[188529] in North American Network Operators' Group
Re: how to deal with port scan and brute force attack from AS 8075 ?
daemon@ATHENA.MIT.EDU (DV)
Sun Apr 3 18:06:51 2016
X-Original-To: nanog@nanog.org
In-Reply-To: <56FCF2F7.9060709@yahoo.fr>
From: DV <iamzam@gmail.com>
Date: Thu, 31 Mar 2016 07:41:10 -0400
To: "marcel.duregards@yahoo.fr" <marcel.duregards@yahoo.fr>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I have noticed this and especially the strange format of the packets with a
SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr
This may be $whoever trying to establish network performance/congestion via
ECN or it could be something else like a fast scan technique or OS
fingerprinting
On Thu, Mar 31, 2016 at 5:50 AM, marcel.duregards--- via NANOG <
nanog@nanog.org> wrote:
> I cannot blame them for not answering all of the thousands of emails
> destined to their abuse mailbox. And the goal of my email was not to
> call them out on a public forum, but rather to know how other ops deal with
> it, and also if MS (and competitors) have automatic detection of such
> 'illegal' traffic, and if not, why?....
>
>
>
>
>
> On 31.03.2016 10:18, Todd Crane wrote:
> > Oh and,
> >
> > I'm assuming you contacted Microsoft's abuse? If not, it's not cool, not
> > to mention unprofessional, to publicly call them out on such a public forum
> > without giving them an opportunity to correct it first.
> >
> >> On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane@n5tech.com> wrote:
> >>
> >> Marcel
> >>
> >> Depending on what is on those machines, I would just recommend using
> >> fail2ban. The default is that if an IP address fails SSH auth 3 times in 5
> >> minutes, their IP gets blocked via iptables for 5 minutes. This is enough
> >> to thwart most scripted attacks, especially those from a certain government
> >> in Asia. This is configurable to various applications, timing schemes, and
> >> blocking/jailing mechanisms.
> >>
> >> -Todd
> >>> On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <
> nanog@nanog.org> wrote:
> >>>
> >>> Dear Nanog'er,
> >>>
> >>> We are facing a lot of port scans and brute force attacks on port 22 (but
> >>> not limited to) from the Microsoft AS 8075 range toward our own infra, or
> >>> toward our customers.
> >>> We have sent email to abuse@microsoft.com, but no answer.
> >>>
> >>> source ip are:
> >>> NetRange: 40.74.0.0 - 40.125.127.255
> >>> CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
> >>> 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
> >>> NetName: MSFT
> >>>
> >>>
> >>>
> >>> We consider port scans and brute force on the SSH port as an attack, and even
> >>> as a pre-DDoS phase (could be used to install a botnet, detect unpatched
> >>> hosts, and so on).
> >>>
> >>> It's one thing to propose services and make money over an infra, it's
> >>> another thing to take care that your clients do not use this infra to make
> >>> illegal stuff.
> >>>
> >>>
> >>> How do you deal with such a massive amount of 'illegal' traffic?
> >>>
> >>> Thanks,
> >>> Best Regards
> >>> Marcel
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Here are some examples (we have more than 3000 such packets per day just
> >>> from them, probably Azure), and the source IP is always different, of
> >>> course:
> >>>
> >>>
> >>> Flow Filtering Expression
> >>> src AS 8075 and dst port 22 and packets=1
> >>> Limit Flows
> >>> 40000
> >>> Sorting
> >>> By Date
> >>>
>
> >>
> >
>
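An added example, not code from anyone in this thread: a Python sketch of the check that Marcel's flow filter (`dst port 22 and packets=1`) and DV's SYN/ECE/CWR observation suggest, run over constructed flow records. The prefixes are the ones Marcel quoted; the record layout, function names and sample flows are my own assumptions. Single-packet bare SYNs to port 22 are counted per source, and the SYN/ECE/CWR combination is reported separately rather than treated as hostile, since RFC 3168 defines it as the legitimate ECN-setup SYN.

```python
import ipaddress
from collections import Counter

# TCP flag bits (RFC 793, ECN bits from RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
ECN_SETUP_SYN = SYN | ECE | CWR  # 0xC2: the SYN/ECE/CWR combination DV mentions

# Prefixes quoted in Marcel's post (NetName MSFT); any list of networks works here.
LISTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "40.74.0.0/15", "40.112.0.0/13", "40.124.0.0/16", "40.76.0.0/14",
    "40.80.0.0/12", "40.125.0.0/17", "40.96.0.0/12", "40.120.0.0/14")]

def in_prefixes(ip, prefixes=LISTED_PREFIXES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)

def flag_names(flags):
    bits = (FIN, SYN, RST, PSH, ACK, URG, ECE, CWR)
    names = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")
    return "/".join(n for b, n in zip(bits, names) if flags & b)

def single_syn_flows(flows, dst_port=22):
    """Mirror of the thread's flow filter: one-packet flows to dst_port that are
    bare SYNs (SYN set, ACK clear), i.e. connection attempts that never completed."""
    return [f for f in flows
            if f["dport"] == dst_port and f["packets"] == 1
            and f["flags"] & SYN and not f["flags"] & ACK]

def summarize(flows, dst_port=22):
    hits = single_syn_flows(flows, dst_port)
    per_src = Counter(f["src"] for f in hits)
    return {
        "single_syn": len(hits),
        "distinct_sources": len(per_src),
        # ECN-setup SYNs are legitimate per RFC 3168; report, do not condemn.
        "ecn_setup_syn": sum(1 for f in hits if f["flags"] & (ECE | CWR) == (ECE | CWR)),
        "from_listed_prefixes": sum(1 for f in hits if in_prefixes(f["src"])),
    }

# Constructed sample flow records (hypothetical, not from the thread).
SAMPLE_FLOWS = [
    {"src": "40.76.12.34",   "dport": 22,  "packets": 1,  "flags": ECN_SETUP_SYN},
    {"src": "40.113.200.1",  "dport": 22,  "packets": 1,  "flags": SYN},
    {"src": "40.96.7.7",     "dport": 22,  "packets": 1,  "flags": SYN},
    {"src": "40.125.1.1",    "dport": 22,  "packets": 1,  "flags": SYN | ECE | CWR},
    {"src": "203.0.113.5",   "dport": 22,  "packets": 14, "flags": SYN | ACK | PSH | FIN},  # completed session
    {"src": "40.80.5.5",     "dport": 443, "packets": 1,  "flags": SYN},  # other port, excluded
    {"src": "198.51.100.9",  "dport": 22,  "packets": 1,  "flags": SYN},  # outside the listed prefixes
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```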