6 40.121.53.153:1042 -> x.x..71:22 ...... 1 2016-02-29 15:32:10.442 0.000 6 104.45.210.69:1161 -> x.x.246:22 ...... 1 2016-02-29 15:32:10.475 0.000 6 104.45.210.69:1160 -> x.x.246:22 ...... 1 2016-02-29 15:32:29.165 0.000 6 40.121.143.132:1040 -> x.x..62:22 ...... 1 2016-02-29 15:32:29.466 0.000 6 40.121.143.132:1041 -> x.x..62:22 ...... 1 2016-02-29 15:37:07.616 0.000 6 40.76.80.17:56902 -> x.x..51:22 ...... 1 2016-02-29 15:37:07.925 0.000 6 40.76.80.17:56903 -> x.x..51:22 ...... 1 2016-02-29 15:40:04.546 0.000 6 40.121.53.153:1041 -> x.x.186:22 ...... 1 2016-02-29 15:40:04.866 0.000 6 40.121.53.153:1042 -> x.x.186:22 ...... 1 2016-02-29 15:40:28.870 0.000 6 40.76.70.58:1168 -> x.x.171:22 ...... 1 2016-02-29 15:40:29.125 0.000 6 40.76.70.58:1169 -> x.x.171:22 ...... 1 2016-02-29 15:41:57.034 0.000 6 40.76.55.204:1128 -> x.x.181:22 ...... 1 2016-02-29 15:41:57.354 0.000 6 40.76.55.204:1176 -> x.x.181:22 ...... 1 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.163:22 ...... 1 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.176:22 ...... 1 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.206:22 ...... 1 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.158:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.185:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.251:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.255:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.141:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.136:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.235:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.242:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.240:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.100:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.244:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.217:22 ...... 1 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x..72:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.221:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.5.4:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.150:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.145:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.119:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..52:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..75:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.127:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..22:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..77:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.246:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.137:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..85:22 ...... 1 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..35:22 ...... 1
Current thread:
- how to deal with port scan and brute force attack from AS 8075 ? marcel.duregards--- via NANOG (Mar 31)
- Re: how to deal with port scan and brute force attack from AS 8075 ? Robert Kisteleki (Mar 31)
- Re: how to deal with port scan and brute force attack from AS 8075 ? Joe Klein (Mar 31)
- Re: how to deal with port scan and brute force attack from AS 8075 ? Todd Crane (Mar 31)
- Re: how to deal with port scan and brute force attack from AS 8075 ? Todd Crane (Mar 31)
- Message not available
- Re: how to deal with port scan and brute force attack from AS 8075 ? Todd Crane (Mar 31)
- Re: how to deal with port scan and brute force attack from AS 8075 ? Bacon Zombie (Mar 31)
- Re: how to deal with port scan and brute force attack from AS 8075 ? Todd Crane (Mar 31)
- Re: how to deal with port scan and brute force attack from AS 8075 ? marcel.duregards--- via NANOG (Mar 31)
- Re: how to deal with port scan and brute force attack from AS 8075 ? Robert Kisteleki (Mar 31)
- Re: how to deal with port scan and brute force attack from AS 8075 ? alvin nanog (Mar 31)