how to deal with port scan and brute force attack from AS 8075 ?
Bacon Zombie
baconzombie at gmail.com
Thu Mar 31 09:36:51 UTC 2016
I would ignore the portscans since there is nothing wrong with portscanning
the Internet.
Install fail2ban {don't forgot to whitelist your management static IPs}.
You may want to increase the default bantime and findtime {how far back to
search logs}.
On 31 Mar 2016 11:06, "Todd Crane" <todd.crane at n5tech.com> wrote:
> I must have missed that… my bad.
>
>
> > On Mar 31, 2016, at 2:01 AM, Dan Hollis <goemon at sasami.anime.net> wrote:
> >
> > It's right there in his email:
> >
> > "We have sent email to abuse at microsoft.com, but no answer."
> >
> > -Dan
> >
> > On Thu, 31 Mar 2016, Todd Crane wrote:
> >
> >> Oh and,
> >>
> >> I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool,
> not to mention unprofessional, to publicly call them out on such a public
> forum without giving them an opportunity to correct it first.
> >>
> >>> On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane at n5tech.com> wrote:
> >>>
> >>> Marcel
> >>>
> >>> Depending on what is on those machines, I would just recommend using
> fail2ban. The default is that if an ip address fails ssh auth 3 times in 5
> minutes, their ip gets blocked via iptables for 5 minutes. This is enough
> to thwart most scripted attacks, especially those from a certain government
> in Asia. This is configurable to various applications, timing schemes, and
> blocking/jailing mechanisms.
> >>>
> >>> -Todd
> >>>> On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <
> nanog at nanog.org> wrote:
> >>>>
> >>>> Dear Nanog'er,
> >>>>
> >>>> We are facing a lot of port scan and brute force attack on port 22
> (but
> >>>> not limited to) from Microsoft AS 8075 range toward our own infra, or
> >>>> toward our customers.
> >>>> We have sent email to abuse at microsoft.com, but no answer.
> >>>>
> >>>> source ip are:
> >>>> NetRange: 40.74.0.0 - 40.125.127.255
> >>>> CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
> >>>> 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12,
> 40.120.0.0/14
> >>>> NetName: MSFT
> >>>>
> >>>>
> >>>>
> >>>> We consider port scan and brute force on ssh port as an attack, and
> even
> >>>> as a pre-DDOS phase (could be use to install botnet, detect unpatched
> >>>> host, and so one).
> >>>>
> >>>> It's one thing to propose services and make money over an infra, it's
> an
> >>>> other thing to take care that you clients do not use this infra to
> make
> >>>> illegal stuffs.
> >>>>
> >>>>
> >>>> How do you deal with such massive amount of 'illegal' traffic ?
> >>>>
> >>>> Thank,
> >>>> Best Regards
> >>>> Marcel
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> He are some examples (we have more than 3000 such packets per day just
> >>>> from them, probably Azure), and source ip is always differents of
> course:
> >>>>
> >>>>
> >>>> Flow Filtering Expression
> >>>> src AS 8075 and dst port 22 and packets=1
> >>>> Limit Flows
> >>>> 40000
> >>>> Sorting
> >>>> By Date
> >>>>
> >>>> Date_first_seen Duration Proto _IP_Addr:Port
> >>>> Dst_IP_Addr:Port Flags Packets
> >>>> 2016-02-29 14:55:20.108 0.000 6 104.45.210.69:1160 ->
> >>>> x.x.231:22 ...... 1
> >>>> 2016-02-29 14:55:20.611 0.000 6 104.45.210.69:1161 ->
> >>>> x.x.231:22 ...... 1
> >>>> 2016-02-29 14:56:41.004 0.000 6 40.76.55.204:1090 ->
