How to deal with port scans and brute force attacks from AS 8075?
Dear NANOG'ers,

We are facing a lot of port scans and brute force attacks on port 22 (but not limited to it) from the Microsoft AS 8075 range toward our own infra, or toward our customers. We have sent an email to abuse@microsoft.com, but no answer.

Source IPs are:

NetRange: 40.74.0.0 - 40.125.127.255
CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16, 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
NetName: MSFT

We consider port scans and brute force on the SSH port as an attack, and even as a pre-DDoS phase (could be used to install a botnet, detect unpatched hosts, and so on).

It's one thing to offer services and make money over an infra; it's another thing to take care that your clients do not use this infra to do illegal stuff.

How do you deal with such a massive amount of 'illegal' traffic?

Thanks, Best Regards
Marcel

Here are some examples (we have more than 3000 such packets per day just from them, probably Azure), and the source IP is always different of course:

Flow Filtering Expression: src AS 8075 and dst port 22 and packets=1
Limit Flows: 40000
Sorting By: Date

Date_first_seen Duration Proto Src_IP_Addr:Port Dst_IP_Addr:Port Flags Packets
2016-02-29 14:55:20.108 0.000 6 104.45.210.69:1160 -> x.x.231:22 ...... 1
2016-02-29 14:55:20.611 0.000 6 104.45.210.69:1161 -> x.x.231:22 ...... 1
2016-02-29 14:56:41.004 0.000 6 40.76.55.204:1090 -> x.x..14:22 ...... 1
2016-02-29 14:56:41.324 0.000 6 40.76.55.204:1091 -> x.x..14:22 ...... 1
2016-02-29 15:00:05.670 0.000 6 40.76.55.204:1088 -> x.x.125:22 ...... 1
2016-02-29 15:00:06.003 0.000 6 40.76.55.204:1089 -> x.x.125:22 ...... 1
2016-02-29 15:01:17.358 0.000 6 40.76.70.58:1168 -> x.x..80:22 ...... 1
2016-02-29 15:01:17.676 0.000 6 40.76.70.58:1169 -> x.x..80:22 ...... 1
2016-02-29 15:02:42.637 0.000 6 40.76.55.204:1176 -> x.x.193:22 ...... 1
2016-02-29 15:02:42.878 0.000 6 40.76.55.204:1177 -> x.x.193:22 ...... 1
2016-02-29 15:02:48.067 0.000 6 104.45.210.69:1160 -> x.x.173:22 ...... 1
2016-02-29 15:02:48.394 0.000 6 104.45.210.69:1161 -> x.x.173:22 ...... 1
2016-02-29 15:03:18.854 0.000 6 40.121.53.153:1041 -> x.x..88:22 ...... 1
2016-02-29 15:03:19.172 0.000 6 40.121.53.153:1042 -> x.x..88:22 ...... 1
2016-02-29 15:06:36.248 0.000 6 40.76.55.204:1056 -> x.x..45:22 ...... 1
2016-02-29 15:07:31.882 0.000 6 40.76.80.17:44895 -> x.x..75:22 ...... 1
2016-02-29 15:07:32.245 0.000 6 40.76.80.17:44896 -> x.x..75:22 ...... 1
2016-02-29 15:09:08.433 0.000 6 40.76.70.58:1168 -> x.x..31:22 ...... 1
2016-02-29 15:09:08.744 0.000 6 40.76.70.58:1169 -> x.x..31:22 ...... 1
2016-02-29 15:11:45.668 0.000 6 40.76.80.17:47993 -> x.x.157:22 ...... 1
2016-02-29 15:11:45.987 0.000 6 40.76.80.17:47994 -> x.x.157:22 ...... 1
2016-02-29 15:12:09.543 0.000 6 40.76.70.58:1168 -> x.x..24:22 ...... 1
2016-02-29 15:12:09.925 0.000 6 40.76.70.58:1169 -> x.x..24:22 ...... 1
2016-02-29 15:17:05.920 0.000 6 40.76.70.58:1168 -> x.x.243:22 ...... 1
2016-02-29 15:17:06.241 0.000 6 40.76.70.58:1169 -> x.x.243:22 ...... 1
2016-02-29 15:19:21.364 0.000 6 40.83.121.211:62936 -> x.x..81:22 ...... 1
2016-02-29 15:19:21.704 0.000 6 40.83.121.211:62937 -> x.x..81:22 ...... 1
2016-02-29 15:19:45.891 0.000 6 40.76.70.58:1168 -> x.x..39:22 ...... 1
2016-02-29 15:19:46.273 0.000 6 40.76.70.58:1169 -> x.x..39:22 ...... 1
2016-02-29 15:21:52.030 0.000 6 40.76.70.58:1168 -> x.x.120:22 ...... 1
2016-02-29 15:21:52.349 0.000 6 40.76.70.58:1169 -> x.x.120:22 ...... 1
2016-02-29 15:24:07.614 0.000 6 40.76.55.204:1048 -> x.x.237:22 ...... 1
2016-02-29 15:24:07.933 0.000 6 40.76.55.204:1128 -> x.x.237:22 ...... 1
2016-02-29 15:27:31.289 0.000 6 40.121.53.153:1041 -> x.x.133:22 ...... 1
2016-02-29 15:27:31.544 0.000 6 40.121.53.153:1042 -> x.x.133:22 ...... 1
2016-02-29 15:27:59.120 0.000 6 40.76.70.58:1168 -> x.x.9.3:22 ...... 1
2016-02-29 15:27:59.440 0.000 6 40.76.70.58:1169 -> x.x.9.3:22 ...... 1
2016-02-29 15:29:30.933 0.000 6 40.76.70.58:1168 -> x.x.211:22 ...... 1
2016-02-29 15:29:31.031 0.000 6 40.76.70.58:1169 -> x.x.211:22 ...... 1
2016-02-29 15:29:33.729 0.000 6 40.76.55.204:1142 -> x.x.166:22 ...... 1
2016-02-29 15:29:34.032 0.000 6 40.76.55.204:1143 -> x.x.166:22 ...... 1
2016-02-29 15:31:41.947 0.000 6 40.76.70.58:1168 -> x.x.137:22 ...... 1
2016-02-29 15:31:42.266 0.000 6 40.76.70.58:1169 -> x.x.137:22 ...... 1
2016-02-29 15:32:10.044 0.000 6 40.121.53.153:1041 -> x.x..71:22 ...... 1
2016-02-29 15:32:10.348 0.000 6 40.121.53.153:1042 -> x.x..71:22 ...... 1
2016-02-29 15:32:10.442 0.000 6 104.45.210.69:1161 -> x.x.246:22 ...... 1
2016-02-29 15:32:10.475 0.000 6 104.45.210.69:1160 -> x.x.246:22 ...... 1
2016-02-29 15:32:29.165 0.000 6 40.121.143.132:1040 -> x.x..62:22 ...... 1
2016-02-29 15:32:29.466 0.000 6 40.121.143.132:1041 -> x.x..62:22 ...... 1
2016-02-29 15:37:07.616 0.000 6 40.76.80.17:56902 -> x.x..51:22 ...... 1
2016-02-29 15:37:07.925 0.000 6 40.76.80.17:56903 -> x.x..51:22 ...... 1
2016-02-29 15:40:04.546 0.000 6 40.121.53.153:1041 -> x.x.186:22 ...... 1
2016-02-29 15:40:04.866 0.000 6 40.121.53.153:1042 -> x.x.186:22 ...... 1
2016-02-29 15:40:28.870 0.000 6 40.76.70.58:1168 -> x.x.171:22 ...... 1
2016-02-29 15:40:29.125 0.000 6 40.76.70.58:1169 -> x.x.171:22 ...... 1
2016-02-29 15:41:57.034 0.000 6 40.76.55.204:1128 -> x.x.181:22 ...... 1
2016-02-29 15:41:57.354 0.000 6 40.76.55.204:1176 -> x.x.181:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.163:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.176:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.206:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.158:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.185:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.251:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.255:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.141:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.136:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.235:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.242:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.240:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.100:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.244:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.217:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x..72:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.221:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.5.4:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.150:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.145:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.119:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..52:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..75:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.127:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..22:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..77:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.246:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.137:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..85:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x..35:22 ...... 1
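The sweep pattern in the flow dump above (one source reaching dozens of hosts on port 22 within a few milliseconds, and the same one or two source ports reused against every target) can be pulled out of nfdump output mechanically. The following Python is an added example, not part of Marcel's post or of nfdump itself: the sample lines are constructed in the posted column layout (198.51.100.7 is a made-up ordinary client for contrast), and the 15-minute window and three-target threshold are assumptions.

```python
"""Horizontal SSH-scan detector over nfdump-style flow lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample in the same column layout as the posted nfdump output
# (date, time, duration, proto, src:port, ->, dst:port, flags, packets).
# Destination hosts are anonymised as in the post; 198.51.100.7 is a made-up
# ordinary client added for contrast.
SAMPLE_FLOWS = """\
2016-02-29 14:55:20.108 0.000 6 104.45.210.69:1160 -> x.x.231:22 ...... 1
2016-02-29 15:01:17.358 0.000 6 40.76.70.58:1168 -> x.x..80:22 ...... 1
2016-02-29 15:01:17.676 0.000 6 40.76.70.58:1169 -> x.x..80:22 ...... 1
2016-02-29 15:09:08.433 0.000 6 40.76.70.58:1168 -> x.x..31:22 ...... 1
2016-02-29 15:09:08.744 0.000 6 40.76.70.58:1169 -> x.x..31:22 ...... 1
2016-02-29 15:12:09.543 0.000 6 40.76.70.58:1168 -> x.x..24:22 ...... 1
2016-02-29 15:12:09.925 0.000 6 40.76.70.58:1169 -> x.x..24:22 ...... 1
2016-02-29 15:30:00.000 0.000 6 198.51.100.7:51000 -> x.x.100:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.163:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 -> x.x.176:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.185:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 -> x.x.251:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 -> x.x.221:22 ...... 1
"""


def parse_flow(line):
    """Split one nfdump line into a dict; ports are split off with rsplit so
    the anonymised 'x.x..80' destinations survive."""
    date, clock, duration, proto, src, _arrow, dst, flags, packets = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f"),
        "duration": float(duration),
        "proto": int(proto),
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "flags": flags, "packets": int(packets),
    }


def detect_scanners(text, dst_port=22, window=timedelta(minutes=15), min_targets=3):
    """Flag sources whose single-packet TCP flows reach >= min_targets distinct
    hosts on dst_port inside any `window`. Thresholds are assumptions."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] == 6 and f["dst_port"] == dst_port and f["packets"] == 1:
            by_src[f["src_ip"]].append(f)

    verdicts = {}
    for src, flows in by_src.items():
        flows.sort(key=lambda f: f["ts"])
        # Sliding window: for each flow as the window start, count distinct
        # destinations reached before the window closes; keep the maximum.
        fan_out = 0
        for i, start in enumerate(flows):
            hit = {g["dst_ip"] for g in flows[i:] if g["ts"] - start["ts"] <= window}
            fan_out = max(fan_out, len(hit))
        if fan_out < min_targets:
            continue
        # A normal client gets a fresh OS-assigned ephemeral port per connect;
        # a source port reused against several targets points at a stateless
        # scanner that crafts its own packets (cf. 1168/1169 and 1120 above).
        port_targets = defaultdict(set)
        for f in flows:
            port_targets[f["src_port"]].add(f["dst_ip"])
        verdicts[src] = {
            "targets": fan_out,
            "reused_src_ports": sorted(p for p, d in port_targets.items() if len(d) > 1),
            "span_seconds": (flows[-1]["ts"] - flows[0]["ts"]).total_seconds(),
        }
    return verdicts


def aggregate_by_prefix(verdicts, prefixlen=16):
    """Collapse per-source verdicts onto covering prefixes so the 'always a
    different source IP' picture becomes a short list of blocks."""
    blocks = defaultdict(list)
    for src in verdicts:
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        blocks[str(net)].append(src)
    return dict(blocks)


if __name__ == "__main__":
    found = detect_scanners(SAMPLE_FLOWS)
    for src, info in found.items():
        print(src, info)
    print(aggregate_by_prefix(found))
```

On the constructed sample this flags 40.76.70.58 (three hosts over eleven minutes, ports 1168 and 1169 reused on every target) and 40.117.96.192 (five hosts in four milliseconds from a single port 1120), and leaves the one-off sources alone; feeding it a real `nfdump -o line` export of the same filter expression is the only change needed for production data.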
Use IPv6: bind a second address to the device, enable SSH on a random port on this new address, and remove SSH from the other IP address.

Joe Klein
"Inveniam viam aut faciam"
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Thu, Mar 31, 2016 at 4:06 AM, Robert Kisteleki <robert@ripe.net> wrote:
How do you deal with such a massive amount of 'illegal' traffic?
Move SSH to a different port. Better yet, use IPv6 only :-)
Robert
Marcel

Depending on what is on those machines, I would just recommend using fail2ban. The default is that if an IP address fails SSH auth 3 times in 5 minutes, their IP gets blocked via iptables for 5 minutes. This is enough to thwart most scripted attacks, especially those from a certain government in Asia. This is configurable to various applications, timing schemes, and blocking/jailing mechanisms.

-Todd
On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <nanog@nanog.org> wrote:
Dear NANOG'ers,
We are facing a lot of port scans and brute force attacks on port 22 (but not limited to it) from the Microsoft AS 8075 range toward our own infra, or toward our customers. We have sent an email to abuse@microsoft.com, but no answer.
Source IPs are:
NetRange: 40.74.0.0 - 40.125.127.255
CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16, 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
NetName: MSFT
We consider port scans and brute force on the SSH port as an attack, and even as a pre-DDoS phase (could be used to install a botnet, detect unpatched hosts, and so on).
It's one thing to offer services and make money over an infra; it's another thing to take care that your clients do not use this infra to do illegal stuff.
How do you deal with such a massive amount of 'illegal' traffic?
Thanks, Best Regards
Marcel
Here are some examples (we have more than 3000 such packets per day just from them, probably Azure), and the source IP is always different of course:
Flow Filtering Expression: src AS 8075 and dst port 22 and packets=1
Limit Flows: 40000
Sorting By: Date
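The fail2ban behaviour Todd describes (count failures per source inside a window, ban for a fixed time, forget) is small enough to write out, and doing so shows the two edge cases that matter: a ban expiring and the counter resetting, and a legitimate user whose occasional typos never accumulate. This Python is an added example, not fail2ban's own code; the auth.log lines are constructed in OpenSSH's format (the year is assumed because syslog omits it), the 3/5-minute/5-minute thresholds follow Todd's message, and the iptables line is the assumed shape of a ban rule rather than fail2ban's exact action template.

```python
"""fail2ban-style SSH jail on sshd auth-log lines (added example, not fail2ban code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt in OpenSSH's format. syslog omits the year,
# so LOG_YEAR is assumed. 40.76.70.58 hammers root; 198.51.100.7 is a
# legitimate user who mistypes a password now and then.
LOG_YEAR = 2016
SAMPLE_LOG = """\
Mar 31 01:00:01 host sshd[1001]: Failed password for root from 40.76.70.58 port 1168 ssh2
Mar 31 01:00:03 host sshd[1002]: Failed password for invalid user admin from 40.76.70.58 port 1169 ssh2
Mar 31 01:00:05 host sshd[1003]: Failed password for root from 40.76.70.58 port 1170 ssh2
Mar 31 01:00:06 host sshd[1004]: Failed password for root from 40.76.70.58 port 1171 ssh2
Mar 31 01:02:00 host sshd[1005]: Failed password for ops from 198.51.100.7 port 50000 ssh2
Mar 31 01:03:00 host sshd[1006]: Accepted publickey for ops from 198.51.100.7 port 50001 ssh2
Mar 31 01:06:00 host sshd[1007]: Failed password for root from 40.76.70.58 port 1172 ssh2
Mar 31 01:09:00 host sshd[1008]: Failed password for ops from 198.51.100.7 port 50002 ssh2
Mar 31 01:15:00 host sshd[1009]: Failed password for ops from 198.51.100.7 port 50003 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


class SshJail:
    """maxretry failures within findtime => ban for bantime (Todd's 3 / 5 min / 5 min)."""

    def __init__(self, maxretry=3, findtime=timedelta(minutes=5), bantime=timedelta(minutes=5)):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> recent failure timestamps
        self.banned_until = {}               # ip -> ban expiry
        self.events = []                     # (ts, "ban"|"unban", ip) audit trail

    def _still_banned(self, ip, now):
        """Lift an expired ban (and forget its failure history); True if still banned."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.banned_until[ip]
        self.failures[ip].clear()
        self.events.append((now, "unban", ip))
        return False

    def feed(self, line):
        m = FAIL_RE.match(line)
        if not m:
            return None                      # not a failure line: ignore
        ts = datetime.strptime(f"{LOG_YEAR} {m['stamp']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if self._still_banned(ip, ts):
            # In production the firewall rule drops this packet before sshd
            # ever logs it; seeing it here would mean the ban did not apply.
            return ip, "already-banned"
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.findtime:   # drop failures older than findtime
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            self.events.append((ts, "ban", ip))
            return ip, "ban"
        return ip, "count"

    def run(self, text):
        return [r for r in map(self.feed, text.splitlines()) if r is not None]


def ban_rule(ip, port=22):
    """Assumed shape of the rule a ban action would insert; not fail2ban's exact template."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j REJECT --reject-with icmp-port-unreachable"


if __name__ == "__main__":
    jail = SshJail()
    for ip, verdict in jail.run(SAMPLE_LOG):
        print(ip, verdict)
    for ts, action, ip in jail.events:
        print(ts, action, ip, ban_rule(ip) if action == "ban" else "")
```

Run against the sample, the scanner is banned on its third failure at 01:00:05, its fourth attempt one second later is reported as already banned, and its next attempt at 01:06:00 finds the ban expired and starts the count from one again; the legitimate user's three failures are each more than five minutes apart, so they never reach the threshold. Note the findtime pruning is what makes the reset work: without it, a slow brute force spread over hours would never be caught and a careful human would eventually be banned.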
Oh and, I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not to mention unprofessional, to publicly call them out on such a public forum without giving them an opportunity to correct it first.
On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane@n5tech.com> wrote:
Marcel
Depending on what is on those machines, I would just recommend using fail2ban. The default is that if an IP address fails SSH auth 3 times in 5 minutes, their IP gets blocked via iptables for 5 minutes. This is enough to thwart most scripted attacks, especially those from a certain government in Asia. This is configurable to various applications, timing schemes, and blocking/jailing mechanisms.
-Todd
On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <nanog@nanog.org> wrote:
Dear NANOG'ers,
We are facing a lot of port scans and brute force attacks on port 22 (but not limited to it) from the Microsoft AS 8075 range toward our own infra, or toward our customers. We have sent an email to abuse@microsoft.com, but no answer.
Source IPs are:
NetRange: 40.74.0.0 - 40.125.127.255
CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16, 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
NetName: MSFT
We consider port scans and brute force on the SSH port as an attack, and even as a pre-DDoS phase (could be used to install a botnet, detect unpatched hosts, and so on).
It's one thing to offer services and make money over an infra; it's another thing to take care that your clients do not use this infra to do illegal stuff.
How do you deal with such a massive amount of 'illegal' traffic?
Thanks, Best Regards
Marcel
Here are some examples (we have more than 3000 such packets per day just from them, probably Azure), and the source IP is always different of course:
Flow Filtering Expression: src AS 8075 and dst port 22 and packets=1
Limit Flows: 40000
Sorting By: Date
I cannot blame them for not answering all of the thousands of emails destined for their abuse mailbox. And the goal of my email was not to call them out on a public forum, but rather to know how other ops deal with it, and also whether MS (and competitors) have automatic detection of such 'illegal' traffic, and if not, why?

On 31.03.2016 10:18, Todd Crane wrote:
Oh and,
I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not to mention unprofessional, to publicly call them out on such a public forum without giving them an opportunity to correct it first.
On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane@n5tech.com> wrote:
Marcel
Depending on what is on those machines, I would just recommend using fail2ban. The default is that if an IP address fails SSH auth 3 times in 5 minutes, their IP gets blocked via iptables for 5 minutes. This is enough to thwart most scripted attacks, especially those from a certain government in Asia. This is configurable to various applications, timing schemes, and blocking/jailing mechanisms.
-Todd
On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <nanog@nanog.org> wrote:
Dear NANOG'ers,
We are facing a lot of port scans and brute force attacks on port 22 (but not limited to it) from the Microsoft AS 8075 range toward our own infra, or toward our customers. We have sent an email to abuse@microsoft.com, but no answer.
Source IPs are:
NetRange: 40.74.0.0 - 40.125.127.255
CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16, 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
NetName: MSFT
We consider port scans and brute force on the SSH port as an attack, and even as a pre-DDoS phase (could be used to install a botnet, detect unpatched hosts, and so on).
It's one thing to offer services and make money over an infra; it's another thing to take care that your clients do not use this infra to do illegal stuff.
How do you deal with such a massive amount of 'illegal' traffic?
Thanks, Best Regards
Marcel
Here are some examples (we have more than 3000 such packets per day just from them, probably Azure), and the source IP is always different of course:
Flow Filtering Expression: src AS 8075 and dst port 22 and packets=1
Limit Flows: 40000
Sorting By: Date
I have noticed this, and especially the strange format of the packets with a SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr

This may be $whoever trying to establish network performance/congestion via ECN, or it could be something else like a fast scan technique or OS fingerprinting.

On Thu, Mar 31, 2016 at 5:50 AM, marcel.duregards--- via NANOG <nanog@nanog.org> wrote:
I cannot blame them for not answering all of the thousands of emails destined for their abuse mailbox. And the goal of my email was not to call them out on a public forum, but rather to know how other ops deal with it, and also whether MS (and competitors) have automatic detection of such 'illegal' traffic, and if not, why?
On 31.03.2016 10:18, Todd Crane wrote:
Oh and,
I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not to mention unprofessional, to publicly call them out on such a public forum without giving them an opportunity to correct it first.
On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane@n5tech.com> wrote:
Marcel
Depending on what is on those machines, I would just recommend using fail2ban. The default is that if an IP address fails SSH auth 3 times in 5 minutes, their IP gets blocked via iptables for 5 minutes. This is enough to thwart most scripted attacks, especially those from a certain government in Asia. This is configurable to various applications, timing schemes, and blocking/jailing mechanisms.
-Todd
On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <nanog@nanog.org> wrote:
Dear NANOG'ers,
We are facing a lot of port scans and brute force attacks on port 22 (but not limited to it) from the Microsoft AS 8075 range toward our own infra, or toward our customers. We have sent an email to abuse@microsoft.com, but no answer.
Source IPs are:
NetRange: 40.74.0.0 - 40.125.127.255
CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16, 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
NetName: MSFT
We consider port scans and brute force on the SSH port as an attack, and even as a pre-DDoS phase (could be used to install a botnet, detect unpatched hosts, and so on).
It's one thing to offer services and make money over an infra; it's another thing to take care that your clients do not use this infra to do illegal stuff.
How do you deal with such a massive amount of 'illegal' traffic?
Thanks, Best Regards
Marcel
Here are some examples (we have more than 3000 such packets per day just from them, probably Azure), and the source IP is always different of course:
Flow Filtering Expression: src AS 8075 and dst port 22 and packets=1
Limit Flows: 40000
Sorting By: Date
On Thu, Mar 31, 2016 at 4:41 AM, DV <iamzam@gmail.com> wrote:
I have noticed this and especially the strange format of the packets with a SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr
This may be $whoever trying to establish network performance/congestion via ECN or it could be something else like a fast scan technique or OS fingerprinting
It's OS fingerprinting. Targeted attacks are far more productive. If I'm trying to get into an organization, I'd much rather be interested in Juniper ScreenOS than someone's personal *nix machine.

Brandon Vincent
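The flag combination DV spotted is worth being able to decode by hand, because the six-character flags column in the posted nfdump output (UAPRSF) cannot show ECE or CWR at all; only a packet capture reveals them. A SYN carrying ECE and CWR is the RFC 3168 ECN-setup SYN, which any client that negotiates ECN on outgoing connections sends, so the flags alone prove nothing; what makes it fingerprinting is the same probe fired at many hosts with no connection following. The Python below is an added example, not code from the thread: it builds constructed 20-byte TCP headers (the 40.76.70.58 source and ports 1168/1169 are reused from the flow dump, 198.51.100.7 is a documentation address standing in for an ordinary client), decodes the flag byte, and counts ECN-setup SYNs per source.

```python
"""Decode TCP flags from raw headers and classify ECN-setup SYNs (added example)."""
import struct

# Bit values of the flags byte (header byte 13), RFC 793 + RFC 3168.
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Constructed 20-byte TCP header (no options, zero checksum) for the demo."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, window, 0, 0)


def decode_tcp_header(header):
    """Parse the fixed part of a TCP header; flags come back as a set of names."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, bits = struct.unpack("!HHIIBB", header[:14])
    flags = {name for name, bit in FLAG_BITS.items() if bits & bit}
    if off_res & 0x01:
        flags.add("NS")          # RFC 3540 nonce sum, low bit of the reserved nibble
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": (off_res >> 4) * 4, "flags": flags}


def classify(flags):
    """SYN+ECE+CWR is the RFC 3168 ECN-setup SYN: sent by any ECN-enabled
    client, and also the shape of the ECN probe used by OS fingerprinters."""
    if "SYN" in flags and "ACK" not in flags:
        return "ecn-setup-syn" if {"ECE", "CWR"} <= flags else "syn"
    if {"SYN", "ACK"} <= flags:
        return "ecn-setup-syn-ack" if "ECE" in flags and "CWR" not in flags else "syn-ack"
    return "other"


def ecn_syn_sources(packets, dst_port=22):
    """Given (src_ip, raw_tcp_header) pairs, count ECN-setup SYNs to dst_port per source.
    One such SYN is not evidence on its own; many of them against many hosts, with
    no follow-up data, is the fingerprinting pattern."""
    counts = {}
    for src_ip, raw in packets:
        h = decode_tcp_header(raw)
        if h["dport"] == dst_port and classify(h["flags"]) == "ecn-setup-syn":
            counts[src_ip] = counts.get(src_ip, 0) + 1
    return counts


# Constructed packets: a scanner-style pair per target and one ordinary client SYN.
SAMPLE_PACKETS = [
    ("40.76.70.58", build_tcp_header(1168, 22, {"SYN", "ECE", "CWR"})),
    ("40.76.70.58", build_tcp_header(1169, 22, {"SYN", "ECE", "CWR"})),
    ("198.51.100.7", build_tcp_header(51000, 22, {"SYN"})),
]

if __name__ == "__main__":
    for src, raw in SAMPLE_PACKETS:
        h = decode_tcp_header(raw)
        print(src, h["sport"], "->", h["dport"], sorted(h["flags"]), classify(h["flags"]))
    print(ecn_syn_sources(SAMPLE_PACKETS))
```

To use it on real traffic, slice the TCP header out of each captured frame (after the link and IP headers) and pass the raw bytes to decode_tcp_header; a Linux client with net.ipv4.tcp_ecn=1 will show up as an ECN-setup SYN too, which is exactly why the per-source count and the fan-out across hosts, not the flags, should drive any verdict.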
They should always just use Shodan.

https://www.shodan.io/explore

On 4 April 2016 at 05:54, Brandon Vincent <Brandon.Vincent@asu.edu> wrote:
On Thu, Mar 31, 2016 at 4:41 AM, DV <iamzam@gmail.com> wrote:
I have noticed this and especially the strange format of the packets with a SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr
This may be $whoever trying to establish network performance/congestion via ECN or it could be something else like a fast scan technique or OS fingerprinting
It's OS fingerprinting. Targeted attacks are far more productive. If I'm trying to get into an organization, I'd much rather be interested in Juniper ScreenOS than someone's personal *nix machine.
Brandon Vincent
-- BaconZombie 55:55:44:44:4C:52:4C:52:42:41 LOAD "*",8,1
On 31/03/2016 10:02, marcel.duregards--- via NANOG wrote:
We are facing a lot of port scan and brute force attack on port 22 (but not limited to)
Maybe not super useful in your case, but talking about SSH, the sysadmin solution would be to disable password login and use just keys. Also, as someone else said, fail2ban... because it's a lot of fun. :)

Ciao,
Davide
On Thu, 31 Mar 2016 10:02:05 +0200, "marcel.duregards--- via NANOG" said:
We consider port scans and brute force on the SSH port as an attack, and even
So explain to me why you don't have ACLs that silently drop inbound SYN packets on port 22 from outside your allocated address space? (And if you can't do it at your border because you sub-allocate address space to customers, figure out how to use iptables or similar to block it on the target hosts, or only apply the ACL for your own subnets.)

If you have a *legitimate* business case for needing to SSH in from outside, there are fine products such as OpenVPN (and not-so-fine like the one we have in production - although it's mostly usable too, and achieves the goal of presenting you as being inside our corporate address space).

Also, move your SSH service to some port other than 22, and consider putting 'PasswordAuthentication no' / 'PubkeyAuthentication yes' in your sshd_config.

I admit never understanding why people run their systems in a low-hanging-fruit configuration, and then are surprised that miscreants go looking for low-hanging fruit.

(For the record, our border routers drop inbound SYN on port 22 on *both* IPv4 and IPv6 address spaces. It's amazing how few brute force attempts we see on our servers... :)
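Two checks fall out of Valdis's advice: does a given inbound SYN to port 22 come from inside your own address space, and does an sshd_config actually turn password logins off. The second is easy to get wrong because sshd_config(5) uses the first value it finds for a keyword (a hardening line added at the bottom of a file that already says `PasswordAuthentication yes` near the top does nothing), keywords are case-insensitive, and anything after a `Match` line is conditional. The Python below is an added example, not from the thread or from OpenSSH: the "own space" prefixes are documentation ranges standing in for a real allocation, the two sshd_config texts are constructed, the defaults table reflects upstream OpenSSH defaults for the keywords it lists, and the iptables lines it renders are one straightforward way to express the policy on a host, not Valdis's router ACL.

```python
"""Border ACL decision and sshd_config audit for the advice above (added example)."""
import ipaddress

# Documentation prefixes standing in for "our allocated address space" (assumption).
OWN_SPACE = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]

# Upstream OpenSSH defaults used when a keyword is absent
# (PermitRootLogin default is prohibit-password since OpenSSH 7.0).
OPENSSH_DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "port": "22",
}

WEAK_CONFIG = """\
# stock-looking config: password logins on by default, root allowed
Port 22
PermitRootLogin yes
#PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
PasswordAuthentication yes   # ignored: first value wins
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword: first value} for the global section, per sshd_config(5):
    keywords are case-insensitive, '#' starts a comment, the FIRST value for a
    keyword is the one used, and lines after a Match block are conditional."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        effective.setdefault(key, value)       # first one wins
    return effective


def audit_sshd_config(text):
    """List the low-hanging-fruit settings Valdis calls out."""
    cfg = {**OPENSSH_DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is not 'yes'")
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes")
    if cfg["port"] == "22":
        findings.append("sshd on the default port 22")
    return findings


def allow_ssh_syn(src, dst_port, is_syn, own_space=OWN_SPACE):
    """Border ACL decision: an inbound SYN to 22 is allowed only from own space.
    Non-SYN segments and other ports are left to the rest of the policy."""
    if dst_port != 22 or not is_syn:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in own_space)


def iptables_rules(own_space=OWN_SPACE, port=22):
    """Render the same policy as iptables/ip6tables lines: accept own space, then drop."""
    rules = []
    for tool, version in (("iptables", 4), ("ip6tables", 6)):
        for net in own_space:
            if net.version == version:
                rules.append(f"{tool} -A INPUT -p tcp --dport {port} --syn -s {net} -j ACCEPT")
        rules.append(f"{tool} -A INPUT -p tcp --dport {port} --syn -j DROP")
    return rules


if __name__ == "__main__":
    print("weak:", audit_sshd_config(WEAK_CONFIG))
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))
    print(allow_ssh_syn("40.76.70.58", 22, True), allow_ssh_syn("192.0.2.10", 22, True))
    print("\n".join(iptables_rules()))
```

The audit reports three findings for the weak file and none for the hardened one, even though the hardened file ends with a `PasswordAuthentication yes`: that line loses to the earlier `no`, and the `Match User backup` block is ignored for the global verdict. The rendered rules drop the SYN, not the whole flow, so established sessions and return traffic are untouched; `sshd -T` prints the effective configuration if you want to cross-check the parser against the real daemon.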
You could use Shields Up to view your vulnerabilities... obvious ones, and remedy...

Cyrus Ramirez

On Thursday, March 31, 2016 10:21 AM, "Valdis.Kletnieks@vt.edu" <Valdis.Kletnieks@vt.edu> wrote:

On Thu, 31 Mar 2016 10:02:05 +0200, "marcel.duregards--- via NANOG" said:
We consider port scans and brute force on the SSH port as an attack, and even
So explain to me why you don't have ACLs that silently drop inbound SYN packets on port 22 from outside your allocated address space? (And if you can't do it at your border because you sub-allocate address space to customers, figure out how to use iptables or similar to block it on the target hosts, or only apply the ACL for your own subnets.)

If you have a *legitimate* business case for needing to SSH in from outside, there are fine products such as OpenVPN (and not-so-fine like the one we have in production - although it's mostly usable too, and achieves the goal of presenting you as being inside our corporate address space).

Also, move your SSH service to some port other than 22, and consider putting 'PasswordAuthentication no' / 'PubkeyAuthentication yes' in your sshd_config.

I admit never understanding why people run their systems in a low-hanging-fruit configuration, and then are surprised that miscreants go looking for low-hanging fruit.

(For the record, our border routers drop inbound SYN on port 22 on *both* IPv4 and IPv6 address spaces. It's amazing how few brute force attempts we see on our servers... :)
hi nanog'ers

On 03/31/16 at 10:20am, Valdis.Kletnieks@vt.edu wrote:
On Thu, 31 Mar 2016 10:02:05 +0200, "marcel.duregards--- via NANOG" said:
We consider port scans and brute force on the SSH port as an attack, and even
...
(For the record, our border routers drop inbound SYN on port 22 on *both* ipv4 and ipv6 address spaces. It's amazing how few brute force attempts we see on our servers... :)
i think the best way (imho) to discourage random incoming ssh connections, or anything else (tcp-based), is to run a tarpit on ALL tcp-based ports ... one obviously would allow incoming 25/tcp traffic to mail servers and incoming 80/tcp to web servers, etc etc, but otherwise all other incoming tcp ports get unconditionally tarpit'd

we used to get hundreds of thousands of garbage tcp connections per minute, which basically disappeared after running tarpits as needed, and the attackers (port scanners) pay a penalty for sending useless packets to tarpit'd ports

fail2ban/etc is okay but it's too limited, since i want to deny all tcp connections and specifically only allow certain incoming traffic, which is trivial to implement with iptables + tarpits

/dev/null'ing incoming packets is okay but it still occupies time/space/buffers in the pipe, and the attackers didn't feel any pain for sending the packets

doing ddos mitigation for your own IP# space is fairly easy: create various policies ... doing the ddos mitigation for your customers down the line using your routers can be tricky business, and very messy if neither the customer nor the isp changes something (aka more $$$)

magic pixie dust
alvin
DDoS-Mitigator.net
participants (11)
- alvin nanog
- Bacon Zombie
- Brandon Vincent
- cyrus ramirez
- Davide Davini
- DV
- Joe Klein
- marcel.duregards@yahoo.fr
- Robert Kisteleki
- Todd Crane
- Valdis.Kletnieks@vt.edu