I have noticed this and especially the strange format of the packets with a SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr This may be $whoever trying to establish network performance/congestion via ECN or it could be something else like a fast scan technique or OS fingerprinting On Thu, Mar 31, 2016 at 5:50 AM, marcel.duregards--- via NANOG < nanog@nanog.org> wrote:
I can not blame them to not answer to all of the thousands emails destined to their abuse mailbox. And the goal of my email was not to call them on public forum, but rather to know how others ops deal with it, and also if MS (and competitors) have automatic detection of such 'illegal' traffic, and if not why ?....
On 31.03.2016 10:18, Todd Crane wrote:
Oh and,
I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not to mention unprofessional, to publicly call them out on such a public forum without giving them an opportunity to correct it first.
On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane@n5tech.com> wrote:
Marcel
Depending on what is on those machines, I would just recommend using fail2ban. The default is that if an ip address fails ssh auth 3 times in 5 minutes, their ip gets blocked via iptables for 5 minutes. This is enough to thwart most scripted attacks, especially those from a certain government in Asia. This is configurable to various applications, timing schemes, and blocking/jailing mechanisms.
-Todd
On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG < nanog@nanog.org> wrote:
Dear Nanog'er,
We are facing a lot of port scan and brute force attack on port 22 (but not limited to) from Microsoft AS 8075 range toward our own infra, or toward our customers. We have sent email to abuse@microsoft.com, but no answer.
source ip are: NetRange: 40.74.0.0 - 40.125.127.255 CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16, 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14 NetName: MSFT
We consider port scan and brute force on ssh port as an attack, and even as a pre-DDOS phase (could be use to install botnet, detect unpatched host, and so one).
It's one thing to propose services and make money over an infra, it's an other thing to take care that you clients do not use this infra to make illegal stuffs.
How do you deal with such massive amount of 'illegal' traffic ?
Thank, Best Regards Marcel
He are some examples (we have more than 3000 such packets per day just from them, probably Azure), and source ip is always differents of course:
Flow Filtering Expression src AS 8075 and dst port 22 and packets=1 Limit Flows 40000 Sorting By Date