I had this on just ONE of my servers last night

--------------------- iptables firewall Begin ------------------------

Logged 54220 packets on interface eth0
From 46.21.161.37 - 45 packets to tcp(22)
From 50.30.35.41 - 90 packets to tcp(22)
From 58.30.229.98 - 45 packets to tcp(22)
From 58.225.75.228 - 45 packets to tcp(22)
From 75.99.120.194 - 17978 packets to tcp(25)
From 78.60.146.192 - 45 packets to tcp(22)
From 93.115.175.105 - 17982 packets to tcp(25)
From 114.80.125.211 - 17685 packets to tcp(25)
From 115.238.101.39 - 45 packets to tcp(22)
From 188.241.179.171 - 45 packets to tcp(22)
From 202.136.60.142 - 45 packets to tcp(22)
From 202.171.42.162 - 34 packets to tcp(25)
From 203.114.114.181 - 1 packet to tcp(22)
From 210.15.239.58 - 90 packets to tcp(25)
From 222.73.219.164 - 45 packets to tcp(22)

---------------------- iptables firewall End -------------------------
At 11:57 PM 4/8/2013, you wrote:
>Some observations:
>
>Up until the recent flap over DNS attacks, I had observed that while the
>numbers of different bogus queries attempting to do amplification attacks
>were relatively small, and generally limited to a handful of 'target' IPs,
>and the same query was made continuously with the same source IPs for
>hours or days, clearly a focused attack at those targets.
>
>That's all changed around the beginning of the year. Now, it's a
>monstrously huge number of source IPs from all over the map. By
>contrast, most of these queries are not being attempted more than a
>handful of times, then the source IP changes every few minutes, and
>apparently 'cycles' through a slowly repeating list.
>
>Also, the queries, which often had varying domains such as isc.org, most
>named ones are now for "deniedstresser.com". The vast majority are now
>just 'ANY'.
>
>Just a quick grep of source IPs doing 'ANY' attempts over the last 24
>hours shows 1157 *different* IPs hitting just one DNS server here. Of
>course the total number of query *attempts* is way higher than that.
>
>The IPs are often not just commercial sites, but even DSL or cable
>addresses of apparent home users. So it appears now, the goal may not be
>just a single target machine, but rather an attempt to just flood and degrade
>entire networks.
>
>I'm curious about what others are seeing.
>
>=^_^= Tigerwolf
>_______________________________________________
>Blueonyx mailing list
>Blueonyx@mail.blueonyx.it
>http://mail.blueonyx.it/mailman/listinfo/blueonyx
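The "quick grep of source IPs doing 'ANY' attempts" described in the quoted message, written out as an added example that is not from the list or from either poster: it counts distinct sources per ANY-queried name and lists ANY queries for names outside the zones the server actually serves, which are the ones a non-recursive authoritative server should be refusing. It assumes a BIND9-style query-log line format, constructed sample lines, and that the server is authoritative only for example.com.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND9 query-log style (an assumed format; not from the post).
SAMPLE_LOG = """\
08-Apr-2013 23:50:01.101 client 198.51.100.7#40001: query: deniedstresser.com IN ANY +E (203.0.113.5)
08-Apr-2013 23:50:02.204 client 198.51.100.7#40002: query: deniedstresser.com IN ANY +E (203.0.113.5)
08-Apr-2013 23:51:10.330 client 192.0.2.44#53022: query: deniedstresser.com IN ANY +E (203.0.113.5)
08-Apr-2013 23:52:15.002 client 192.0.2.45#53022: query: isc.org IN ANY +E (203.0.113.5)
08-Apr-2013 23:53:00.910 client 203.0.113.200#61000: query: www.example.com IN A - (203.0.113.5)
08-Apr-2013 23:55:41.777 client 192.0.2.46#53022: query: deniedstresser.com IN ANY +E (203.0.113.5)
"""

# Zones this server is authoritative for (assumed); anything else should be REFUSED, not answered.
AUTHORITATIVE_ZONES = {"example.com"}

LINE_RE = re.compile(r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_queries(log_text):
    """Yield (source_ip, qname, qtype) for each parsable query-log line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").lower().rstrip("."), m.group("qtype").upper()

def any_query_summary(log_text):
    """Per name asked with ANY: (number of distinct source IPs, total attempts)."""
    sources, attempts = defaultdict(set), defaultdict(int)
    for src, qname, qtype in parse_queries(log_text):
        if qtype == "ANY":
            sources[qname].add(src)
            attempts[qname] += 1
    return {q: (len(sources[q]), attempts[q]) for q in sources}

def distinct_any_sources(log_text):
    """The 'quick grep' from the post: how many different IPs sent ANY queries at all."""
    return len({src for src, _, qtype in parse_queries(log_text) if qtype == "ANY"})

def in_authoritative_zone(qname, zones=AUTHORITATIVE_ZONES):
    return any(qname == z or qname.endswith("." + z) for z in zones)

def off_zone_any_queries(log_text, zones=AUTHORITATIVE_ZONES):
    """ANY queries for names outside our zones. If these are answered, the server is acting
    as an open resolver for the attacker's amplification and recursion must be restricted."""
    return [(src, qname) for src, qname, qtype in parse_queries(log_text)
            if qtype == "ANY" and not in_authoritative_zone(qname, zones)]

if __name__ == "__main__":
    for qname, (n_src, n_att) in sorted(any_query_summary(SAMPLE_LOG).items()):
        print(f"{qname}: {n_src} distinct sources, {n_att} attempts")
    print("distinct ANY sources:", distinct_any_sources(SAMPLE_LOG))
    print("off-zone ANY queries:", len(off_zone_any_queries(SAMPLE_LOG)))
```

Run it against a real query log with the zone set changed to the zones you host; a non-empty off-zone list means recursion is reachable from the Internet and should be limited to your own clients.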