Attack

Weaver:
I am getting ~15 TCP connect attempts per second coming from 77.247.108.71, to random destination addresses and random destination ports, not likely sensible ones. That source address isn’t changing. Peak I’ve seen so far was 24 packets in a second. I averaged it at 150 packets over ten seconds.

Here’s the whois for that address. Note the postal address!


--- Code: ---
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '77.247.108.0 - 77.247.108.255'

% Abuse contact for '77.247.108.0 - 77.247.108.255' is 'abuse@vitox.in'

inetnum:        77.247.108.0 - 77.247.108.255
netname:        VITOX-TLN-DE-01
descr:          VITOX TELECOM
country:        DE
geoloc:         49.452 11.0768
org:            ORG-VTX1-RIPE
admin-c:        VTX2-RIPE
tech-c:         VTX2-RIPE
status:         ASSIGNED PA
mnt-by:         VITOX-MNT
created:        2019-02-27T15:20:23Z
last-modified:  2019-03-14T05:17:44Z
source:         RIPE

organisation:   ORG-VTX1-RIPE
org-name:       VITOX TELECOM
org-type:       OTHER
address:        1, Mangu Panna, Village Jaunti, Delhi 110081 India and NETHERLANDS
address:        NETHERLANDS ICELAND ROMANIA EUROPE
geoloc:         52.6921234 6.1937187
abuse-c:        VTX2-RIPE
mnt-ref:        VITOX-MNT
mnt-by:         VITOX-MNT
created:        2019-02-27T13:42:38Z
last-modified:  2019-03-13T16:52:42Z
source:         RIPE # Filtered

role:           VITOX TELECOM NOC
address:        1, Mangu Panna, Village Jaunti, Delhi 110081 India
address:        Netherlands
abuse-mailbox:  abuse@vitox.in
nic-hdl:        VTX2-RIPE
mnt-by:         VITOX-MNT
created:        2019-02-27T13:41:10Z
last-modified:  2019-03-01T15:55:32Z
source:         RIPE # Filtered

% Information related to '77.247.108.0/24AS209299'

route:          77.247.108.0/24
descr:          VITOX TELECOM
origin:         AS209299
mnt-by:         VITOX-MNT
created:        2019-03-01T15:58:43Z
last-modified:  2019-03-13T17:00:40Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.94 (BLAARKOP)

--- End code ---

These packets are all silently dropped by my Firebrick firewall, but I have already been charged for the bytes and it has eaten a small amount of my bandwidth.

Any thoughts? This is, what, 4800 bps? (= 15 * 40 * 8 bits.) Do I need to do anything about it?

I have already talked briefly to AA about it. I also emailed the abuse contact listed and complained.

I am continuing to keep an eye on it. An hour or so later it was still going on.

I need some pest control. Some sort of spray.
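
The numbers Weaver worked out by hand (packets per second, the peak second, an average over a window, and the bits-per-second estimate from 15 * 40 * 8) are easy to pull straight from firewall drop logs. The script below is an added example, not part of the thread and not Firebrick tooling. The log lines are constructed: the field layout (timestamp, verdict, protocol, src:port -> dst:port) is an assumed generic syslog-like format, 203.0.113.0/24 stands in for the victim's range and 198.51.100.7 for an unrelated client. The 40-byte packet size is the same assumption Weaver made (a bare SYN with no options), so the bit-rate figure is a floor, not what the ISP meters on the wire.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of firewall drop records (not real Firebrick output).
# 77.247.108.71 is the scanner from the thread; 203.0.113.x is the assumed
# victim range and 198.51.100.7 an assumed legitimate client.
SAMPLE_LOG = """\
2019-06-01T17:00:00 DROP TCP 77.247.108.71:50231 -> 203.0.113.10:38721
2019-06-01T17:00:00 DROP TCP 77.247.108.71:50232 -> 203.0.113.11:4590
2019-06-01T17:00:00 DROP TCP 77.247.108.71:50233 -> 203.0.113.10:60011
2019-06-01T17:00:01 DROP TCP 77.247.108.71:50234 -> 203.0.113.12:1033
2019-06-01T17:00:01 DROP TCP 77.247.108.71:50235 -> 203.0.113.10:22
2019-06-01T17:00:02 DROP TCP 77.247.108.71:50236 -> 203.0.113.13:52140
2019-06-01T17:00:02 DROP TCP 77.247.108.71:50237 -> 203.0.113.10:7001
2019-06-01T17:00:02 DROP TCP 77.247.108.71:50238 -> 203.0.113.11:19999
2019-06-01T17:00:02 DROP TCP 77.247.108.71:50239 -> 203.0.113.14:443
2019-06-01T17:00:03 DROP TCP 198.51.100.7:41000 -> 203.0.113.10:22
some unrelated line that the parser must ignore
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class SourceStats:
    packets: int
    peak_pps: int
    peak_second: str
    avg_pps: float
    est_bps: float           # avg_pps * bytes per packet * 8, Weaver's arithmetic
    distinct_dsts: int
    distinct_dports: int
    looks_like_scan: bool


def triage(log_text, header_bytes=40, min_packets=5):
    """Group drop records by source and derive per-source rate figures.

    header_bytes=40 assumes a bare SYN (20-byte IPv4 + 20-byte TCP header, no
    options); real packets carry options and link-layer framing, so treat the
    bits-per-second figure as a lower bound.
    """
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a drop record, skip it
        per_src[m["src"]].append(
            (datetime.fromisoformat(m["ts"]), m["dst"], int(m["dport"]))
        )

    stats = {}
    for src, events in per_src.items():
        per_second = Counter(ts.replace(microsecond=0) for ts, _, _ in events)
        peak_ts, peak = max(per_second.items(), key=lambda kv: kv[1])
        first = min(ts for ts, _, _ in events)
        last = max(ts for ts, _, _ in events)
        span = (last - first).total_seconds() + 1   # inclusive window, seconds
        avg = len(events) / span
        pairs = {(dst, port) for _, dst, port in events}
        # Heuristic: enough packets, and no (dst, port) pair ever repeated, i.e.
        # the source never retried anything, which is what a sweep looks like.
        scan = len(events) >= min_packets and len(pairs) == len(events)
        stats[src] = SourceStats(
            packets=len(events),
            peak_pps=peak,
            peak_second=peak_ts.isoformat(),
            avg_pps=avg,
            est_bps=avg * header_bytes * 8,
            distinct_dsts=len({dst for _, dst, _ in events}),
            distinct_dports=len({port for _, _, port in events}),
            looks_like_scan=scan,
        )
    return stats


if __name__ == "__main__":
    for src, s in triage(SAMPLE_LOG).items():
        flag = "SCAN?" if s.looks_like_scan else "ok"
        print(f"{src:16} {s.packets:4d} pkts  peak {s.peak_pps} pps at {s.peak_second}  "
              f"avg {s.avg_pps:.1f} pps  ~{s.est_bps:.0f} bit/s  "
              f"{s.distinct_dsts} dsts / {s.distinct_dports} ports  {flag}")
```

On the constructed sample the scanner works out at 3 packets per second over its 3-second window, a peak of 4 in one second, 5 distinct destinations and 9 distinct ports with no repeats, so it is flagged; the single SSH attempt from the other host is not. Feed it a real ten-second slice and the avg_pps / est_bps fields reproduce the 150-over-ten-seconds and 4800 bps style of figure directly.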

burakkucat:
Vitox Telecom. Various end-points; pops; VPNs, etc.

The co-ordinates given map to the Netherlands.


--- Code: ---
[bcat ~]$ nmap -p0- 77.247.108.71

Starting Nmap 5.51 ( http://nmap.org ) at 2019-06-01 17:17 BST
Nmap scan report for 77.247.108.71
Host is up (0.082s latency).
Not shown: 65534 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
7547/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 94.59 seconds
[bcat ~]$

--- End code ---

Would A&A be able to drop all traffic from that IP address so that it does not reach you?
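
The whois output quoted above is RPSL: one object per paragraph, attribute-colon-value lines, repeated attributes (the two address: lines), server commentary on % lines, and inline comments such as "# Filtered" appended to a value. When you are filing abuse reports against several sources it is worth parsing that rather than eyeballing it, and the parser below also surfaces the point burakkucat raised: the inetnum and organisation objects carry two different geoloc values. This is an added example, not a RIPE tool; the embedded text is an abridged copy of the objects from Weaver's post (attributes dropped, values unchanged).

```python
import re

# Abridged copy of the RIPE objects quoted in the thread (values unchanged).
WHOIS_TEXT = """\
% This is the RIPE Database query service.
% Abuse contact for '77.247.108.0 - 77.247.108.255' is 'abuse@vitox.in'

inetnum:        77.247.108.0 - 77.247.108.255
netname:        VITOX-TLN-DE-01
country:        DE
geoloc:         49.452 11.0768
org:            ORG-VTX1-RIPE
source:         RIPE

organisation:   ORG-VTX1-RIPE
org-name:       VITOX TELECOM
address:        1, Mangu Panna, Village Jaunti, Delhi 110081 India and NETHERLANDS
address:        NETHERLANDS ICELAND ROMANIA EUROPE
geoloc:         52.6921234 6.1937187
abuse-c:        VTX2-RIPE
source:         RIPE # Filtered

role:           VITOX TELECOM NOC
abuse-mailbox:  abuse@vitox.in
nic-hdl:        VTX2-RIPE
source:         RIPE # Filtered

route:          77.247.108.0/24
origin:         AS209299
source:         RIPE
"""


def parse_rpsl(text):
    """Split whois output into objects, each a dict of attribute -> list of values.

    Rules applied: '%' lines are server commentary; a blank line ends an object;
    a line starting with whitespace or '+' continues the previous attribute;
    ' # ...' after a value is an inline comment (RIPE appends '# Filtered').
    Attributes such as 'address:' repeat, hence the list of values.
    """
    objects, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("%"):
            continue
        if not raw.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if raw[0] in " \t+" and last_key is not None:
            joined = current[last_key][-1] + " " + raw.lstrip(" \t+")
            current[last_key][-1] = joined.strip()
            continue
        key, _, value = raw.partition(":")
        value = re.sub(r"\s+#.*$", "", value).strip()   # drop inline comment
        key = key.strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        objects.append(current)
    return objects


def summarise(objects):
    """Pull out what an abuse report needs, resolving abuse-c to its mailbox.

    The first attribute of an object names its class (inetnum, organisation,
    role, route ...). If a query returns several objects of one class, the
    last one wins here; extend to lists if that matters for your use.
    """
    by_class = {next(iter(o)): o for o in objects}
    handles = {o["nic-hdl"][0]: o for o in objects if "nic-hdl" in o}
    inetnum = by_class.get("inetnum", {})
    org = by_class.get("organisation", {})
    abuse_c = org.get("abuse-c", [None])[0]
    contact = handles.get(abuse_c, {})
    geolocs = sorted({g for o in objects for g in o.get("geoloc", [])})
    return {
        "inetnum": inetnum.get("inetnum", [None])[0],
        "country": inetnum.get("country", [None])[0],
        "org_name": org.get("org-name", [None])[0],
        "org_addresses": org.get("address", []),
        "abuse_mailbox": contact.get("abuse-mailbox", [None])[0],
        "origin_asn": by_class.get("route", {}).get("origin", [None])[0],
        "geolocs": geolocs,   # more than one entry: the objects disagree on location
    }


if __name__ == "__main__":
    for k, v in summarise(parse_rpsl(WHOIS_TEXT)).items():
        print(f"{k:14} {v}")
```

Two caveats: the abuse-mailbox here is resolved through the organisation's abuse-c, which is what RIPE's own "Abuse contact for ..." banner does; and the "# comment" stripping only fires after whitespace, so an address such as "Suite #5" survives, but a value that genuinely contains " #" would be truncated.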

burakkucat:
It seems that IPv4 address is well-known for abuse.  >:(

Weaver:
They didn’t seem very keen. I suggested a black hole route that is on a /32, qualifying it with a condition && dest = me as well as on the source address. I said I will keep an eye on it and come back to them if it gets worse.

Good tip, I had forgotten about that useful website btw.

I took another look a few hours later and it doesn’t seem to be going anywhere.

niemand:
They aren't going to want to start messing with routes like that. That's not a normal route, that's a policy-based one, and no ISP wants those anywhere near their core or transport networks.

The major issue is that it's not really service affecting. It would be lost to pretty much everyone as background noise. If they were saturating your links and denying you service that would be different. A few kilobits per second is probably a scan. These happen constantly to all of us to one degree or another.

Just FYI a black hole route would be on your IP. Dropping traffic heading to you at their network edge. Sure you want them to do that for a few kilobits per second?

[Moderator edited to merge two successive posts into one.]
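
To make niemand's point concrete: a route, black hole or otherwise, is looked up on the destination address only, so a /32 black hole for the scanner's address affects nothing except packets going to the scanner, and a black hole for Weaver's own address drops the scan together with every legitimate packet. Matching on the source as well is a filter or policy rule, a separate stage in front of the forwarding lookup. The model below is an added example, not the thread's or any vendor's code: a minimal longest-prefix-match FIB plus an optional source-and-destination drop list. 203.0.113.10 is an assumed stand-in for Weaver's address and 198.51.100.7 for a legitimate remote host; 77.247.108.71 is the scanner from the thread.

```python
import ipaddress

SCANNER = "77.247.108.71"      # source address reported in the thread
VICTIM = "203.0.113.10"        # assumed stand-in for Weaver's address
CLIENT = "198.51.100.7"        # assumed stand-in for a legitimate remote host

# Assumed baseline routing table at the ISP: a default via transit and the
# customer prefix via the customer link.
BASE_ROUTES = [("0.0.0.0/0", "transit"), ("203.0.113.0/24", "customer-link")]


class Fib:
    """Destination-keyed forwarding table with longest-prefix match.

    A 'blackhole' next hop discards packets whose *destination* falls in the
    prefix; the source address never takes part in the lookup.
    """

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return "unreachable"
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(src, dst, fib, policy=()):
    """policy: (src_prefix, dst_prefix) pairs dropped before the FIB lookup.

    This is the source-qualified rule Weaver asked for; on a real router it is
    an ACL or policy-based routing entry, not a route, which is why an ISP
    treats it differently from a plain black hole.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sp, dp in policy:
        if s in ipaddress.ip_network(sp) and d in ipaddress.ip_network(dp):
            return "drop:policy"
    return fib.lookup(dst)


def scenario(extra_routes=(), policy=()):
    """Outcome for the scan, a legitimate inbound packet, and a reply to the scanner."""
    fib = Fib(BASE_ROUTES + list(extra_routes))
    return {
        "scan": forward(SCANNER, VICTIM, fib, policy),
        "legit": forward(CLIENT, VICTIM, fib, policy),
        "reply_to_scanner": forward(VICTIM, SCANNER, fib, policy),
    }


if __name__ == "__main__":
    print("no change:            ", scenario())
    print("blackhole scanner/32: ", scenario([(SCANNER + "/32", "blackhole")]))
    print("blackhole victim/32:  ", scenario([(VICTIM + "/32", "blackhole")]))
    print("src+dst policy drop:  ", scenario(policy=[(SCANNER + "/32", VICTIM + "/32")]))
```

Run it and the four rows show the trade-off: the scanner/32 black hole leaves the scan untouched (only the reply path dies), the victim/32 black hole stops the scan by cutting Weaver off entirely, and only the source-plus-destination policy entry drops the scan alone.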