Port 2323/tcp

Otto Monnig omonnig at gmail.com
Wed Nov 16 18:12:50 UTC 2016


We’ve been monitoring/logging/blocking ports 23 and 2323 at our site for the past several weeks, after remediating a 60-75 Mbps attack on a 100 Mbps fiber feed.

On port 23, we have accumulated 377,319 different IP addresses hitting our systems.  For port 2323, 42,913 different IP addresses.

The addresses are widely distributed, making aggregation nearly impossible.

Below is a list of offending subnets, ranked by number of offenders (powers of 2), sorry for the length.


Total
375232

--
Otto Monnig
omonnig at gmail.com



> On Nov 16, 2016, at 10:52 AM, Stephen Satchell <list at satchell.net> wrote:
> 
> I've been seeing a lot of rejections in my logs for 2323/tcp.  According
> to the Storm Center, this is what the Mirai botnet scanner uses to look
> for other target devices.
> 
> Is it worthwhile to report sightings to the appropriate abuse addresses?
> (That assumes there *is* an abuse address associated with the IPv4
> address that is the source.)  Would administrations receiving these
> notices do anything with them?
> 
> Alternatively, is there anyone collecting this information from people
> like me to expose the IP addresses of possible infections?
> 
> I am toying with the idea of setting up a honey-pot, but I'm so far
> behind with $DAYJOB that such a project will have to wait a bit.
> 
> I want to be a good net citizen.  I also want to make sure I'm not
> wasting my time.
> 
> Today's crop:
> 
> 
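
The per-port distinct-source counts and the per-/8 ranking described in the message above can be reproduced from firewall logs. This is an added example, not code from either poster: the iptables-style log format, the sample lines (documentation address ranges) and the reading of "powers of 2" as rounding each count up to the next power of two are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in an assumed iptables-style LOG format.
SAMPLE_LOG = """\
Nov 16 10:00:01 fw kernel: DROP SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=41000 DPT=23
Nov 16 10:00:02 fw kernel: DROP SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=41001 DPT=23
Nov 16 10:00:03 fw kernel: DROP SRC=192.0.2.11 DST=198.51.100.1 PROTO=TCP SPT=41002 DPT=23
Nov 16 10:00:04 fw kernel: DROP SRC=192.0.2.12 DST=198.51.100.1 PROTO=TCP SPT=41003 DPT=23
Nov 16 10:00:05 fw kernel: DROP SRC=198.51.100.7 DST=198.51.100.1 PROTO=TCP SPT=41004 DPT=23
Nov 16 10:00:06 fw kernel: DROP SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=41005 DPT=2323
Nov 16 10:00:07 fw kernel: DROP SRC=203.0.113.6 DST=198.51.100.1 PROTO=TCP SPT=41006 DPT=2323
Nov 16 10:00:08 fw kernel: DROP SRC=198.51.100.7 DST=198.51.100.1 PROTO=TCP SPT=41007 DPT=2323
Nov 16 10:00:09 fw kernel: DROP SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=41008 DPT=443
Nov 16 10:00:10 fw kernel: DROP SRC=not-an-ip DST=198.51.100.1 PROTO=TCP SPT=41009 DPT=23
"""

LINE_RE = re.compile(r"SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+)\b")
WATCHED_PORTS = {23, 2323}

def distinct_sources(log_text):
    """Map each watched destination port to the set of distinct IPv4 sources."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group(2)) not in WATCHED_PORTS:
            continue
        try:
            seen[int(m.group(2))].add(ipaddress.IPv4Address(m.group(1)))
        except ipaddress.AddressValueError:
            continue  # skip malformed or non-IPv4 source fields
    return dict(seen)

def pow2_ceiling(n):
    """Smallest power of two >= n, for n >= 1 (assumed bucketing rule)."""
    return 1 << (n - 1).bit_length()

def rank_by_slash8(ips):
    """Return [(covering /8, distinct count, power-of-two bucket)], largest first."""
    counts = defaultdict(int)
    for ip in ips:
        counts[ipaddress.ip_network(f"{ip}/8", strict=False)] += 1
    rows = [(str(net), c, pow2_ceiling(c)) for net, c in counts.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for port, ips in sorted(distinct_sources(SAMPLE_LOG).items()):
        print(port, len(ips), rank_by_slash8(ips))
```

Counting distinct addresses per covering /8 makes the point in the message concrete: when the sources are spread across most of the address space, the ranking yields no prefix short enough to filter on.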



