how to deal with port scan and brute force attack from AS 8075 ?

Thu Mar 31 09:50:47 UTC 2016

I can not blame them to not answer to all of the thousands emails
destined to their abuse mailbox. And the goal of my email was not to
call them on public forum, but rather to know how others ops deal with
it, and also if MS (and competitors) have automatic detection of such
'illegal' traffic, and if not why ?....

On 31.03.2016 10:18, Todd Crane wrote:
> Oh and,
> 
> I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not to mention unprofessional, to publicly call them out on such a public forum without giving them an opportunity to correct it first.
> 
>> On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane at n5tech.com> wrote:
>>
>> Marcel
>>
>> Depending on what is on those machines, I would just recommend using fail2ban. The default is that if an ip address fails ssh auth 3 times in 5 minutes, their ip gets blocked via iptables for 5 minutes. This is enough to thwart most scripted attacks, especially those from a certain government in Asia. This is configurable to various applications, timing schemes, and blocking/jailing mechanisms.
>>
>> -Todd
>>> On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <nanog at nanog.org> wrote:
>>>
>>> Dear Nanog'er,
>>>
>>> We are facing a lot of port scan and brute force attack on port 22 (but
>>> not limited to) from Microsoft AS 8075 range toward our own infra, or
>>> toward our customers.
>>> We have sent email to abuse at microsoft.com, but no answer.
>>>
>>> source ip are:
>>> NetRange:       40.74.0.0 - 40.125.127.255
>>> CIDR:           40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
>>> 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
>>> NetName:        MSFT
>>>
>>>
>>>
>>> We consider port scan and brute force on ssh port as an attack, and even
>>> as a pre-DDOS phase (could be use to install botnet, detect unpatched
>>> host, and so one).
>>>
>>> It's one thing to propose services and make money over an infra, it's an
>>> other thing to take care that you clients do not use this infra to make
>>> illegal stuffs.
>>>
>>>
>>> How do you deal with such massive amount of 'illegal' traffic ?
>>>
>>> Thank,
>>> Best Regards
>>> Marcel
>>>
>>>
>>>
>>>
>>>
>>> He are some examples (we have more than 3000 such packets per day just
>>> from them, probably Azure), and source ip is always differents of course:
>>>
>>>
>>> Flow Filtering Expression
>>> src AS 8075 and dst port 22 and packets=1
>>> Limit Flows
>>> 40000
>>> Sorting
>>> By Date
>>>

>>
> 