> >>>> x.x..14:22 ...... 1
> >>>> 2016-02-29 14:56:41.324 0.000 6 40.76.55.204:1091 ->
> >>>> x.x..14:22 ...... 1
> >>>> 2016-02-29 15:00:05.670 0.000 6 40.76.55.204:1088 ->
> >>>> x.x.125:22 ...... 1
> >>>> 2016-02-29 15:00:06.003 0.000 6 40.76.55.204:1089 ->
> >>>> x.x.125:22 ...... 1
> >>>> 2016-02-29 15:01:17.358 0.000 6 40.76.70.58:1168 ->
> >>>> x.x..80:22 ...... 1
> >>>> 2016-02-29 15:01:17.676 0.000 6 40.76.70.58:1169 ->
> >>>> x.x..80:22 ...... 1
> >>>> 2016-02-29 15:02:42.637 0.000 6 40.76.55.204:1176 ->
> >>>> x.x.193:22 ...... 1
> >>>> 2016-02-29 15:02:42.878 0.000 6 40.76.55.204:1177 ->
> >>>> x.x.193:22 ...... 1
> >>>> 2016-02-29 15:02:48.067 0.000 6 104.45.210.69:1160 ->
> >>>> x.x.173:22 ...... 1
> >>>> 2016-02-29 15:02:48.394 0.000 6 104.45.210.69:1161 ->
> >>>> x.x.173:22 ...... 1
> >>>> 2016-02-29 15:03:18.854 0.000 6 40.121.53.153:1041 ->
> >>>> x.x..88:22 ...... 1
> >>>> 2016-02-29 15:03:19.172 0.000 6 40.121.53.153:1042 ->
> >>>> x.x..88:22 ...... 1
> >>>> 2016-02-29 15:06:36.248 0.000 6 40.76.55.204:1056 ->
> >>>> x.x..45:22 ...... 1
> >>>> 2016-02-29 15:07:31.882 0.000 6 40.76.80.17:44895 ->
> >>>> x.x..75:22 ...... 1
> >>>> 2016-02-29 15:07:32.245 0.000 6 40.76.80.17:44896 ->
> >>>> x.x..75:22 ...... 1
> >>>> 2016-02-29 15:09:08.433 0.000 6 40.76.70.58:1168 ->
> >>>> x.x..31:22 ...... 1
> >>>> 2016-02-29 15:09:08.744 0.000 6 40.76.70.58:1169 ->
> >>>> x.x..31:22 ...... 1
> >>>> 2016-02-29 15:11:45.668 0.000 6 40.76.80.17:47993 ->
> >>>> x.x.157:22 ...... 1
> >>>> 2016-02-29 15:11:45.987 0.000 6 40.76.80.17:47994 ->
> >>>> x.x.157:22 ...... 1
> >>>> 2016-02-29 15:12:09.543 0.000 6 40.76.70.58:1168 ->
> >>>> x.x..24:22 ...... 1
> >>>> 2016-02-29 15:12:09.925 0.000 6 40.76.70.58:1169 ->
> >>>> x.x..24:22 ...... 1
> >>>> 2016-02-29 15:17:05.920 0.000 6 40.76.70.58:1168 ->
> >>>> x.x.243:22 ...... 1
> >>>> 2016-02-29 15:17:06.241 0.000 6 40.76.70.58:1169 ->
> >>>> x.x.243:22 ...... 1
> >>>> 2016-02-29 15:19:21.364 0.000 6 40.83.121.211:62936 ->
> >>>> x.x..81:22 ...... 1
> >>>> 2016-02-29 15:19:21.704 0.000 6 40.83.121.211:62937 ->
> >>>> x.x..81:22 ...... 1
> >>>> 2016-02-29 15:19:45.891 0.000 6 40.76.70.58:1168 ->
> >>>> x.x..39:22 ...... 1
> >>>> 2016-02-29 15:19:46.273 0.000 6 40.76.70.58:1169 ->
> >>>> x.x..39:22 ...... 1
> >>>> 2016-02-29 15:21:52.030 0.000 6 40.76.70.58:1168 ->
> >>>> x.x.120:22 ...... 1
> >>>> 2016-02-29 15:21:52.349 0.000 6 40.76.70.58:1169 ->
> >>>> x.x.120:22 ...... 1
> >>>> 2016-02-29 15:24:07.614 0.000 6 40.76.55.204:1048 ->
> >>>> x.x.237:22 ...... 1
> >>>> 2016-02-29 15:24:07.933 0.000 6 40.76.55.204:1128 ->
> >>>> x.x.237:22 ...... 1
> >>>> 2016-02-29 15:27:31.289 0.000 6 40.121.53.153:1041 ->
> >>>> x.x.133:22 ...... 1
> >>>> 2016-02-29 15:27:31.544 0.000 6 40.121.53.153:1042 ->
> >>>> x.x.133:22 ...... 1
> >>>> 2016-02-29 15:27:59.120 0.000 6 40.76.70.58:1168 ->
> >>>> x.x.9.3:22 ...... 1
> >>>> 2016-02-29 15:27:59.440 0.000 6 40.76.70.58:1169 ->
> >>>> x.x.9.3:22 ...... 1
> >>>> 2016-02-29 15:29:30.933 0.000 6 40.76.70.58:1168 ->
> >>>> x.x.211:22 ...... 1
> >>>> 2016-02-29 15:29:31.031 0.000 6 40.76.70.58:1169 ->
> >>>> x.x.211:22 ...... 1
> >>>> 2016-02-29 15:29:33.729 0.000 6 40.76.55.204:1142 ->
> >>>> x.x.166:22 ...... 1
> >>>> 2016-02-29 15:29:34.032 0.000 6 40.76.55.204:1143 ->
> >>>> x.x.166:22 ...... 1
