how to deal with port scan and brute force attack from AS 8075 ?

marcel.duregards at yahoo.fr marcel.duregards at yahoo.fr
Thu Mar 31 08:02:05 UTC 2016


Dear Nanog'er,

We are facing a lot of port scans and brute force attacks on port 22 (but
not limited to it) from the Microsoft AS 8075 range toward our own infra, or
toward our customers.
We have sent an email to abuse at microsoft.com, but have had no answer.

Source IPs are:
NetRange:       40.74.0.0 - 40.125.127.255
CIDR:           40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
NetName:        MSFT



We consider port scans and brute force on the ssh port as an attack, and even
as a pre-DDoS phase (it could be used to install botnets, detect unpatched
hosts, and so on).

It's one thing to offer services and make money over an infra; it's
another thing to take care that your clients do not use this infra to do
illegal stuff.


How do you deal with such a massive amount of 'illegal' traffic?

Thanks,
Best Regards
Marcel





Here are some examples (we have more than 3000 such packets per day just
from them, probably Azure), and the source IP is always different of course:


Flow Filtering Expression
  src AS 8075 and dst port 22 and packets=1
Limit Flows
  40000
Sorting
  By Date

Date_first_seen          Duration Proto     Src_IP_Addr:Port    Dst_IP_Addr:Port   Flags Packets
2016-02-29 14:55:20.108     0.000 6    104.45.210.69:1160  -> x.x.231:22    ......      1
2016-02-29 14:55:20.611     0.000 6    104.45.210.69:1161  -> x.x.231:22    ......      1
2016-02-29 14:56:41.004     0.000 6     40.76.55.204:1090  -> x.x..14:22    ......      1
2016-02-29 14:56:41.324     0.000 6     40.76.55.204:1091  -> x.x..14:22    ......      1
2016-02-29 15:00:05.670     0.000 6     40.76.55.204:1088  -> x.x.125:22    ......      1
2016-02-29 15:00:06.003     0.000 6     40.76.55.204:1089  -> x.x.125:22    ......      1
2016-02-29 15:01:17.358     0.000 6      40.76.70.58:1168  -> x.x..80:22    ......      1
2016-02-29 15:01:17.676     0.000 6      40.76.70.58:1169  -> x.x..80:22    ......      1
2016-02-29 15:02:42.637     0.000 6     40.76.55.204:1176  -> x.x.193:22    ......      1
2016-02-29 15:02:42.878     0.000 6     40.76.55.204:1177  -> x.x.193:22    ......      1
2016-02-29 15:02:48.067     0.000 6    104.45.210.69:1160  -> x.x.173:22    ......      1
2016-02-29 15:02:48.394     0.000 6    104.45.210.69:1161  -> x.x.173:22    ......      1
2016-02-29 15:03:18.854     0.000 6    40.121.53.153:1041  -> x.x..88:22    ......      1
2016-02-29 15:03:19.172     0.000 6    40.121.53.153:1042  -> x.x..88:22    ......      1
2016-02-29 15:06:36.248     0.000 6     40.76.55.204:1056  -> x.x..45:22    ......      1
2016-02-29 15:07:31.882     0.000 6      40.76.80.17:44895 -> x.x..75:22    ......      1
2016-02-29 15:07:32.245     0.000 6      40.76.80.17:44896 -> x.x..75:22    ......      1
2016-02-29 15:09:08.433     0.000 6      40.76.70.58:1168  -> x.x..31:22    ......      1
2016-02-29 15:09:08.744     0.000 6      40.76.70.58:1169  -> x.x..31:22    ......      1
2016-02-29 15:11:45.668     0.000 6      40.76.80.17:47993 -> x.x.157:22    ......      1
2016-02-29 15:11:45.987     0.000 6      40.76.80.17:47994 -> x.x.157:22    ......      1
2016-02-29 15:12:09.543     0.000 6      40.76.70.58:1168  -> x.x..24:22    ......      1
2016-02-29 15:12:09.925     0.000 6      40.76.70.58:1169  -> x.x..24:22    ......      1
2016-02-29 15:17:05.920     0.000 6      40.76.70.58:1168  -> x.x.243:22    ......      1
2016-02-29 15:17:06.241     0.000 6      40.76.70.58:1169  -> x.x.243:22    ......      1
2016-02-29 15:19:21.364     0.000 6    40.83.121.211:62936 -> x.x..81:22    ......      1
2016-02-29 15:19:21.704     0.000 6    40.83.121.211:62937 -> x.x..81:22    ......      1
2016-02-29 15:19:45.891     0.000 6      40.76.70.58:1168  -> x.x..39:22    ......      1
2016-02-29 15:19:46.273     0.000 6      40.76.70.58:1169  -> x.x..39:22    ......      1
2016-02-29 15:21:52.030     0.000 6      40.76.70.58:1168  -> x.x.120:22    ......      1
2016-02-29 15:21:52.349     0.000 6      40.76.70.58:1169  -> x.x.120:22    ......      1
2016-02-29 15:24:07.614     0.000 6     40.76.55.204:1048  -> x.x.237:22    ......      1
2016-02-29 15:24:07.933     0.000 6     40.76.55.204:1128  -> x.x.237:22    ......      1
2016-02-29 15:27:31.289     0.000 6    40.121.53.153:1041  -> x.x.133:22    ......      1
2016-02-29 15:27:31.544     0.000 6    40.121.53.153:1042  -> x.x.133:22    ......      1
2016-02-29 15:27:59.120     0.000 6      40.76.70.58:1168  -> x.x.9.3:22    ......      1
2016-02-29 15:27:59.440     0.000 6      40.76.70.58:1169  -> x.x.9.3:22    ......      1
2016-02-29 15:29:30.933     0.000 6      40.76.70.58:1168  -> x.x.211:22    ......      1
2016-02-29 15:29:31.031     0.000 6      40.76.70.58:1169  -> x.x.211:22    ......      1
2016-02-29 15:29:33.729     0.000 6     40.76.55.204:1142  -> x.x.166:22    ......      1
2016-02-29 15:29:34.032     0.000 6     40.76.55.204:1143  -> x.x.166:22    ......      1
2016-02-29 15:31:41.947     0.000 6      40.76.70.58:1168  -> x.x.137:22    ......      1
2016-02-29 15:31:42.266     0.000 6      40.76.70.58:1169  -> x.x.137:22    ......      1
2016-02-29 15:32:10.044     0.000 6    40.121.53.153:1041  -> x.x..71:22    ......      1
2016-02-29 15:32:10.348     0.000 6    40.121.53.153:1042  -> x.x..71:22    ......      1
2016-02-29 15:32:10.442     0.000 6    104.45.210.69:1161  -> x.x.246:22    ......      1
2016-02-29 15:32:10.475     0.000 6    104.45.210.69:1160  -> x.x.246:22    ......      1
2016-02-29 15:32:29.165     0.000 6   40.121.143.132:1040  -> x.x..62:22    ......      1
2016-02-29 15:32:29.466     0.000 6   40.121.143.132:1041  -> x.x..62:22    ......      1
2016-02-29 15:37:07.616     0.000 6      40.76.80.17:56902 -> x.x..51:22    ......      1
2016-02-29 15:37:07.925     0.000 6      40.76.80.17:56903 -> x.x..51:22    ......      1
2016-02-29 15:40:04.546     0.000 6    40.121.53.153:1041  -> x.x.186:22    ......      1
2016-02-29 15:40:04.866     0.000 6    40.121.53.153:1042  -> x.x.186:22    ......      1
2016-02-29 15:40:28.870     0.000 6      40.76.70.58:1168  -> x.x.171:22    ......      1
2016-02-29 15:40:29.125     0.000 6      40.76.70.58:1169  -> x.x.171:22    ......      1
2016-02-29 15:41:57.034     0.000 6     40.76.55.204:1128  -> x.x.181:22    ......      1
2016-02-29 15:41:57.354     0.000 6     40.76.55.204:1176  -> x.x.181:22    ......      1

2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  -> x.x.163:22    ......      1
2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  -> x.x.176:22    ......      1
2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  -> x.x.206:22    ......      1
2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  -> x.x.158:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> x.x.185:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> x.x.251:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> x.x.255:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> x.x.141:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> x.x.136:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> x.x.235:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> x.x.242:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> x.x.240:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> x.x.100:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> x.x.244:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> x.x.217:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> x.x..72:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x.221:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x.5.4:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x.150:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x.145:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x.119:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x..52:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x..75:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x.127:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x..22:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x..77:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x.246:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x.137:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x..85:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  -> x.x..35:22    ......      1


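As an added example (not code from the original post or from any reply in the thread), the detection logic below turns the listing above into a per-source verdict. It reads nfdump-style text rows with the same column layout, keeps only single-packet TCP flows to port 22 (the post's `packets=1` filter, which is what a SYN probe that never completes a handshake looks like in flow data), and for every source computes the peak number of distinct hosts probed inside a sliding time window. It also checks whether the source falls inside the CIDR list quoted in the post; note that 104.45.210.69 from the listing does not fall in that excerpt, so the check alone is not a substitute for an AS lookup. The CIDRs are the ones on the page; the flow lines in `SAMPLE_FLOWS` are constructed, with documentation addresses (192.0.2.0/24, 198.51.100.7) standing in for the masked `x.x` hosts; the 15-minute window and 5-target threshold are assumed tuning values.

```python
"""Flag SSH probing sources in nfdump-style flow output (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# CIDR block for NetName MSFT (AS 8075) as quoted in the post.
LISTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "40.74.0.0/15", "40.112.0.0/13", "40.124.0.0/16", "40.76.0.0/14",
    "40.80.0.0/12", "40.125.0.0/17", "40.96.0.0/12", "40.120.0.0/14",
)]

# Constructed sample in the post's column layout; destinations are RFC 5737
# documentation addresses standing in for the masked x.x hosts.
SAMPLE_FLOWS = """\
2016-02-29 14:55:20.108     0.000 6    104.45.210.69:1160  -> 192.0.2.231:22    ......      1
2016-02-29 15:02:48.067     0.000 6    104.45.210.69:1160  -> 192.0.2.173:22    ......      1
2016-02-29 15:01:17.358     0.000 6      40.76.70.58:1168  -> 192.0.2.80:22     ......      1
2016-02-29 15:09:08.433     0.000 6      40.76.70.58:1169  -> 192.0.2.31:22     ......      1
2016-02-29 15:12:09.543     0.000 6      40.76.70.58:1168  -> 192.0.2.24:22     ......      1
2016-02-29 15:17:05.920     0.000 6      40.76.70.58:1169  -> 192.0.2.243:22    ......      1
2016-02-29 15:19:45.891     0.000 6      40.76.70.58:1168  -> 192.0.2.39:22     ......      1
2016-02-29 15:21:52.030     0.000 6      40.76.70.58:1169  -> 192.0.2.120:22    ......      1
2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  -> 192.0.2.163:22    ......      1
2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  -> 192.0.2.176:22    ......      1
2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  -> 192.0.2.206:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> 192.0.2.158:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> 192.0.2.185:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  -> 192.0.2.251:22    ......      1
2016-02-29 16:58:00.000     0.000 6     198.51.100.7:40000 -> 192.0.2.10:22     ......      1
2016-02-29 16:58:01.000     0.000 6     198.51.100.7:40001 -> 192.0.2.10:80     ......      1
2016-02-29 16:58:02.000     0.000 6     198.51.100.7:40002 -> 192.0.2.10:22     ...A..      3
"""

# date time  duration proto src:port -> dst:port flags packets
FLOW_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+([\d.]+)\s+(\d+)\s+"
    r"([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_flows(text):
    """Yield one dict per flow row; header, blank and unparseable lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, _dur, proto, src, sport, dst, dport, flags, pkts = m.groups()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
               "proto": int(proto), "src": src, "src_port": int(sport),
               "dst": dst, "dst_port": int(dport), "flags": flags, "packets": int(pkts)}


def in_listed_prefixes(ip):
    """True if ip lies inside the CIDR block quoted in the post (not a full AS lookup)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LISTED_PREFIXES)


def max_distinct_in_window(events, window):
    """events: time-sorted (timestamp, dst) pairs -> peak distinct dsts in any window."""
    live, best, left = Counter(), 0, 0
    for ts, dst in events:
        live[dst] += 1
        while ts - events[left][0] > window:  # slide the left edge forward
            old = events[left][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            left += 1
        best = max(best, len(live))
    return best


def classify(text, dst_port=22, window=timedelta(minutes=15), min_targets=5):
    """Per-source report over single-packet TCP flows to dst_port (the post's filter)."""
    by_src, src_ports = defaultdict(list), defaultdict(set)
    for f in parse_flows(text):
        if f["proto"] != 6 or f["dst_port"] != dst_port or f["packets"] != 1:
            continue
        by_src[f["src"]].append((f["ts"], f["dst"]))
        src_ports[f["src"]].add(f["src_port"])
    report = {}
    for src, events in by_src.items():
        events.sort()
        peak = max_distinct_in_window(events, window)
        report[src] = {"probes": len(events), "peak_targets": peak,
                       "distinct_src_ports": len(src_ports[src]),
                       "in_listed_prefixes": in_listed_prefixes(src),
                       "scanner": peak >= min_targets}
    return report


if __name__ == "__main__":
    for src, info in sorted(classify(SAMPLE_FLOWS).items()):
        print(f"{src:>16}  {info}")
```

Run it as-is to see the sample verdicts, or pipe real `nfdump -o line` output into `classify`. Two signals are worth reading side by side: `peak_targets` catches both the 4 ms burst (one source, many hosts, same source port on every probe, which is typical of a crafted-packet scanner rather than a normal TCP stack) and the slow walker that touches one host every few minutes, while `distinct_src_ports` separates those two styles. The window and threshold are tuning values: with sampled flow export a slow scanner may only show a handful of probes per window, so lower thresholds trade false positives for coverage.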