how to deal with port scan and brute force attack from AS 8075 ?

DV iamzam at gmail.com
Thu Mar 31 11:41:10 UTC 2016


I have noticed this and especially the strange format of the packets with a
SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr

This may be $whoever trying to establish network performance/congestion via
ECN, or it could be something else, like a fast scan technique or OS
fingerprinting.


On Thu, Mar 31, 2016 at 5:50 AM, marcel.duregards--- via NANOG <
nanog at nanog.org> wrote:

> I cannot blame them for not answering all of the thousands of emails
> destined to their abuse mailbox. And the goal of my email was not to
> call them out on a public forum, but rather to know how other ops deal with
> it, and also whether MS (and competitors) have automatic detection of such
> 'illegal' traffic, and if not, why?
>
> On 31.03.2016 10:18, Todd Crane wrote:
> > Oh and,
> >
> > I'm assuming you contacted Microsoft's abuse? If not, it's not cool, not
> > to mention unprofessional, to publicly call them out on such a public forum
> > without giving them an opportunity to correct it first.
> >
> >> On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane at n5tech.com> wrote:
> >>
> >> Marcel
> >>
> >> Depending on what is on those machines, I would just recommend using
> >> fail2ban. The default is that if an IP address fails SSH auth 3 times in 5
> >> minutes, their IP gets blocked via iptables for 5 minutes. This is enough
> >> to thwart most scripted attacks, especially those from a certain government
> >> in Asia. This is configurable to various applications, timing schemes, and
> >> blocking/jailing mechanisms.
> >>
> >> -Todd
> >>> On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <
> nanog at nanog.org> wrote:
> >>>
> >>> Dear Nanog'er,
> >>>
> >>> We are facing a lot of port scans and brute force attacks on port 22 (but
> >>> not limited to it) from the Microsoft AS 8075 range toward our own infra,
> >>> or toward our customers.
> >>> We have sent email to abuse at microsoft.com, but got no answer.
> >>>
> >>> Source IPs are:
> >>> NetRange:       40.74.0.0 - 40.125.127.255
> >>> CIDR:           40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
> >>> 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
> >>> NetName:        MSFT
> >>>
> >>>
> >>>
> >>> We consider port scans and brute force on the SSH port as an attack, and
> >>> even as a pre-DDoS phase (could be used to install botnets, detect
> >>> unpatched hosts, and so on).
> >>>
> >>> It's one thing to offer services and make money over an infra; it's
> >>> another thing to take care that your clients do not use this infra to do
> >>> illegal stuff.
> >>>
> >>>
> >>> How do you deal with such a massive amount of 'illegal' traffic?
> >>>
> >>> Thanks,
> >>> Best Regards,
> >>> Marcel
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Here are some examples (we have more than 3000 such packets per day just
> >>> from them, probably Azure), and the source IP is always different, of
> >>> course:
> >>>
> >>>
> >>> Flow Filtering Expression
> >>> src AS 8075 and dst port 22 and packets=1
> >>> Limit Flows
> >>> 40000
> >>> Sorting
> >>> By Date
> >>>
>
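As an added example (not code from anyone in this thread), the snippet below decodes the TCP flag byte so the SYN/ECE/CWR combination DV mentions can be told apart from a plain SYN (SYN+ECE+CWR is the RFC 3168 ECN-setup SYN), and applies the same "src AS 8075, dst port 22, packets=1" filter Marcel posted to a small set of constructed flow records. The flow records, addresses and AS 64496 are made-up sample data.

```python
import struct
from collections import Counter

# TCP flag bits, low to high (RFC 793; ECE and CWR added by RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Build a minimal 20-byte TCP header (no options) as sample input."""
    data_offset = 5 << 4  # header length: 5 x 32-bit words
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def tcp_flags(header):
    """Read the flag byte (offset 13) from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header is shorter than 20 bytes")
    return header[13]


def classify_flags(flags):
    """Label a flag combination the way a defender reads it in a capture."""
    if flags & SYN and not flags & ACK:
        if flags & (ECE | CWR) == (ECE | CWR):
            return "ecn-setup-syn"  # RFC 3168 ECN negotiation (or a probe)
        return "syn"
    if flags & SYN and flags & ACK:
        return "syn-ack"
    if flags == 0:
        return "null"
    return "other"


# Constructed sample flow records; not real traffic.
SAMPLE_FLOWS = [
    {"src_ip": "192.0.2.10", "src_as": 8075, "dst_port": 22, "packets": 1},
    {"src_ip": "192.0.2.10", "src_as": 8075, "dst_port": 22, "packets": 1},
    {"src_ip": "192.0.2.11", "src_as": 8075, "dst_port": 22, "packets": 40},
    {"src_ip": "198.51.100.5", "src_as": 64496, "dst_port": 22, "packets": 1},
]


def single_packet_flows(records, src_as=8075, dst_port=22):
    """Mirror the posted flow filter (src AS, dst port, packets=1) and
    count matching single-packet flows per source IP."""
    hits = Counter()
    for r in records:
        if r["src_as"] == src_as and r["dst_port"] == dst_port and r["packets"] == 1:
            hits[r["src_ip"]] += 1
    return hits
```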



More information about the NANOG mailing list