> >>>> 2016-02-29 15:31:41.947 0.000 6 40.76.70.58:1168 ->
> >>>> x.x.137:22 ...... 1
> >>>> 2016-02-29 15:31:42.266 0.000 6 40.76.70.58:1169 ->
> >>>> x.x.137:22 ...... 1
> >>>> 2016-02-29 15:32:10.044 0.000 6 40.121.53.153:1041 ->
> >>>> x.x..71:22 ...... 1
> >>>> 2016-02-29 15:32:10.348 0.000 6 40.121.53.153:1042 ->
> >>>> x.x..71:22 ...... 1
> >>>> 2016-02-29 15:32:10.442 0.000 6 104.45.210.69:1161 ->
> >>>> x.x.246:22 ...... 1
> >>>> 2016-02-29 15:32:10.475 0.000 6 104.45.210.69:1160 ->
> >>>> x.x.246:22 ...... 1
> >>>> 2016-02-29 15:32:29.165 0.000 6 40.121.143.132:1040 ->
> >>>> x.x..62:22 ...... 1
> >>>> 2016-02-29 15:32:29.466 0.000 6 40.121.143.132:1041 ->
> >>>> x.x..62:22 ...... 1
> >>>> 2016-02-29 15:37:07.616 0.000 6 40.76.80.17:56902 ->
> >>>> x.x..51:22 ...... 1
> >>>> 2016-02-29 15:37:07.925 0.000 6 40.76.80.17:56903 ->
> >>>> x.x..51:22 ...... 1
> >>>> 2016-02-29 15:40:04.546 0.000 6 40.121.53.153:1041 ->
> >>>> x.x.186:22 ...... 1
> >>>> 2016-02-29 15:40:04.866 0.000 6 40.121.53.153:1042 ->
> >>>> x.x.186:22 ...... 1
> >>>> 2016-02-29 15:40:28.870 0.000 6 40.76.70.58:1168 ->
> >>>> x.x.171:22 ...... 1
> >>>> 2016-02-29 15:40:29.125 0.000 6 40.76.70.58:1169 ->
> >>>> x.x.171:22 ...... 1
> >>>> 2016-02-29 15:41:57.034 0.000 6 40.76.55.204:1128 ->
> >>>> x.x.181:22 ...... 1
> >>>> 2016-02-29 15:41:57.354 0.000 6 40.76.55.204:1176 ->
> >>>> x.x.181:22 ...... 1
> >>>>
> >>>>
> >>>> 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.163:22 ...... 1
> >>>> 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.176:22 ...... 1
> >>>> 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.206:22 ...... 1
> >>>> 2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.158:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.185:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.251:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.255:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.141:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.136:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.235:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.242:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.240:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.100:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.244:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.217:22 ...... 1
> >>>> 2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
> >>>> x.x..72:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.221:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.5.4:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.150:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.145:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.119:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x..52:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x..75:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.127:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x..22:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x..77:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.246:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x.137:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x..85:22 ...... 1
> >>>> 2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
> >>>> x.x..35:22 ...... 1
> >>>>
> >>>>
> >>>>
> >>>>
> >>>
> >>
>
>
More information about the NANOG
mailing list