Kitz Forum

Computer Software => Security => Topic started by: Weaver on June 01, 2019, 04:30:36 PM

Title: Attack
Post by: Weaver on June 01, 2019, 04:30:36 PM
I am getting ~15 TCP connect attempts per second coming from, to random destination addresses, random destination ports not likely sensible ones. That source address isn't changing. Peak I've seen so far was 24 packets in a second. I averaged it at 150 packets over ten seconds.

Here's the whois for that address. Note the postal address!

% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to ' -'

% Abuse contact for ' -' is ''

inetnum: -
netname:        VITOX-TLN-DE-01
descr:          VITOX TELECOM
country:        DE
geoloc:         49.452 11.0768
org:            ORG-VTX1-RIPE
admin-c:        VTX2-RIPE
tech-c:         VTX2-RIPE
status:         ASSIGNED PA
mnt-by:         VITOX-MNT
created:        2019-02-27T15:20:23Z
last-modified:  2019-03-14T05:17:44Z
source:         RIPE

organisation:   ORG-VTX1-RIPE
org-name:       VITOX TELECOM
org-type:       OTHER
address:        1, Mangu Panna, Village Jaunti, Delhi 110081 India and NETHERLANDS
geoloc:         52.6921234 6.1937187
abuse-c:        VTX2-RIPE
mnt-ref:        VITOX-MNT
mnt-by:         VITOX-MNT
created:        2019-02-27T13:42:38Z
last-modified:  2019-03-13T16:52:42Z
source:         RIPE # Filtered

role:           VITOX TELECOM NOC
address:        1, Mangu Panna, Village Jaunti, Delhi 110081 India
address:        Netherlands
nic-hdl:        VTX2-RIPE
mnt-by:         VITOX-MNT
created:        2019-02-27T13:41:10Z
last-modified:  2019-03-01T15:55:32Z
source:         RIPE # Filtered

% Information related to ''

descr:          VITOX TELECOM
origin:         AS209299
mnt-by:         VITOX-MNT
created:        2019-03-01T15:58:43Z
last-modified:  2019-03-13T17:00:40Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.94 (BLAARKOP)

These packets are all silently dropped by my Firebrick firewall, but I have already been charged for the bytes and it has eaten a small amount of my bandwidth.

Any thoughts? This is, what, 4800 bps? (= 15 * 40 * 8 bits) Do I need to do anything about it?

I have already talked briefly to AA about it. I also emailed the abuse contact listed and complained.

I am continuing to keep an eye on it. An hour or so later it was still going on.

I need some pest control. Some sort of spray.
Title: Re: Attack
Post by: burakkucat on June 01, 2019, 05:26:45 PM
Vitox Telecom. Various end-points; pops; VPNs, etc.

The co-ordinates given map to the Netherlands ('31.6%22N+6%C2%B011'37.4%22E/@52.6921234,6.1937187,17z/data=!3m1!4b1!4m5!3m4!1s0x0:0x0!8m2!3d52.6921234!4d6.1937187?hl=en).

[bcat ~]$ nmap -p0-

Starting Nmap 5.51 ( ) at 2019-06-01 17:17 BST
Nmap scan report for
Host is up (0.082s latency).
Not shown: 65534 closed ports
22/tcp   open     ssh
7547/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 94.59 seconds
[bcat ~]$

Would A&A be able to drop all traffic from that IP address so that it does not reach you?
Title: Re: Attack
Post by: burakkucat on June 01, 2019, 06:17:24 PM
It seems that IPv4 address is well-known ( for abuse.  >:(
Title: Re: Attack
Post by: Weaver on June 01, 2019, 06:55:12 PM
They didn't seem very keen. I suggested a black hole route that is on a /32, and qualify it with a condition && dest = me as well as on the source address. I said I will keep an eye on it and come back to them if it gets worse.

Good tip, I had forgotten about that useful website btw.

I took another look a few hours later and it doesn't seem to be going anywhere.
Title: Re: Attack
Post by: CarlT on June 02, 2019, 10:41:20 AM
They aren't going to want to start messing with routes like that. That's not a normal route that's a policy based one and no ISP wants those anywhere near their core or transport networks.

The major issue is that it's not really service affecting. It would be lost to pretty much everyone as background noise. If they were saturating your links and denying you service that would be different. A few kilobits per second is probably a scan. These happen constantly to all of us to one degree or another.

Just FYI a black hole route would be on your IP. Dropping traffic heading to you at their network edge. Sure you want them to do that for a few kilobits per second?

[Moderator edited to merge two successive posts into one.]
Title: Re: Attack
Post by: Chrysalis on June 02, 2019, 04:49:58 PM
Carl is right. What you can do to at least ensure the effect on you is minimised in terms of CPU power and upstream bandwidth is to configure your network so you don't reply to the SYNs, but I would leave it at that; don't bother AAISP with filtering requests.

When I was setting up my walled garden LAN block, I temporarily added a logging flag to the block rule, and started seeing things like denied requests from web servers, and that was being caused by my smartphone not closing TCP sessions properly in some apps. It's just basic low-level noise.
Title: Re: Attack
Post by: Weaver on June 03, 2019, 01:55:57 AM
I was really just asking what is possible. I have a router dealing with me in osrtifuckar because it's handling my four-way split. So I wondered if it was easy to add things in in future if it became a serious problem. The point is this is costing me money, whereas it wouldn't cost you anything, apart from bandwidth. I pay for downstream bytes and, in the case of 4G, upstream as well. So if this started to become a serious thing then it could eat up all my money. I'm keeping an eye on it in case it starts extending to the 4G links too.

AA talked to me about setting up a Firebrick FB2900 at their end and putting my traffic through that. I am told that a small number of customers do this already.
Title: Re: Attack
Post by: Chrysalis on June 03, 2019, 08:50:43 AM
Won't that Firebrick cost money though?
Title: Re: Attack
Post by: Weaver on June 03, 2019, 10:01:07 AM
I have seen an AA webpage somewhere that shows hosting / colo charges. Firebrick hosting is pretty cheap per month compared to the usual servers, because their power consumption is very low.

I was thinking about writing an alarm program which checks the amount of traffic that I am getting in from nuisance sources. The AA control server won't be of much help because although it can count usage, it can't distinguish legitimate traffic from nuisance traffic, and I don't see how it could be configured to do so. I was thinking about getting the Firebrick to do some kind of event counting and then extract the info from the brick remotely. But there is a lot of work to do and I would really need to write it for my Raspberry Pi since that is running continuously so the monitoring will always be active.
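The alarm program sketched above, applied to the figures from the opening post (about 15 SYNs a second from one source, a peak of 24 in a second, 40-byte packets, so roughly 4800 bps), as an added example that is not from the thread and not Firebrick's own code or log format. It also shows the point Chrysalis made about not replying to the SYNs: a silent drop costs nothing upstream, whereas a reject would send a RST for every SYN. The log line format, the addresses (RFC 5737 documentation ranges), the per-second counts and the thresholds are all constructed assumptions; a real deployment would feed it the firewall's actual log export.

```python
"""Rate and shape analysis of firewall drop logs for a single noisy source.

Added example, not from the thread or from Firebrick. It assumes a simple
constructed log format (NOT Firebrick's real syslog output):

    <epoch_seconds> DROP proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port> len=<bytes> flags=<S|...>

All addresses are RFC 5737 documentation ranges, not real hosts.
"""
from __future__ import annotations

import random
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) DROP proto=(?P<proto>\w+) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+) "
    r"len=(?P<len>\d+) flags=(?P<flags>\S+)$"
)

# Constructed per-second counts: 150 SYNs over 10 s, peak 24 in one second,
# average 15/s, i.e. the numbers quoted in the opening post.
SAMPLE_PER_SECOND = [12, 15, 24, 14, 15, 16, 13, 15, 11, 15]


def build_sample_log(seed: int = 1) -> str:
    """Construct log lines: one source sweeping random high ports on two
    addresses in the customer's block, plus a little unrelated noise."""
    rng = random.Random(seed)
    base = 1559406600  # arbitrary epoch in 2019-06-01
    lines = []
    for sec, n in enumerate(SAMPLE_PER_SECOND):
        for k in range(n):
            ts = base + sec + k / n
            dst = rng.choice(["198.51.100.2", "198.51.100.3"])
            lines.append(
                f"{ts:.3f} DROP proto=tcp src=192.0.2.10:{rng.randint(1024, 65535)} "
                f"dst={dst}:{rng.randint(1024, 65535)} len=40 flags=S"
            )
    # Unrelated background drop from another source, and a line the parser must skip.
    lines.append(f"{base + 3}.500 DROP proto=udp src=203.0.113.7:53 dst=198.51.100.2:53 len=76 flags=-")
    lines.append("malformed line that the parser must skip")
    return "\n".join(lines) + "\n"


@dataclass
class SourceStats:
    packets: int = 0
    bytes: int = 0
    syns: int = 0
    first_ts: float = float("inf")
    last_ts: float = float("-inf")
    per_second: dict = field(default_factory=lambda: defaultdict(int))
    dst_ports: set = field(default_factory=set)
    dst_ips: set = field(default_factory=set)

    @property
    def window_s(self) -> int:
        """Whole seconds spanned by the observations (at least 1)."""
        return int(self.last_ts) - int(self.first_ts) + 1

    @property
    def avg_pps(self) -> float:
        return self.packets / self.window_s

    @property
    def peak_pps(self) -> int:
        return max(self.per_second.values())

    def downstream_bps(self) -> float:
        """Bits per second the ISP delivered (and billed) before the drop."""
        return self.bytes * 8 / self.window_s

    def upstream_bps_if_rejected(self, rst_len: int = 40) -> float:
        """Extra upstream cost of a REJECT (one 40-byte RST per SYN) instead of
        a silent DROP, which sends nothing back."""
        return self.syns * rst_len * 8 / self.window_s


def parse_log(text: str) -> dict[str, SourceStats]:
    """Aggregate dropped packets per source address, skipping unparseable lines."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = float(m["ts"])
        s = stats[m["sip"]]
        s.packets += 1
        s.bytes += int(m["len"])
        if m["proto"] == "tcp" and m["flags"] == "S":
            s.syns += 1
        s.first_ts = min(s.first_ts, ts)
        s.last_ts = max(s.last_ts, ts)
        s.per_second[int(ts)] += 1
        s.dst_ports.add(int(m["dport"]))
        s.dst_ips.add(m["dip"])
    return dict(stats)


def classify(s: SourceStats, scan_ports: int = 50, flood_pps: float = 1000.0) -> str:
    """Crude triage: a flood is about rate, a scan is about breadth of ports."""
    if s.peak_pps >= flood_pps:
        return "flood"
    if len(s.dst_ports) >= scan_ports:
        return "port-scan"
    return "noise"


def nuisance_sources(text: str, min_pps: float = 5.0) -> dict[str, dict]:
    """Sources above min_pps average, with the figures an alarm would report."""
    report = {}
    for sip, s in parse_log(text).items():
        if s.avg_pps < min_pps:
            continue
        report[sip] = {
            "avg_pps": round(s.avg_pps, 2),
            "peak_pps": s.peak_pps,
            "window_s": s.window_s,
            "distinct_dst_ports": len(s.dst_ports),
            "distinct_dst_ips": len(s.dst_ips),
            "downstream_bps": round(s.downstream_bps()),
            "upstream_bps_if_rejected": round(s.upstream_bps_if_rejected()),
            "verdict": classify(s),
        }
    return report


if __name__ == "__main__":
    for sip, r in nuisance_sources(build_sample_log()).items():
        print(sip, r)
```

On the constructed sample the single source reports 15 packets/s average, a 24 packet/s peak, 4800 bps billed downstream, and a verdict of "port-scan" because it touches well over 50 distinct destination ports; the lone UDP drop from the second source stays below the alarm threshold. The "upstream_bps_if_rejected" figure is what the upstream side would carry if the firewall answered each SYN with a RST rather than dropping silently, which is why a drop rule is the cheaper choice on a metered link.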
Title: Re: Attack
Post by: Chrysalis on June 03, 2019, 02:34:08 PM
But surely that will cost more than traffic occasionally seen for a few kb/sec?
Title: Re: Attack
Post by: d2d4j on June 03, 2019, 02:42:48 PM

I could be wrong but I think you would still use your bandwidth usage no matter where the FB was placed, because AA would still transfer traffic to the FB the only difference would be you paying more for a service you do not need

Many thanks

Title: Re: Attack
Post by: Weaver on June 03, 2019, 11:54:04 PM
Quite so. Things would be different if the level of traffic got very bad so that bandwidth loss became a problem, or if we were talking about racking up a bill because of a 4G link being really hosed. All I'm thinking about right now is how best to keep an eye on a potential problem.

It would be nice if the recipient of the abuse email contact were to actually do something, seriously look into it.
Title: Re: Attack
Post by: CarlT on June 04, 2019, 02:20:18 AM
No chance. Your complaint probably went straight into a deleted items folder.
Title: Re: Attack
Post by: Weaver on June 04, 2019, 02:28:59 AM
Indeed so. There needs to be some pressure on operators of networks who are hosting abusers. AA had a user some while back who got hosed causing big problems for everyone concerned.
Title: Re: Attack
Post by: d2d4j on June 04, 2019, 08:11:31 AM

I think you're making an issue where one does not exist, sorry.

Your FB is doing its job and dropping (make sure you do not alter this too much, but you should be able to change the packets per second before drop kicks in; go careful you do not lower it too much or you will cause yourself issues).

You are also not showing any other attacks and there will be many

If an attacker should attempt a full ddos, I would expect AA to null the attack at their access level as they would be monitoring for ddos

The only reason your bandwidth usage would increase due to these attacks would be if you were running services open to the world from your connection (e.g. hosting or email servers etc., including DNS servers) or if one of your devices were infected and this was being used. In that instance, you would notice by a reduced throughput of Internet.

4g would be included above

Many thanks

Title: Re: Attack
Post by: Weaver on June 04, 2019, 10:18:16 PM
@d2d4j I completely agree with you. I agree no 'issue exists'. It merely made me think ahead and realise that I don't know what is going on.