[188498] in North American Network Operators' Group


Re: how to deal with port scan and brute force attack from AS 8075 ?

daemon@ATHENA.MIT.EDU (Todd Crane)
Thu Mar 31 05:04:46 2016

X-Original-To: nanog@nanog.org
From: Todd Crane <todd.crane@n5tech.com>
In-Reply-To: <Pine.LNX.4.64.1603310201030.11131@yuri.anime.net>
Date: Thu, 31 Mar 2016 02:04:40 -0700
To: Dan Hollis <goemon@sasami.anime.net>
Cc: North American Network Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


I must have missed that… my bad.


> On Mar 31, 2016, at 2:01 AM, Dan Hollis <goemon@sasami.anime.net> wrote:
>
> It's right there in his email:
>
> "We have sent email to abuse@microsoft.com, but no answer."
>
> -Dan
>
> On Thu, 31 Mar 2016, Todd Crane wrote:
>
>> Oh and,
>>
>> I'm assuming you contacted Microsoft's abuse? If not, it's not cool, not
>> to mention unprofessional, to publicly call them out on such a public
>> forum without giving them an opportunity to correct it first.
>>
>>> On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane@n5tech.com> wrote:
>>>
>>> Marcel
>>>
>>> Depending on what is on those machines, I would just recommend using
>>> fail2ban. The default is that if an IP address fails SSH auth 3 times in
>>> 5 minutes, their IP gets blocked via iptables for 5 minutes. This is
>>> enough to thwart most scripted attacks, especially those from a certain
>>> government in Asia. This is configurable for various applications, timing
>>> schemes, and blocking/jailing mechanisms.
>>>
>>> -Todd
>>>> On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <nanog@nanog.org> wrote:
>>>>
>>>> Dear Nanog'er,
>>>>
>>>> We are facing a lot of port scans and brute force attacks on port 22 (but
>>>> not limited to it) from the Microsoft AS 8075 range toward our own infra,
>>>> or toward our customers.
>>>> We have sent email to abuse@microsoft.com, but no answer.
>>>>
>>>> Source IPs are:
>>>> NetRange:       40.74.0.0 - 40.125.127.255
>>>> CIDR:           40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16, 40.76.0.0/14,
>>>>                 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
>>>> NetName:        MSFT
>>>>
>>>>
>>>> We consider port scans and brute force on the SSH port an attack, and even
>>>> a pre-DDoS phase (it could be used to install botnets, detect unpatched
>>>> hosts, and so on).
>>>>
>>>> It's one thing to offer services and make money on an infra; it's another
>>>> thing to take care that your clients do not use this infra for illegal
>>>> stuff.
>>>>
>>>>
>>>> How do you deal with such a massive amount of 'illegal' traffic?
>>>>
>>>> Thanks,
>>>> Best Regards
>>>> Marcel
>>>>
>>>>
>>>> Here are some examples (we have more than 3000 such packets per day just
>>>> from them, probably Azure), and the source IP is always different of
>>>> course:
>>>>
>>>>
>>>> Flow Filtering Expression
>>>> src AS 8075 and dst port 22 and packets=1
>>>> Limit Flows
>>>> 40000
>>>> Sorting
>>>> By Date
>>>>
>>>> Date_first_seen          Duration Proto      Src_IP_Addr:Port       Dst_IP_Addr:Port   Flags Packets
>>>> 2016-02-29 14:55:20.108     0.000 6    104.45.210.69:1160  ->   x.x.231:22    ......      1
>>>> 2016-02-29 14:55:20.611     0.000 6    104.45.210.69:1161  ->   x.x.231:22    ......      1
>>>> 2016-02-29 14:56:41.004     0.000 6     40.76.55.204:1090  ->   x.x..14:22    ......      1
>>>> 2016-02-29 14:56:41.324     0.000 6     40.76.55.204:1091  ->   x.x..14:22    ......      1
>>>> 2016-02-29 15:00:05.670     0.000 6     40.76.55.204:1088  ->   x.x.125:22    ......      1
>>>> 2016-02-29 15:00:06.003     0.000 6     40.76.55.204:1089  ->   x.x.125:22    ......      1
>>>> 2016-02-29 15:01:17.358     0.000 6      40.76.70.58:1168  ->   x.x..80:22    ......      1
>>>> 2016-02-29 15:01:17.676     0.000 6      40.76.70.58:1169  ->   x.x..80:22    ......      1
>>>> 2016-02-29 15:02:42.637     0.000 6     40.76.55.204:1176  ->   x.x.193:22    ......      1
>>>> 2016-02-29 15:02:42.878     0.000 6     40.76.55.204:1177  ->   x.x.193:22    ......      1
>>>> 2016-02-29 15:02:48.067     0.000 6    104.45.210.69:1160  ->   x.x.173:22    ......      1
>>>> 2016-02-29 15:02:48.394     0.000 6    104.45.210.69:1161  ->   x.x.173:22    ......      1
>>>> 2016-02-29 15:03:18.854     0.000 6    40.121.53.153:1041  ->   x.x..88:22    ......      1
>>>> 2016-02-29 15:03:19.172     0.000 6    40.121.53.153:1042  ->   x.x..88:22    ......      1
>>>> 2016-02-29 15:06:36.248     0.000 6     40.76.55.204:1056  ->   x.x..45:22    ......      1
>>>> 2016-02-29 15:07:31.882     0.000 6      40.76.80.17:44895 ->   x.x..75:22    ......      1
>>>> 2016-02-29 15:07:32.245     0.000 6      40.76.80.17:44896 ->   x.x..75:22    ......      1
>>>> 2016-02-29 15:09:08.433     0.000 6      40.76.70.58:1168  ->   x.x..31:22    ......      1
>>>> 2016-02-29 15:09:08.744     0.000 6      40.76.70.58:1169  ->   x.x..31:22    ......      1
>>>> 2016-02-29 15:11:45.668     0.000 6      40.76.80.17:47993 ->   x.x.157:22    ......      1
>>>> 2016-02-29 15:11:45.987     0.000 6      40.76.80.17:47994 ->   x.x.157:22    ......      1
>>>> 2016-02-29 15:12:09.543     0.000 6      40.76.70.58:1168  ->   x.x..24:22    ......      1
>>>> 2016-02-29 15:12:09.925     0.000 6      40.76.70.58:1169  ->   x.x..24:22    ......      1
>>>> 2016-02-29 15:17:05.920     0.000 6      40.76.70.58:1168  ->   x.x.243:22    ......      1
>>>> 2016-02-29 15:17:06.241     0.000 6      40.76.70.58:1169  ->   x.x.243:22    ......      1
>>>> 2016-02-29 15:19:21.364     0.000 6    40.83.121.211:62936 ->   x.x..81:22    ......      1
>>>> 2016-02-29 15:19:21.704     0.000 6    40.83.121.211:62937 ->   x.x..81:22    ......      1
>>>> 2016-02-29 15:19:45.891     0.000 6      40.76.70.58:1168  ->   x.x..39:22    ......      1
>>>> 2016-02-29 15:19:46.273     0.000 6      40.76.70.58:1169  ->   x.x..39:22    ......      1
>>>> 2016-02-29 15:21:52.030     0.000 6      40.76.70.58:1168  ->   x.x.120:22    ......      1
>>>> 2016-02-29 15:21:52.349     0.000 6      40.76.70.58:1169  ->   x.x.120:22    ......      1
>>>> 2016-02-29 15:24:07.614     0.000 6     40.76.55.204:1048  ->   x.x.237:22    ......      1
>>>> 2016-02-29 15:24:07.933     0.000 6     40.76.55.204:1128  ->   x.x.237:22    ......      1
>>>> 2016-02-29 15:27:31.289     0.000 6    40.121.53.153:1041  ->   x.x.133:22    ......      1
>>>> 2016-02-29 15:27:31.544     0.000 6    40.121.53.153:1042  ->   x.x.133:22    ......      1
>>>> 2016-02-29 15:27:59.120     0.000 6      40.76.70.58:1168  ->   x.x.9.3:22    ......      1
>>>> 2016-02-29 15:27:59.440     0.000 6      40.76.70.58:1169  ->   x.x.9.3:22    ......      1
>>>> 2016-02-29 15:29:30.933     0.000 6      40.76.70.58:1168  ->   x.x.211:22    ......      1
>>>> 2016-02-29 15:29:31.031     0.000 6      40.76.70.58:1169  ->   x.x.211:22    ......      1
>>>> 2016-02-29 15:29:33.729     0.000 6     40.76.55.204:1142  ->   x.x.166:22    ......      1
>>>> 2016-02-29 15:29:34.032     0.000 6     40.76.55.204:1143  ->   x.x.166:22    ......      1
>>>> 2016-02-29 15:31:41.947     0.000 6      40.76.70.58:1168  ->   x.x.137:22    ......      1
>>>> 2016-02-29 15:31:42.266     0.000 6      40.76.70.58:1169  ->   x.x.137:22    ......      1
>>>> 2016-02-29 15:32:10.044     0.000 6    40.121.53.153:1041  ->   x.x..71:22    ......      1
>>>> 2016-02-29 15:32:10.348     0.000 6    40.121.53.153:1042  ->   x.x..71:22    ......      1
>>>> 2016-02-29 15:32:10.442     0.000 6    104.45.210.69:1161  ->   x.x.246:22    ......      1
>>>> 2016-02-29 15:32:10.475     0.000 6    104.45.210.69:1160  ->   x.x.246:22    ......      1
>>>> 2016-02-29 15:32:29.165     0.000 6   40.121.143.132:1040  ->   x.x..62:22    ......      1
>>>> 2016-02-29 15:32:29.466     0.000 6   40.121.143.132:1041  ->   x.x..62:22    ......      1
>>>> 2016-02-29 15:37:07.616     0.000 6      40.76.80.17:56902 ->   x.x..51:22    ......      1
>>>> 2016-02-29 15:37:07.925     0.000 6      40.76.80.17:56903 ->   x.x..51:22    ......      1
>>>> 2016-02-29 15:40:04.546     0.000 6    40.121.53.153:1041  ->   x.x.186:22    ......      1
>>>> 2016-02-29 15:40:04.866     0.000 6    40.121.53.153:1042  ->   x.x.186:22    ......      1
>>>> 2016-02-29 15:40:28.870     0.000 6      40.76.70.58:1168  ->   x.x.171:22    ......      1
>>>> 2016-02-29 15:40:29.125     0.000 6      40.76.70.58:1169  ->   x.x.171:22    ......      1
>>>> 2016-02-29 15:41:57.034     0.000 6     40.76.55.204:1128  ->   x.x.181:22    ......      1
>>>> 2016-02-29 15:41:57.354     0.000 6     40.76.55.204:1176  ->   x.x.181:22    ......      1
>>>>
>>>>
>>>> 2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  ->   x.x.163:22    ......      1
>>>> 2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  ->   x.x.176:22    ......      1
>>>> 2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  ->   x.x.206:22    ......      1
>>>> 2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  ->   x.x.158:22    ......      1
>>>> 2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x.185:22    ......      1
>>>> 2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x.251:22    ......      1
>>>> 2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x.255:22    ......      1
>>>> 2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x.141:22    ......      1
>>>> 2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x.136:22    ......      1
>>>> 2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x.235:22    ......      1
>>>> 2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x.242:22    ......      1
>>>> 2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x.240:22    ......      1
>>>> 2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x.100:22    ......      1
>>>> 2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x.244:22    ......      1
>>>> 2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x.217:22    ......      1
>>>> 2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x..72:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x.221:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x.5.4:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x.150:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x.145:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x.119:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x..52:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x..75:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x.127:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x..22:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x..77:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x.246:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x.137:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x..85:22    ......      1
>>>> 2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x..35:22    ......      1
>>>>
>>>>
>>>
>>
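The one-packet flows in Marcel's listing (his filter was `src AS 8075 and dst port 22 and packets=1`) come in two visibly different shapes: pairs of probes to the same target from adjacent source ports a few hundred milliseconds apart (1160/1161, 1168/1169), and the 40.117.96.192 block, where one source port hits thirty hosts inside four milliseconds. The script below is an added example, not code from the post or from nfdump: it parses records in exactly the listing's column layout, groups them per source, and labels each source with one of those patterns. The sample rows are a subset copied from the listing (destinations obfuscated there as `x.x.NNN`); the thresholds `burst_ms` and `min_targets` and the pattern names are my own assumptions.

```python
"""Classify SSH probe sources from nfdump-style single-packet flow records.

Added example for the flow listing above, not code from the original post or
from nfdump. The sample rows are copied from the post (destinations are
obfuscated there as x.x.NNN); the pattern thresholds are my own assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the post's rows, one record per line, in the
# listing's column order (date, duration, proto, src, ->, dst, flags, packets).
SAMPLE_FLOWS = """\
2016-02-29 14:55:20.108     0.000 6    104.45.210.69:1160  ->   x.x.231:22    ......      1
2016-02-29 14:55:20.611     0.000 6    104.45.210.69:1161  ->   x.x.231:22    ......      1
2016-02-29 15:01:17.358     0.000 6      40.76.70.58:1168  ->   x.x..80:22    ......      1
2016-02-29 15:01:17.676     0.000 6      40.76.70.58:1169  ->   x.x..80:22    ......      1
2016-02-29 15:09:08.433     0.000 6      40.76.70.58:1168  ->   x.x..31:22    ......      1
2016-02-29 15:09:08.744     0.000 6      40.76.70.58:1169  ->   x.x..31:22    ......      1
2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  ->   x.x.163:22    ......      1
2016-02-29 16:55:49.183     0.000 6    40.117.96.192:1120  ->   x.x.176:22    ......      1
2016-02-29 16:55:49.186     0.000 6    40.117.96.192:1120  ->   x.x.185:22    ......      1
2016-02-29 16:55:49.187     0.000 6    40.117.96.192:1120  ->   x.x.221:22    ......      1
"""


def parse_flow(line):
    """Split one record into a dict; raise on anything not in the listing's shape."""
    f = line.split()
    if len(f) != 9 or f[5] != "->":
        raise ValueError("unexpected record: %r" % line)
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S.%f")
    src, sport = f[4].rsplit(":", 1)
    dst, dport = f[6].rsplit(":", 1)
    return {"ts": ts, "proto": int(f[3]), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": f[7], "packets": int(f[8])}


def classify_sources(text, burst_ms=1000, min_targets=3):
    """Group one-packet TCP/22 flows by source and label the probing pattern.

    horizontal-sweep: one source port, >= min_targets destinations inside burst_ms
                      (the 40.117.96.192 block in the listing: 30 hosts in 4 ms)
    paired-probe:     the same destination hit twice from adjacent source ports
                      (the 1160/1161 and 1168/1169 pairs in the listing)
    single:           anything else
    """
    by_src = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        if rec["proto"] == 6 and rec["dport"] == 22 and rec["packets"] == 1:
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        targets = {r["dst"] for r in recs}
        sports = {r["sport"] for r in recs}
        span_ms = (recs[-1]["ts"] - recs[0]["ts"]) / timedelta(milliseconds=1)
        pairs = sum(1 for a, b in zip(recs, recs[1:])
                    if a["dst"] == b["dst"] and abs(a["sport"] - b["sport"]) == 1)
        if len(targets) >= min_targets and len(sports) == 1 and span_ms <= burst_ms:
            pattern = "horizontal-sweep"
        elif pairs:
            pattern = "paired-probe"
        else:
            pattern = "single"
        report[src] = {"flows": len(recs), "targets": len(targets),
                       "src_ports": len(sports), "span_ms": span_ms,
                       "pairs": pairs, "pattern": pattern}
    return report


def block_candidates(report, min_flows=2):
    """Sources worth an ACL entry or an abuse report: any recognised pattern."""
    return sorted(src for src, r in report.items()
                  if r["pattern"] != "single" and r["flows"] >= min_flows)


if __name__ == "__main__":
    rep = classify_sources(SAMPLE_FLOWS)
    for src, r in sorted(rep.items()):
        print(f"{src:>16} {r['pattern']:<17} flows={r['flows']} "
              f"targets={r['targets']} span={r['span_ms']:.0f}ms")
    print("candidates:", block_candidates(rep))
```

The per-source report is what you would attach to the abuse mail (source, first/last seen, number of targets) and what you would feed a temporary ACL; `packets == 1` with no reply flow is the cheap signal that nothing answered the probe, so these sources can be rate-limited or dropped at the edge without touching legitimate Azure traffic to the same prefixes.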


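Todd's fail2ban suggestion, as an added example that is neither fail2ban's code nor from the original post: a sliding-window tracker with the three knobs fail2ban also exposes (`maxretry`, `findtime`, `bantime`), set to the values Todd quotes (3 failures in 5 minutes, 5-minute ban), replayed over constructed sshd `auth.log` lines. The host name `gw`, the PIDs and the timestamps are made up; the two source addresses are taken from the flow listing. The iptables commands are recorded, never executed.

```python
"""Sliding-window SSH brute-force banning, in the shape described above
(N failed logins from one IP within a window -> temporary firewall block).

Added example: not fail2ban's code and not from the original post. The
auth.log lines below are constructed (host 'gw', PIDs and times are made up;
the source addresses are two of the ones in the flow listing). Firewall
commands are only recorded, never executed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line as syslog writes it to auth.log (no year in the stamp).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

SAMPLE_AUTH_LOG = """\
Feb 29 15:00:01 gw sshd[2001]: Failed password for root from 40.76.55.204 port 1088 ssh2
Feb 29 15:00:31 gw sshd[2002]: Failed password for invalid user admin from 40.76.55.204 port 1089 ssh2
Feb 29 15:01:02 gw sshd[2003]: Failed password for root from 40.76.55.204 port 1090 ssh2
Feb 29 15:01:05 gw sshd[2004]: Accepted publickey for ops from 198.51.100.7 port 50000 ssh2
Feb 29 15:03:00 gw sshd[2005]: Failed password for root from 40.76.55.204 port 1091 ssh2
Feb 29 15:10:00 gw sshd[2006]: Failed password for root from 40.76.70.58 port 1168 ssh2
Feb 29 15:20:00 gw sshd[2007]: Failed password for root from 40.76.70.58 port 1169 ssh2
Feb 29 15:30:00 gw sshd[2008]: Failed password for root from 40.76.70.58 port 1170 ssh2
"""


class BanTracker:
    """Ban after `maxretry` failures inside `findtime`; lift the ban after `bantime`.

    The three knobs carry fail2ban's names; the values default to the ones
    quoted in the reply above (3 in 5 min, 5 min ban), not fail2ban's own.
    """

    def __init__(self, maxretry=3, findtime=timedelta(minutes=5),
                 bantime=timedelta(minutes=5), year=2016):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.year = year                    # syslog stamps carry no year
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned_until = {}              # ip -> when the ban expires
        self.actions = []                   # firewall commands that would be run

    def parse_ts(self, ts):
        # Prepend the year so "Feb 29" parses (2016 is a leap year; 1900 is not).
        return datetime.strptime(f"{self.year} {ts}", "%Y %b %d %H:%M:%S")

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # ban expired: unblock and forget
            del self.banned_until[ip]
            self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")
            return False
        return True

    def is_banned_at(self, ip, ts):
        """Same check with a syslog-style stamp, e.g. 'Feb 29 15:05:00'."""
        return self.is_banned(ip, self.parse_ts(ts))

    def observe(self, line):
        """Feed one log line; return the IP if this line triggered a new ban."""
        m = FAILED_RE.match(line)
        if not m:
            return None                     # not a failed-login line
        ip, now = m.group("ip"), self.parse_ts(m.group("ts"))
        if self.is_banned(ip, now):
            return None                     # already blocked, nothing new to do
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > self.findtime:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned_until[ip] = now + self.bantime
            q.clear()                       # counting restarts once the ban lifts
            self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")
            return ip
        return None


def run(log_text, **knobs):
    """Replay a log; return the tracker and the IPs banned, in order."""
    tracker = BanTracker(**knobs)
    bans = [ip for ip in map(tracker.observe, log_text.splitlines()) if ip]
    return tracker, bans


if __name__ == "__main__":
    tracker, bans = run(SAMPLE_AUTH_LOG)
    print("banned:", bans)
    print("\n".join(tracker.actions))
```

Replaying the sample, 40.76.55.204 is banned on its third failure at 15:01:02 and is clear again at 15:06:02, while 40.76.70.58, which spreads its three failures over twenty minutes, never trips the window; that is the gap a slow scanner aims for, so pick `findtime` against the cadence you actually see in the flow listing rather than the default. In fail2ban itself the same policy is `maxretry = 3`, `findtime = 300`, `bantime = 300` (seconds) under the `[sshd]` jail in `jail.local`; the shipped defaults in `jail.conf` vary by release, so check the installed file rather than assuming the numbers quoted in the thread.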