Port 2323/tcp

Chris Knipe savage at savage.za.org
Wed Nov 16 18:19:42 UTC 2016


We have actively started to block 23/tcp to our customers' CPEs...

Huge amounts of connection attempts / scans over our prefixes.  All IPv4,
zero on IPv6 (not yet at least).

On Wed, Nov 16, 2016 at 8:12 PM, Otto Monnig <omonnig at gmail.com> wrote:

> We’ve been monitoring/logging/blocking ports 23 and 2323 at our site for
> the past several weeks, after remediating a 60-75 Mbps attack on a 100 Mbps
> fiber feed.
>
> On port 23, we have accumulated 377,319 different IP addresses hitting our
> systems.  For port 2323, 42,913 different IP addresses.
>
> The addresses are widely distributed, making aggregation nearly impossible.
>
> Below is a list of offending subnets, ranked by number of offenders
> (powers of 2), sorry for the length.
>
> 14.0.0.0/8      16384
> 78.0.0.0/8      8192
> 113.0.0.0/8     8192
> 117.0.0.0/8     8192
> 122.0.0.0/8     8192
> 177.0.0.0/8     8192
> 179.0.0.0/8     8192
> 186.0.0.0/8     8192
> 187.0.0.0/8     8192
> 189.0.0.0/8     8192
> 190.0.0.0/8     8192
> 201.0.0.0/8     8192
> 1.0.0.0/8       4096
> 5.0.0.0/8       4096
> 27.0.0.0/8      4096
> 36.0.0.0/8      4096
> 37.0.0.0/8      4096
> 41.0.0.0/8      4096
> 42.0.0.0/8      4096
> 46.0.0.0/8      4096
> 49.0.0.0/8      4096
> 59.0.0.0/8      4096
> 79.0.0.0/8      4096
> 82.0.0.0/8      4096
> 88.0.0.0/8      4096
> 89.0.0.0/8      4096
> 95.0.0.0/8      4096
> 109.0.0.0/8     4096
> 110.0.0.0/8     4096
> 112.0.0.0/8     4096
> 114.0.0.0/8     4096
> 116.0.0.0/8     4096
> 118.0.0.0/8     4096
> 119.0.0.0/8     4096
> 121.0.0.0/8     4096
> 123.0.0.0/8     4096
> 124.0.0.0/8     4096
> 171.0.0.0/8     4096
> 175.0.0.0/8     4096
> 176.0.0.0/8     4096
> 178.0.0.0/8     4096
> 180.0.0.0/8     4096
> 181.0.0.0/8     4096
> 182.0.0.0/8     4096
> 183.0.0.0/8     4096
> 191.0.0.0/8     4096
> 200.0.0.0/8     4096
> 220.0.0.0/8     4096
> 31.0.0.0/8      2048
> 58.0.0.0/8      2048
> 60.0.0.0/8      2048
> 61.0.0.0/8      2048
> 77.0.0.0/8      2048
> 80.0.0.0/8      2048
> 81.0.0.0/8      2048
> 83.0.0.0/8      2048
> 85.0.0.0/8      2048
> 86.0.0.0/8      2048
> 87.0.0.0/8      2048
> 91.0.0.0/8      2048
> 92.0.0.0/8      2048
> 93.0.0.0/8      2048
> 94.0.0.0/8      2048
> 103.0.0.0/8     2048
> 111.0.0.0/8     2048
> 115.0.0.0/8     2048
> 120.0.0.0/8     2048
> 125.0.0.0/8     2048
> 151.0.0.0/8     2048
> 188.0.0.0/8     2048
> 213.0.0.0/8     2048
> 218.0.0.0/8     2048
> 222.0.0.0/8     2048
> 223.0.0.0/8     2048
> 3.0.0.0/8       1024
> 6.0.0.0/8       1024
> 7.0.0.0/8       1024
> 9.0.0.0/8       1024
> 11.0.0.0/8      1024
> 15.0.0.0/8      1024
> 16.0.0.0/8      1024
> 17.0.0.0/8      1024
> 19.0.0.0/8      1024
> 20.0.0.0/8      1024
> 21.0.0.0/8      1024
> 22.0.0.0/8      1024
> 24.0.0.0/8      1024
> 25.0.0.0/8      1024
> 26.0.0.0/8      1024
> 28.0.0.0/8      1024
> 29.0.0.0/8      1024
> 30.0.0.0/8      1024
> 33.0.0.0/8      1024
> 34.0.0.0/8      1024
> 39.0.0.0/8      1024
> 44.0.0.0/8      1024
> 48.0.0.0/8      1024
> 53.0.0.0/8      1024
> 55.0.0.0/8      1024
> 56.0.0.0/8      1024
> 57.0.0.0/8      1024
> 62.0.0.0/8      1024
> 84.0.0.0/8      1024
> 101.0.0.0/8     1024
> 102.0.0.0/8     1024
> 106.0.0.0/8     1024
> 185.0.0.0/8     1024
> 193.0.0.0/8     1024
> 194.0.0.0/8     1024
> 195.0.0.0/8     1024
> 197.0.0.0/8     1024
> 202.0.0.0/8     1024
> 203.0.0.0/8     1024
> 210.0.0.0/8     1024
> 211.0.0.0/8     1024
> 212.0.0.0/8     1024
> 214.0.0.0/8     1024
> 215.0.0.0/8     1024
> 217.0.0.0/8     1024
> 219.0.0.0/8     1024
> 221.0.0.0/8     1024
> 2.0.0.0/8       512
> 43.0.0.0/8      512
> 45.0.0.0/8      512
> 47.0.0.0/8      512
> 50.0.0.0/8      512
> 70.0.0.0/8      512
> 71.0.0.0/8      512
> 72.0.0.0/8      512
> 73.0.0.0/8      512
> 90.0.0.0/8      512
> 96.0.0.0/8      512
> 105.0.0.0/8     512
> 108.0.0.0/8     512
> 134.0.0.0/8     512
> 138.0.0.0/8     512
> 139.0.0.0/8     512
> 152.0.0.0/8     512
> 167.0.0.0/8     512
> 173.0.0.0/8     512
> 64.0.0.0/8      256
> 66.0.0.0/8      256
> 67.0.0.0/8      256
> 68.0.0.0/8      256
> 69.0.0.0/8      256
> 74.0.0.0/8      256
> 75.0.0.0/8      256
> 76.0.0.0/8      256
> 98.0.0.0/8      256
> 104.0.0.0/8     256
> 150.0.0.0/8     256
> 159.0.0.0/8     256
> 168.0.0.0/8     256
> 174.0.0.0/8     256
> 192.0.0.0/8     256
> 196.0.0.0/8     256
> 216.0.0.0/8     256
> 23.0.0.0/8      128
> 65.0.0.0/8      128
> 97.0.0.0/8      128
> 100.0.0.0/8     128
> 107.0.0.0/8     128
> 128.0.0.0/8     128
> 130.0.0.0/8     128
> 131.0.0.0/8     128
> 140.0.0.0/8     128
> 141.0.0.0/8     128
> 149.0.0.0/8     128
> 153.0.0.0/8     128
> 154.0.0.0/8     128
> 160.0.0.0/8     128
> 161.0.0.0/8     128
> 162.0.0.0/8     128
> 163.0.0.0/8     128
> 170.0.0.0/8     128
> 172.0.0.0/8     128
> 184.0.0.0/8     128
> 198.0.0.0/8     128
> 207.0.0.0/8     128
> 208.0.0.0/8     128
> 209.0.0.0/8     128
> 4.0.0.0/8       64
> 8.0.0.0/8       64
> 12.0.0.0/8      64
> 13.0.0.0/8      64
> 18.0.0.0/8      64
> 32.0.0.0/8      64
> 35.0.0.0/8      64
> 38.0.0.0/8      64
> 40.0.0.0/8      64
> 51.0.0.0/8      64
> 52.0.0.0/8      64
> 54.0.0.0/8      64
> 63.0.0.0/8      64
> 99.0.0.0/8      64
> 10122.0.0.0/8   64
> 11122.0.0.0/8   64
> 114122.0.0.0/8  64
> 126.0.0.0/8     64
> 129.0.0.0/8     64
> 132.0.0.0/8     64
> 133.0.0.0/8     64
> 135.0.0.0/8     64
> 136.0.0.0/8     64
> 137.0.0.0/8     64
> 142.0.0.0/8     64
> 143.0.0.0/8     64
> 144.0.0.0/8     64
> 145.0.0.0/8     64
> 146.0.0.0/8     64
> 147.0.0.0/8     64
> 148.0.0.0/8     64
> 155.0.0.0/8     64
> 156.0.0.0/8     64
> 157.0.0.0/8     64
> 158.0.0.0/8     64
> 164.0.0.0/8     64
> 165.0.0.0/8     64
> 166.0.0.0/8     64
> 169.0.0.0/8     64
> 199.0.0.0/8     64
> 204.0.0.0/8     64
> 205.0.0.0/8     64
> 206.0.0.0/8     64
>
> Total
> 375232
>
> --
> Otto Monnig
> omonnig at gmail.com
>
>
>
> > On Nov 16, 2016, at 10:52 AM, Stephen Satchell <list at satchell.net> wrote:
> >
> > I've been seeing a lot of rejections in my logs for 2323/tcp.  According
> > to the Storm Center, this is what the Mirai botnet scanner uses to look
> > for other target devices.
> >
> > Is it worthwhile to report sightings to the appropriate abuse addresses?
> > (That assumes there *is* an abuse address associated with the IPv4
> > address that is the source.)  Would administrations receiving these
> > notices do anything with them?
> >
> > Alternatively, is there anyone collecting this information from people
> > like me to expose the IP addresses of possible infections?
> >
> > I am toying with the idea of setting up a honey-pot, but I'm so far
> > behind with $DAYJOB that such a project will have to wait a bit.
> >
> > I want to be a good net citizen.  I also want to make sure I'm not
> > wasting my time.
> >
> > Today's crop:
> >
> >> 1.34.169.183
> >> 12.221.236.2
> >> 14.138.22.12
> >> 14.169.142.30
> >> 14.174.71.158
> >> 14.177.197.101
> >> 31.168.146.33
> >> 31.168.212.174
> >> 36.71.224.179
> >> 36.72.253.206
> >> 37.106.18.86
> >> 42.115.187.189
> >> 42.117.254.248
> >> 42.119.228.222
> >> 43.225.195.180
> >> 46.59.6.249
> >> 49.114.192.91
> >> 58.11.238.146
> >> 58.186.231.59
> >> 59.8.136.21
> >> 59.49.191.4
> >> 59.57.68.56
> >> 59.126.35.47
> >> 59.126.242.70
> >> 59.127.104.67
> >> 59.127.242.8
> >> 60.251.125.125
> >> 61.219.165.38
> >> 73.84.152.194
> >> 78.179.113.148
> >> 78.186.61.30
> >> 78.189.169.142
> >> 78.226.222.234
> >> 79.119.74.255
> >> 81.16.8.193
> >> 81.101.233.14
> >> 81.214.121.43
> >> 81.214.134.133
> >> 81.214.137.197
> >> 82.77.68.189
> >> 83.233.40.141
> >> 85.96.202.199
> >> 85.99.121.41
> >> 85.238.103.111
> >> 86.121.225.48
> >> 87.251.252.22
> >> 88.249.224.167
> >> 89.122.87.239
> >> 89.151.128.198
> >> 90.177.91.201
> >> 92.53.52.235
> >> 92.55.231.90
> >> 94.31.239.178
> >> 94.254.41.152
> >> 94.255.162.90
> >> 95.78.245.54
> >> 95.106.34.92
> >> 95.161.236.182
> >> 96.57.103.19
> >> 101.0.43.13
> >> 108.203.68.245
> >> 110.55.108.215
> >> 110.136.233.10
> >> 112.133.69.176
> >> 112.165.93.130
> >> 112.186.42.216
> >> 113.5.224.110
> >> 113.161.64.11
> >> 113.169.18.153
> >> 113.171.98.158
> >> 113.172.4.204
> >> 113.183.204.112
> >> 113.188.44.246
> >> 114.32.28.219
> >> 114.32.87.32
> >> 114.32.189.5
> >> 114.34.29.167
> >> 114.34.170.10
> >> 114.35.153.123
> >> 114.226.53.133
> >> 115.76.127.118
> >> 116.73.65.248
> >> 116.100.170.92
> >> 117.0.7.77
> >> 117.1.26.234
> >> 117.195.254.3
> >> 118.32.44.99
> >> 118.42.15.21
> >> 118.43.112.120
> >> 118.100.64.159
> >> 118.163.191.208
> >> 119.199.160.207
> >> 119.202.78.47
> >> 120.71.215.81
> >> 121.129.203.22
> >> 121.178.104.129
> >> 121.180.53.143
> >> 122.117.245.28
> >> 123.9.72.86
> >> 123.16.78.77
> >> 123.23.49.149
> >> 123.24.108.10
> >> 123.24.250.187
> >> 123.25.74.209
> >> 123.27.159.13
> >> 123.240.245.72
> >> 124.66.99.251
> >> 124.131.28.38
> >> 125.166.193.206
> >> 125.227.138.132
> >> 138.204.203.66
> >> 171.97.245.221
> >> 171.224.7.147
> >> 171.226.20.220
> >> 171.232.118.93
> >> 171.248.210.120
> >> 171.249.223.213
> >> 171.250.26.209
> >> 173.56.21.67
> >> 175.138.81.130
> >> 175.203.202.232
> >> 175.207.137.139
> >> 175.211.251.156
> >> 177.207.49.108
> >> 177.207.67.170
> >> 177.223.52.193
> >> 178.222.246.96
> >> 179.4.140.63
> >> 179.235.55.39
> >> 179.253.163.107
> >> 180.73.117.62
> >> 180.254.224.10
> >> 182.37.156.98
> >> 182.180.80.75
> >> 182.180.123.43
> >> 183.46.49.216
> >> 183.144.245.235
> >> 186.19.48.158
> >> 186.69.170.130
> >> 186.219.1.156
> >> 187.104.248.17
> >> 187.211.63.51
> >> 188.209.153.15
> >> 189.101.220.244
> >> 189.234.9.147
> >> 191.103.35.250
> >> 191.180.198.31
> >> 191.249.21.41
> >> 196.207.83.23
> >> 197.224.37.108
> >> 201.243.225.103
> >> 210.178.250.121
> >> 211.7.146.51
> >> 211.216.202.191
> >> 213.5.216.213
> >> 213.14.195.100
> >> 213.170.76.149
> >> 217.129.243.48
> >> 218.161.121.178
> >> 218.186.43.224
> >> 220.85.169.133
> >> 220.132.111.124
> >> 220.133.24.142
> >> 220.133.198.71
> >> 220.133.234.229
> >> 220.134.132.200
> >> 220.134.193.133
> >> 220.135.64.43
> >> 221.145.147.78
> >> 221.159.105.17
> >> 221.167.64.53
> >> 222.254.238.188
> >> 223.154.223.159


-- 

Regards,
Chris Knipe
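As an added illustration of the tallying Otto describes above (distinct sources per port, then offenders grouped by /8 and ranked in powers of two), and of the "is there an abuse address at all" question Stephen raises: the script below is example code written for this page, not something any poster in the thread shared. It parses stock netfilter LOG lines (the SRC=/PROTO=/DPT= field layout is assumed), counts distinct TCP sources hitting 23 and 2323, buckets each /8 to the largest power of two not exceeding its count, and drops private or otherwise non-global sources before producing a list worth looking up in whois. The log lines are constructed for the example; they reuse a handful of source addresses from Stephen's list plus one RFC 1918 address to show the filter working.

```python
"""Tally telnet/2323 scanner sources from netfilter LOG lines (example code)."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Destination ports discussed in the thread: telnet and the Mirai scanner's 2323.
WATCHED_PORTS = frozenset({23, 2323})

# Constructed sample log (not real captured data). Source addresses are taken
# from the list posted above; 10.1.2.3 is an RFC 1918 address added to show
# that non-routable sources are dropped from the reportable list.
SAMPLE_LOG = """\
Nov 16 10:41:02 gw kernel: IN=eth0 OUT= SRC=14.138.22.12 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=51437 DPT=23 WINDOW=14600 SYN
Nov 16 10:41:02 gw kernel: IN=eth0 OUT= SRC=14.138.22.12 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=51438 DPT=23 WINDOW=14600 SYN
Nov 16 10:41:05 gw kernel: IN=eth0 OUT= SRC=14.169.142.30 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40022 DPT=2323 WINDOW=5840 SYN
Nov 16 10:41:09 gw kernel: IN=eth0 OUT= SRC=59.126.35.47 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=22222 DPT=23 WINDOW=5840 SYN
Nov 16 10:41:11 gw kernel: IN=eth0 OUT= SRC=59.126.35.47 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=22223 DPT=2323 WINDOW=5840 SYN
Nov 16 10:41:15 gw kernel: IN=eth0 OUT= SRC=59.127.104.67 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=1024 DPT=23 WINDOW=5840 SYN
Nov 16 10:41:20 gw kernel: IN=eth0 OUT= SRC=113.161.64.11 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=6000 DPT=23 WINDOW=5840 SYN
Nov 16 10:41:22 gw kernel: IN=eth0 OUT= SRC=10.1.2.3 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=6001 DPT=2323 WINDOW=5840 SYN
Nov 16 10:41:30 gw kernel: IN=eth0 OUT= SRC=14.169.142.30 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=53 DPT=23 LEN=40
Nov 16 10:41:33 gw kernel: IN=eth0 OUT= SRC=113.161.64.11 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=3333 DPT=80 WINDOW=5840 SYN
"""

# Assumes the kernel LOG target's field order: SRC= ... PROTO= ... DPT=
_LOG_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dport) for a TCP line aimed at a watched port, else None."""
    m = _LOG_RE.search(line)
    if not m or m.group("proto") != "TCP":
        return None
    dport = int(m.group("dpt"))
    if dport not in WATCHED_PORTS:
        return None
    return m.group("src"), dport


def distinct_sources(log_text):
    """Map each watched port to the set of distinct source addresses seen on it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            src, dport = parsed
            seen[dport].add(src)
    return dict(seen)


def pow2_bucket(n):
    """Largest power of two not exceeding n (0 for n <= 0): the granularity of the list above."""
    return 0 if n <= 0 else 1 << (n.bit_length() - 1)


def rank_by_slash8(sources):
    """Count distinct sources per /8; return [(prefix, bucket), ...] largest bucket first, then by octet."""
    per8 = defaultdict(int)
    for src in sources:
        per8[int(src.split(".")[0])] += 1
    ranked = sorted(per8.items(), key=lambda kv: (-pow2_bucket(kv[1]), kv[0]))
    return [(f"{octet}.0.0.0/8", pow2_bucket(count)) for octet, count in ranked]


def reportable_sources(sources):
    """Keep only globally routable addresses: private, loopback, link-local and
    documentation ranges have no registry holder to send an abuse notice to."""
    return sorted((s for s in sources if ip_address(s).is_global), key=ip_address)


def summarize(log_text):
    """Distinct-source counts per port, /8 ranking and the reportable source list."""
    seen = distinct_sources(log_text)
    all_sources = set().union(*seen.values()) if seen else set()
    return {
        "distinct_per_port": {port: len(srcs) for port, srcs in sorted(seen.items())},
        "ranked_slash8": rank_by_slash8(all_sources),
        "reportable": reportable_sources(all_sources),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for port, count in result["distinct_per_port"].items():
        print(f"port {port}: {count} distinct sources")
    for prefix, bucket in result["ranked_slash8"]:
        print(f"{prefix:<16}{bucket}")
    print("reportable:", ", ".join(result["reportable"]))
```

Run it as-is against the embedded sample, or feed `summarize()` the output of `grep 'DPT=2323\|DPT=23 ' /var/log/kern.log`. Note that `is_global` only removes addresses that cannot have a registry contact; it does not guarantee that the holder of a routable prefix publishes a working abuse mailbox, which is the open question in Stephen's post.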
