Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-04-11 Thread Owen DeLong

> On Apr 11, 2016, at 12:12 , William Herrin  wrote:
> 
> On Mon, Apr 11, 2016 at 2:18 PM, Owen DeLong  wrote:
>> On Apr 7, 2016, at 07:41 , William Herrin  wrote:
>> On Thu, Mar 31, 2016 at 5:36 AM, Bacon Zombie  wrote:
>> 
>> I would ignore the portscans since there is nothing wrong with portscanning
>> the Internet.
>> 
>> You might want to check with your lawyer on that. If you
>> _intentionally_ port-scan a computer located in Virginia without the
>> owner's permission (and do nothing else, just port-scan it) it's a
>> class 3 misdemeanor under 18.2-152.1, et seq. That's up to a $500 fine
>> for each computer you scan. By comparison, shoplifting is a class 1
>> misdemeanor while possession of a schedule V narcotic is another class
>> 3.
>> 
>> I think you’re on shaky ground here.
>> 
>> 18.2-152.3 reads:
> 
> That's computer fraud. You want § 18.2-152.4, computer trespass.

I worked forward (et seq.) from where you started… However…

18.2-152.4. Computer trespass; penalty.

A. It shall be unlawful for any person, with malicious intent, to:

1. Temporarily or permanently remove, halt, or otherwise disable any
computer data, computer programs or computer software from a computer or
computer network;

2. Cause a computer to malfunction, regardless of how long the
malfunction persists;

3. Alter, disable, or erase any computer data, computer programs or
computer software;

4. Effect the creation or alteration of a financial instrument or of
an electronic transfer of funds;

5. Use a computer or computer network to cause physical injury to the property
of another; or

6. Use a computer or computer network to make or cause to be made
an unauthorized copy, in any form, including, but not limited to, any printed
or electronic form of computer data, computer programs or computer
software residing in, communicated by, or produced by a computer or computer
network.

7. [Repealed.]

B. Any person who violates this section shall be guilty of computer
trespass, which offense shall be punishable as a Class 1 misdemeanor. If there
is damage to the property of another valued at $1,000 or more caused by
such person's act in violation of this section, the offense shall be punishable
as a Class 6 felony.

C. Nothing in this section shall be construed to interfere with or
prohibit terms or conditions in a contract or license related to computers,
computer data, computer networks, computer operations, computer programs,
computer services, or computer software or to create any liability by reason of
terms or conditions adopted by, or technical measures implemented by,
a Virginia-based electronic mail service provider to prevent the transmission of
unsolicited electronic mail in violation of this article. Nothing in
this section shall be construed to prohibit the monitoring of computer usage
of, the otherwise lawful copying of data of, or the denial of computer
or Internet access to a minor by a parent or legal guardian of the minor.

Doesn’t really seem to fit the bill, either.

First, I think you have a hard time proving “malicious intent” from just a port 
scan without other activity.

However, even if you do, it’s hard to imagine how a port scan would meet any of 
the 6 tests stated.

Care to try again?

Owen




Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-04-11 Thread William Herrin
On Mon, Apr 11, 2016 at 2:18 PM, Owen DeLong  wrote:
> On Apr 7, 2016, at 07:41 , William Herrin  wrote:
> On Thu, Mar 31, 2016 at 5:36 AM, Bacon Zombie  wrote:
>
> I would ignore the portscans since there is nothing wrong with portscanning
> the Internet.
>
> You might want to check with your lawyer on that. If you
> _intentionally_ port-scan a computer located in Virginia without the
> owner's permission (and do nothing else, just port-scan it) it's a
> class 3 misdemeanor under 18.2-152.1, et seq. That's up to a $500 fine
> for each computer you scan. By comparison, shoplifting is a class 1
> misdemeanor while possession of a schedule V narcotic is another class
> 3.
>
> I think you’re on shaky ground here.
>
> 18.2-152.3 reads:

That's computer fraud. You want § 18.2-152.4, computer trespass.

-Bill



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-04-11 Thread Jared Mauch

> On Apr 11, 2016, at 2:18 PM, Owen DeLong  wrote:
> 
> I could be wrong, IANAL, but I’d be surprised if a mere portscan would 
> actually be treated as a violation for the reasons cited above.
> 
>> Not that I've ever heard of someone being fined but you're definitely
>> in to "something wrong" territory.
> 
> I don’t think you’ve made your case for “definite” so far. I agree you might 
> be at risk from an overzealous prosecutor and an activist judge that hates 
> hackers for some reason, but short of that, I think you’re unlikely to run 
> afoul of this statute just on a port scan.
> 

My experience in talking to the DoJ in the US is this is not going to elicit
any sort of a response.

I will say that the number of people who “set up a tool” to watch for activity 
then claim things like a DNS packet or backscatter from DDoS represent a log-on 
attempt generates the most amusing email to read.

- Jared

Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-04-11 Thread Owen DeLong

> On Apr 7, 2016, at 07:41 , William Herrin  wrote:
> 
> On Thu, Mar 31, 2016 at 5:36 AM, Bacon Zombie  wrote:
>> I would ignore the portscans since there is nothing wrong with portscanning
>> the Internet.
> 
> You might want to check with your lawyer on that. If you
> _intentionally_ port-scan a computer located in Virginia without the
> owner's permission (and do nothing else, just port-scan it) it's a
> class 3 misdemeanor under 18.2-152.1, et seq. That's up to a $500 fine
> for each computer you scan. By comparison, shoplifting is a class 1
> misdemeanor while possession of a schedule V narcotic is another class
> 3.

I think you’re on shaky ground here.

18.2-152.3 reads:

Any person who uses a computer or computer network, without authority and:
1. Obtains property or services by false pretenses;
2. Embezzles or commits larceny; or
3. Converts the property of another;
is guilty of the crime of computer fraud.
If the value of the property or services obtained is $200 or more, the crime of 
computer fraud shall be punishable as a Class 5 felony. Where the value of the 
property or services obtained is less than $200, the crime of computer fraud 
shall be punishable as a Class 1 misdemeanor.

The requirements here are to meet at least one of the 3 tests listed.

I think it’s rather hard to claim that a portscan by itself “obtained property 
or services by false pretenses”.
I think it’s even harder to claim that it constitutes “embezzling” or “larceny”.
I also think you’d have a tough time arguing that eliciting a response packet 
to one or more packets actually constitutes conversion of property.

So I don’t see how you’d make much of a case for a port-scan being a violation 
of 18.2-152.1 et seq.

I think the argument, rather easily, could be made that a port-scan is the 
internet equivalent of a door-knock. By itself, it doesn’t constitute unlawful 
entry. Now, a persistent door-knock might constitute some form of harassment 
and frequent or continuous port-scans could be argued to be a form of denial of 
service (which would constitute conversion), but the odd port-scan is unlikely 
to meet the tests under the law you cited.

> A key word here is "intentionally." Poking at it by mistake (e.g. you
> thought it was a different computer which you had the authority to
> scan) is not a crime. Nor, most likely, is less aggressive behavior
> which would not ordinarily be part of gaining unauthorized access,
> such as pinging or tracerouting.

I could be wrong, IANAL, but I’d be surprised if a mere portscan would actually 
be treated as a violation for the reasons cited above.

> Not that I've ever heard of someone being fined but you're definitely
> in to "something wrong" territory.

I don’t think you’ve made your case for “definite” so far. I agree you might be 
at risk from an overzealous prosecutor and an activist judge that hates hackers 
for some reason, but short of that, I think you’re unlikely to run afoul of 
this statute just on a port scan.


Owen




Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-04-07 Thread William Herrin
On Thu, Mar 31, 2016 at 5:36 AM, Bacon Zombie  wrote:
> I would ignore the portscans since there is nothing wrong with portscanning
> the Internet.

You might want to check with your lawyer on that. If you
_intentionally_ port-scan a computer located in Virginia without the
owner's permission (and do nothing else, just port-scan it) it's a
class 3 misdemeanor under 18.2-152.1, et seq. That's up to a $500 fine
for each computer you scan. By comparison, shoplifting is a class 1
misdemeanor while possession of a schedule V narcotic is another class
3.

A key word here is "intentionally." Poking at it by mistake (e.g. you
thought it was a different computer which you had the authority to
scan) is not a crime. Nor, most likely, is less aggressive behavior
which would not ordinarily be part of gaining unauthorized access,
such as pinging or tracerouting.

Not that I've ever heard of someone being fined but you're definitely
in to "something wrong" territory.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-04-07 Thread Bacon Zombie
They should always just use Shodan.

https://www.shodan.io/explore

On 4 April 2016 at 05:54, Brandon Vincent  wrote:
> On Thu, Mar 31, 2016 at 4:41 AM, DV  wrote:
>> I have noticed this and especially the strange format of the packets with a
>> SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr
>>
>> This may be $whoever trying to establish network performance/congestion via
>> ECN or it could be something else like a fast scan technique or OS
>> fingerprinting
>
> It's OS fingerprinting. Targeted attacks are far more productive. If
> I'm trying to get into an organization, I'd much rather be interested
> in Juniper ScreenOS than someone's personal *nix machine.
>
> Brandon Vincent



-- 


BaconZombie

55:55:44:44:4C:52:4C:52:42:41

LOAD "*",8,1


Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-04-07 Thread Brandon Vincent
On Thu, Mar 31, 2016 at 4:41 AM, DV  wrote:
> I have noticed this and especially the strange format of the packets with a
> SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr
>
> This may be $whoever trying to establish network performance/congestion via
> ECN or it could be something else like a fast scan technique or OS
> fingerprinting

It's OS fingerprinting. Targeted attacks are far more productive. If
I'm trying to get into an organization, I'd much rather be interested
in Juniper ScreenOS than someone's personal *nix machine.

Brandon Vincent


Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-04-03 Thread cyrus ramirez via NANOG
You could use Shields Up to view your vulnerabilities... obvious ones, and 
remedy... Cyrus Ramirez

On Thursday, March 31, 2016 10:21 AM, "valdis.kletni...@vt.edu" wrote:

> On Thu, 31 Mar 2016 10:02:05 +0200, "marcel.duregards--- via NANOG" said:
> 
>> We consider port scan and brute force on ssh port as an attack, and even
> 
> So explain to me why you don't have ACLs that silently drop inbound SYN
> packets on port 22 from outside your allocated address space?  (And if
> you can't do it at your border because you sub-allocate address space
> to customers, figure out how to use iptables or similar to block it on
> the target hosts, or only apply the ACL for your own subnets).
> 
> If you have a *legitimate* business case for needing to SSH in from outside,
> there are fine products such as OpenVPN (and not-so-fine like the one we
> have in production - although it's mostly usable too, and achieves the goal
> of presenting you as being inside our corporate address space)
> 
> Also, move your SSH service to some port other than 22, and consider
> putting 'Password Authentication no/PubKeyAuthentication yes' in your
> sshd_config.
> 
> I admit never understanding why people run their systems in a low-hanging
> fruit configuration, and then are surprised that miscreants go looking for
> low hanging fruit.
> 
> (For the record, our border routers drop inbound SYN on port 22 on *both*
> ipv4 and ipv6 address spaces.  It's amazing how few brute force
> attempts we see on our servers... :)





Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-04-03 Thread Davide Davini
On 31/03/2016 10:02, marcel.duregards--- via NANOG wrote:
> We are facing a lot of port scan and brute force attack on port 22 (but
> not limited to)

Maybe not super useful in your case but talking about SSH the sysadmin
solution would be to disable password login and use just keys.

Also, as someone else said, fail2ban... because it's a lot of fun. :)

Ciao,
Davide




Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-04-03 Thread DV
I have noticed this and especially the strange format of the packets with a
SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr

This may be $whoever trying to establish network performance/congestion via
ECN or it could be something else like a fast scan technique or OS
fingerprinting


On Thu, Mar 31, 2016 at 5:50 AM, marcel.duregards--- via NANOG <
nanog@nanog.org> wrote:

> I can not blame them to not answer to all of the thousands emails
> destined to their abuse mailbox. And the goal of my email was not to
> call them on public forum, but rather to know how others ops deal with
> it, and also if MS (and competitors) have automatic detection of such
> 'illegal' traffic, and if not why ?
>
>
>
>
>
> On 31.03.2016 10:18, Todd Crane wrote:
> > Oh and,
> >
> > I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not
> to mention unprofessional, to publicly call them out on such a public forum
> without giving them an opportunity to correct it first.
> >
> >> On Mar 31, 2016, at 1:15 AM, Todd Crane  wrote:
> >>
> >> Marcel
> >>
> >> Depending on what is on those machines, I would just recommend using
> fail2ban. The default is that if an ip address fails ssh auth 3 times in 5
> minutes, their ip gets blocked via iptables for 5 minutes. This is enough
> to thwart most scripted attacks, especially those from a certain government
> in Asia. This is configurable to various applications, timing schemes, and
> blocking/jailing mechanisms.
> >>
> >> -Todd
> >>> On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <
> nanog@nanog.org> wrote:
> >>>
> >>> Dear Nanog'er,
> >>>
> >>> We are facing a lot of port scan and brute force attack on port 22 (but
> >>> not limited to) from Microsoft AS 8075 range toward our own infra, or
> >>> toward our customers.
> >>> We have sent email to ab...@microsoft.com, but no answer.
> >>>
> >>> source ip are:
> >>> NetRange:   40.74.0.0 - 40.125.127.255
> >>> CIDR:   40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
> >>> 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
> >>> NetName:MSFT
> >>>
> >>>
> >>>
> >>> We consider port scan and brute force on ssh port as an attack, and
> even
> >>> as a pre-DDOS phase (could be use to install botnet, detect unpatched
> >>> host, and so one).
> >>>
> >>> It's one thing to propose services and make money over an infra, it's
> an
> >>> other thing to take care that you clients do not use this infra to make
> >>> illegal stuffs.
> >>>
> >>>
> >>> How do you deal with such massive amount of 'illegal' traffic ?
> >>>
> >>> Thank,
> >>> Best Regards
> >>> Marcel
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> He are some examples (we have more than 3000 such packets per day just
> >>> from them, probably Azure), and source ip is always differents of
> course:
> >>>
> >>>
> >>> Flow Filtering Expression
> >>> src AS 8075 and dst port 22 and packets=1
> >>> Limit Flows
> >>> 4
> >>> Sorting
> >>> By Date
> >>>
>
> >>
> >
>


Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-03-31 Thread alvin nanog

hi nanog'ers

On 03/31/16 at 10:20am, valdis.kletni...@vt.edu wrote:
> On Thu, 31 Mar 2016 10:02:05 +0200, "marcel.duregards--- via NANOG" said:
> 
> > We consider port scan and brute force on ssh port as an attack, and even
 
...
> (For the record, our border routers drop inbound SYN on port 22 on *both*
> ipv4 and ipv6 address spaces.  It's amazing how few brute force
> attempts we see on our servers... :)

i think the best way, ( imho ) to discourage random incoming ssh connections
or anything else ( tcp-based ) is to run tarpit on ALL tcp based ports ... 
one obviously would allow incoming 25/tcp traffic to mail servers
and incoming 80/tcp to web servers, etc etc, but otherwise, all
other incoming tcp ports gets unconditionally tarpit'd

we used to get hundreds of thousands of garbage tcp connections per minute
which basically disappeared after running tarpits as needed

and the attackers ( port scanners ) pay a penalty for sending useless
packets to tarpit'd ports

fail2ban/etc is okay but it's too limited since i want to deny all tcp
connections and specifically only allow certain incoming traffic which is
trivial to implement with iptables + tarpits

/dev/null incoming packets is okay but it still occupied time/space/buffers
in the pipe and the attackers didn't feel any pain for sending the packets

doing ddos mitigation for your own IP# space is fairly easy to create
various policies ... doing the ddos mitigation for your customers down
the line using your routers can be tricky business and very messy if
either the customer nor isp doesn't change something ( aka more $$$ )

magic pixie dust
alvin
DDoS-Mitigator.net



Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-03-31 Thread Valdis . Kletnieks
On Thu, 31 Mar 2016 10:02:05 +0200, "marcel.duregards--- via NANOG" said:

> We consider port scan and brute force on ssh port as an attack, and even

So explain to me why you don't have ACLs that silently drop inbound SYN
packets on port 22 from outside your allocated address space?  (And if
you can't do it at your border because you sub-allocate address space
to customers, figure out how to use iptables or similar to block it on
the target hosts, or only apply the ACL for your own subnets).

If you have a *legitimate* business case for needing to SSH in from outside,
there are fine products such as OpenVPN (and not-so-fine like the one we
have in production - although it's mostly usable too, and achieves the goal
of presenting you as being inside our corporate address space)

Also, move your SSH service to some port other than 22, and consider
putting 'Password Authentication no/PubKeyAuthentication yes' in your
sshd_config.

I admit never understanding why people run their systems in a low-hanging
fruit configuration, and then are surprised that miscreants go looking for
low hanging fruit.

(For the record, our border routers drop inbound SYN on port 22 on *both*
ipv4 and ipv6 address spaces.  It's amazing how few brute force
attempts we see on our servers... :)



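
An added check for the sshd_config settings Valdis recommends, written for this page rather than taken from it. The keyword names are the real ones (`PasswordAuthentication`, `PubkeyAuthentication`, `Port`), and the parser applies sshd's rule that the first value given for a keyword wins, so a hardening line appended below an earlier `PasswordAuthentication yes` is reported as ineffective; both config fragments are constructed.

```python
import re

# Constructed sshd_config fragments (not from the thread).
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
# hardening appended later by someone who did not know that sshd keeps
# the first value it sees for a keyword, so the next line is dead:
PasswordAuthentication no
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
"""

# Keywords that legitimately accumulate (sshd listens on every Port given).
MULTI_VALUED = {"port", "listenaddress", "hostkey"}


def parse_sshd_config(text):
    """Return (effective, shadowed). Keywords are case-insensitive and, per
    sshd_config(5), the first value obtained for a keyword is the one used.
    Lines after a Match block are conditional, so parsing stops there."""
    effective = {}
    shadowed = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^([A-Za-z][A-Za-z0-9]*)\s*=?\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        if key in MULTI_VALUED:
            effective.setdefault(key, []).append(value)
        elif key in effective:
            shadowed.append((lineno, key, value))  # later duplicate: ignored
        else:
            effective[key] = value
    return effective, shadowed


def audit(text):
    """List the 'low-hanging fruit' settings the thread warns about.
    Unset keywords are evaluated at sshd's defaults (port 22, password
    authentication on, public-key authentication on)."""
    effective, shadowed = parse_sshd_config(text)
    findings = []
    if "22" in effective.get("port", ["22"]):
        findings.append("sshd listens on port 22 (default); move it elsewhere")
    if effective.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication is yes (default); set it to no")
    if effective.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    for lineno, key, value in shadowed:
        findings.append(f"line {lineno}: '{key} {value}' is ignored, an earlier "
                        f"line already set {key}={effective[key]}")
    return findings
```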

Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-03-31 Thread Joe Klein
Use IPv6, bind a second address to the device. Enable on a random port, on
this new address. Remove ssh from the other IP address.

Joe Klein
"Inveniam viam aut faciam"

PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

On Thu, Mar 31, 2016 at 4:06 AM, Robert Kisteleki  wrote:

>
> > How do you deal with such massive amount of 'illegal' traffic ?
>
> Move SSH to a different port. Better yet, use IPv6 only :-)
>
> Robert
>


Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-03-31 Thread marcel.duregards--- via NANOG
I can not blame them to not answer to all of the thousands emails
destined to their abuse mailbox. And the goal of my email was not to
call them on public forum, but rather to know how others ops deal with
it, and also if MS (and competitors) have automatic detection of such
'illegal' traffic, and if not why ?





On 31.03.2016 10:18, Todd Crane wrote:
> Oh and,
> 
> I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not to 
> mention unprofessional, to publicly call them out on such a public forum 
> without giving them an opportunity to correct it first.
> 
>> On Mar 31, 2016, at 1:15 AM, Todd Crane  wrote:
>>
>> Marcel
>>
>> Depending on what is on those machines, I would just recommend using 
>> fail2ban. The default is that if an ip address fails ssh auth 3 times in 5 
>> minutes, their ip gets blocked via iptables for 5 minutes. This is enough to 
>> thwart most scripted attacks, especially those from a certain government in 
>> Asia. This is configurable to various applications, timing schemes, and 
>> blocking/jailing mechanisms.
>>
>> -Todd
>>> On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG 
>>>  wrote:
>>>
>>> Dear Nanog'er,
>>>
>>> We are facing a lot of port scan and brute force attack on port 22 (but
>>> not limited to) from Microsoft AS 8075 range toward our own infra, or
>>> toward our customers.
>>> We have sent email to ab...@microsoft.com, but no answer.
>>>
>>> source ip are:
>>> NetRange:   40.74.0.0 - 40.125.127.255
>>> CIDR:   40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
>>> 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
>>> NetName:MSFT
>>>
>>>
>>>
>>> We consider port scan and brute force on ssh port as an attack, and even
>>> as a pre-DDOS phase (could be use to install botnet, detect unpatched
>>> host, and so one).
>>>
>>> It's one thing to propose services and make money over an infra, it's an
>>> other thing to take care that you clients do not use this infra to make
>>> illegal stuffs.
>>>
>>>
>>> How do you deal with such massive amount of 'illegal' traffic ?
>>>
>>> Thank,
>>> Best Regards
>>> Marcel
>>>
>>>
>>>
>>>
>>>
>>> He are some examples (we have more than 3000 such packets per day just
>>> from them, probably Azure), and source ip is always differents of course:
>>>
>>>
>>> Flow Filtering Expression
>>> src AS 8075 and dst port 22 and packets=1
>>> Limit Flows
>>> 4
>>> Sorting
>>> By Date
>>>

>>
> 


Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-03-31 Thread Bacon Zombie
I would ignore the portscans since there is nothing wrong with portscanning
the Internet.

Install fail2ban {don't forgot to whitelist your management static IPs}.

You may want to increase the default bantime and findtime {how far back to
search logs}.

On 31 Mar 2016 11:06, "Todd Crane"  wrote:

> I must have missed that… my bad.
>
>
> > On Mar 31, 2016, at 2:01 AM, Dan Hollis  wrote:
> >
> > It's right there in his email:
> >
> > "We have sent email to ab...@microsoft.com, but no answer."
> >
> > -Dan
> >
> > On Thu, 31 Mar 2016, Todd Crane wrote:
> >
> >> Oh and,
> >>
> >> I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool,
> not to mention unprofessional, to publicly call them out on such a public
> forum without giving them an opportunity to correct it first.
> >>
> >>> On Mar 31, 2016, at 1:15 AM, Todd Crane  wrote:
> >>>
> >>> Marcel
> >>>
> >>> Depending on what is on those machines, I would just recommend using
> fail2ban. The default is that if an ip address fails ssh auth 3 times in 5
> minutes, their ip gets blocked via iptables for 5 minutes. This is enough
> to thwart most scripted attacks, especially those from a certain government
> in Asia. This is configurable to various applications, timing schemes, and
> blocking/jailing mechanisms.
> >>>
> >>> -Todd
>  On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <
> nanog@nanog.org> wrote:
> 
>  Dear Nanog'er,
> 
>  We are facing a lot of port scan and brute force attack on port 22
> (but
>  not limited to) from Microsoft AS 8075 range toward our own infra, or
>  toward our customers.
>  We have sent email to ab...@microsoft.com, but no answer.
> 
>  source ip are:
>  NetRange:   40.74.0.0 - 40.125.127.255
>  CIDR:   40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
>  40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12,
> 40.120.0.0/14
>  NetName:MSFT
> 
> 
> 
>  We consider port scan and brute force on ssh port as an attack, and
> even
>  as a pre-DDOS phase (could be use to install botnet, detect unpatched
>  host, and so one).
> 
>  It's one thing to propose services and make money over an infra, it's
> an
>  other thing to take care that you clients do not use this infra to
> make
>  illegal stuffs.
> 
> 
>  How do you deal with such massive amount of 'illegal' traffic ?
> 
>  Thank,
>  Best Regards
>  Marcel
> 
> 
> 
> 
> 
>  He are some examples (we have more than 3000 such packets per day just
>  from them, probably Azure), and source ip is always differents of
> course:
> 
> 
>  Flow Filtering Expression
>  src AS 8075 and dst port 22 and packets=1
>  Limit Flows
>  4
>  Sorting
>  By Date
> 
>  Date_first_seen  Duration Proto _IP_Addr:Port
>  Dst_IP_Addr:Port   Flags Packets
>  2016-02-29 14:55:20.108 0.000 6104.45.210.69:1160  ->
>  x.x.231:22..  1
>  2016-02-29 14:55:20.611 0.000 6104.45.210.69:1161  ->
>  x.x.231:22..  1
>  2016-02-29 14:56:41.004 0.000 6 40.76.55.204:1090  ->
>  x.x..14:22..  1
>  2016-02-29 14:56:41.324 0.000 6 40.76.55.204:1091  ->
>  x.x..14:22..  1
>  2016-02-29 15:00:05.670 0.000 6 40.76.55.204:1088  ->
>  x.x.125:22..  1
>  2016-02-29 15:00:06.003 0.000 6 40.76.55.204:1089  ->
>  x.x.125:22..  1
>  2016-02-29 15:01:17.358 0.000 6  40.76.70.58:1168  ->
>  x.x..80:22..  1
>  2016-02-29 15:01:17.676 0.000 6  40.76.70.58:1169  ->
>  x.x..80:22..  1
>  2016-02-29 15:02:42.637 0.000 6 40.76.55.204:1176  ->
>  x.x.193:22..  1
>  2016-02-29 15:02:42.878 0.000 6 40.76.55.204:1177  ->
>  x.x.193:22..  1
>  2016-02-29 15:02:48.067 0.000 6104.45.210.69:1160  ->
>  x.x.173:22..  1
>  2016-02-29 15:02:48.394 0.000 6104.45.210.69:1161  ->
>  x.x.173:22..  1
>  2016-02-29 15:03:18.854 0.000 640.121.53.153:1041  ->
>  x.x..88:22..  1
>  2016-02-29 15:03:19.172 0.000 640.121.53.153:1042  ->
>  x.x..88:22..  1
>  2016-02-29 15:06:36.248 0.000 6 40.76.55.204:1056  ->
>  x.x..45:22..  1
>  2016-02-29 15:07:31.882 0.000 6  40.76.80.17:44895 ->
>  x.x..75:22..  1
>  2016-02-29 15:07:32.245 0.000 6  40.76.80.17:44896 ->
>  x.x..75:22..  1
>  2016-02-29 15:09:08.433 0.000 6  40.76.70.58:1168  ->
>  x.x..31:22..  1
>  2016-02-29 15:09:08.744 0.000 6  40.76.70.58:1169  ->
>  x.x..31:22..  1
> 
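
An added model of the jail Todd and Bacon Zombie describe, not fail2ban's own code: three failed sshd password attempts from one address within findtime (5 minutes) ban it for bantime (5 minutes), addresses in ignoreip are never banned, and it returns the ban/unban decisions it would hand to iptables instead of executing them. The auth-log lines are constructed, and the regex for sshd's `Failed password` message is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed auth-log excerpt (syslog format, no year); not the thread's data.
SAMPLE_AUTH_LOG = """\
Mar 31 01:02:10 host1 sshd[1001]: Failed password for root from 203.0.113.5 port 41000 ssh2
Mar 31 01:02:12 host1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 41001 ssh2
Mar 31 01:02:15 host1 sshd[1001]: Failed password for invalid user test from 203.0.113.5 port 41002 ssh2
Mar 31 01:02:16 host1 sshd[1002]: Failed password for root from 203.0.113.5 port 41003 ssh2
Mar 31 01:03:00 host1 sshd[1003]: Failed password for ops from 192.0.2.20 port 5000 ssh2
Mar 31 01:03:05 host1 sshd[1003]: Failed password for ops from 192.0.2.20 port 5001 ssh2
Mar 31 01:03:10 host1 sshd[1003]: Failed password for ops from 192.0.2.20 port 5002 ssh2
Mar 31 01:03:30 host1 sshd[1004]: Accepted publickey for ops from 192.0.2.20 port 5003 ssh2
Mar 31 01:04:00 host1 sshd[1005]: Failed password for invalid user pi from 198.51.100.77 port 6000 ssh2
Mar 31 01:10:00 host1 sshd[1006]: Failed password for invalid user pi from 198.51.100.77 port 6001 ssh2
Mar 31 01:12:00 host1 sshd[1007]: Failed password for invalid user pi from 198.51.100.77 port 6002 ssh2
"""

# sshd's "Failed password" line; the exact wording varies across versions
# (fail2ban ships several patterns), so this regex is an assumption.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)


class Jail:
    """Sliding-window failure counter with the fail2ban knobs named in the
    thread: maxretry, findtime, bantime, ignoreip."""

    def __init__(self, maxretry=3, findtime=timedelta(minutes=5),
                 bantime=timedelta(minutes=5), ignoreip=()):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.ignore = [ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps inside findtime
        self.banned = {}                    # ip -> time the ban expires
        self.actions = []                   # (ts, "ban"|"unban", ip)

    def _ignored(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.ignore)

    def _expire(self, now):
        # Real fail2ban unbans on a timer; here expiry is checked on each event.
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append((now, "unban", ip))

    def observe(self, ts, ip):
        """Record one failure; return True if it triggered a ban."""
        self._expire(ts)
        if self._ignored(ip) or ip in self.banned:
            return False  # whitelisted, or iptables already drops this source
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            self.actions.append((ts, "ban", ip))
            window.clear()
            return True
        return False

    def feed(self, log_text, year=2016):
        """Replay log lines in order (syslog stamps carry no year)."""
        for line in log_text.splitlines():
            m = FAILED_RE.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                self.observe(ts, m["ip"])
        return self.actions


def run_sample(findtime_minutes=5, ignoreip=("192.0.2.0/24",)):
    """Replay the sample log through a jail and return (action, ip) pairs."""
    jail = Jail(findtime=timedelta(minutes=findtime_minutes), ignoreip=ignoreip)
    return [(action, ip) for _, action, ip in jail.feed(SAMPLE_AUTH_LOG)]
```

With the defaults only 203.0.113.5 is banned; the slow attempts from 198.51.100.77 (6 minutes apart) escape a 5-minute findtime but not a 10-minute one, which is the adjustment Bacon Zombie suggests, and the whitelisted management address is never banned however many times it fails.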

Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-03-31 Thread Todd Crane
I must have missed that… my bad.


> On Mar 31, 2016, at 2:01 AM, Dan Hollis  wrote:
> 
> It's right there in his email:
> 
> "We have sent email to ab...@microsoft.com, but no answer."
> 
> -Dan
> 
> On Thu, 31 Mar 2016, Todd Crane wrote:
> 
>> Oh and,
>> 
>> I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not to 
>> mention unprofessional, to publicly call them out on such a public forum 
>> without giving them an opportunity to correct it first.
>> 
>>> On Mar 31, 2016, at 1:15 AM, Todd Crane  wrote:
>>> 
>>> Marcel
>>> 
>>> Depending on what is on those machines, I would just recommend using 
>>> fail2ban. The default is that if an ip address fails ssh auth 3 times in 5 
>>> minutes, their ip gets blocked via iptables for 5 minutes. This is enough 
>>> to thwart most scripted attacks, especially those from a certain government 
>>> in Asia. This is configurable to various applications, timing schemes, and 
>>> blocking/jailing mechanisms.
>>> 
>>> -Todd
 On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG 
  wrote:
 
 Dear Nanog'er,
 
 We are facing a lot of port scan and brute force attack on port 22 (but
 not limited to) from Microsoft AS 8075 range toward our own infra, or
 toward our customers.
 We have sent email to ab...@microsoft.com, but no answer.
 
 source ip are:
 NetRange:   40.74.0.0 - 40.125.127.255
 CIDR:   40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
 NetName:MSFT
 
 
 
 We consider port scan and brute force on ssh port as an attack, and even
 as a pre-DDOS phase (could be use to install botnet, detect unpatched
 host, and so one).
 
 It's one thing to propose services and make money over an infra, it's an
 other thing to take care that you clients do not use this infra to make
 illegal stuffs.
 
 
 How do you deal with such massive amount of 'illegal' traffic ?
 
 Thank,
 Best Regards
 Marcel
 
 
 
 
 
 He are some examples (we have more than 3000 such packets per day just
 from them, probably Azure), and source ip is always differents of course:
 
 
 Flow Filtering Expression
 src AS 8075 and dst port 22 and packets=1
 Limit Flows
 4
 Sorting
 By Date
 
 Date_first_seen  Duration Proto _IP_Addr:Port
 Dst_IP_Addr:Port   Flags Packets
 2016-02-29 14:55:20.108 0.000 6104.45.210.69:1160  ->
 x.x.231:22..  1
 2016-02-29 14:55:20.611 0.000 6104.45.210.69:1161  ->
 x.x.231:22..  1
 2016-02-29 14:56:41.004 0.000 6 40.76.55.204:1090  ->
 x.x..14:22..  1
 2016-02-29 14:56:41.324 0.000 6 40.76.55.204:1091  ->
 x.x..14:22..  1
 2016-02-29 15:00:05.670 0.000 6 40.76.55.204:1088  ->
 x.x.125:22..  1
 2016-02-29 15:00:06.003 0.000 6 40.76.55.204:1089  ->
 x.x.125:22..  1
 2016-02-29 15:01:17.358 0.000 6  40.76.70.58:1168  ->
 x.x..80:22..  1
 2016-02-29 15:01:17.676 0.000 6  40.76.70.58:1169  ->
 x.x..80:22..  1
 2016-02-29 15:02:42.637 0.000 6 40.76.55.204:1176  ->
 x.x.193:22..  1
 2016-02-29 15:02:42.878 0.000 6 40.76.55.204:1177  ->
 x.x.193:22..  1
 2016-02-29 15:02:48.067 0.000 6104.45.210.69:1160  ->
 x.x.173:22..  1
 2016-02-29 15:02:48.394 0.000 6104.45.210.69:1161  ->
 x.x.173:22..  1
 2016-02-29 15:03:18.854 0.000 640.121.53.153:1041  ->
 x.x..88:22..  1
 2016-02-29 15:03:19.172 0.000 640.121.53.153:1042  ->
 x.x..88:22..  1
 2016-02-29 15:06:36.248 0.000 6 40.76.55.204:1056  ->
 x.x..45:22..  1
 2016-02-29 15:07:31.882 0.000 6  40.76.80.17:44895 ->
 x.x..75:22..  1
 2016-02-29 15:07:32.245 0.000 6  40.76.80.17:44896 ->
 x.x..75:22..  1
 2016-02-29 15:09:08.433 0.000 6  40.76.70.58:1168  ->
 x.x..31:22..  1
 2016-02-29 15:09:08.744 0.000 6  40.76.70.58:1169  ->
 x.x..31:22..  1
 2016-02-29 15:11:45.668 0.000 6  40.76.80.17:47993 ->
 x.x.157:22..  1
 2016-02-29 15:11:45.987 0.000 6  40.76.80.17:47994 ->
 x.x.157:22..  1
 2016-02-29 15:12:09.543 0.000 6  40.76.70.58:1168  ->
 x.x..24:22..  1
 2016-02-29 15:12:09.925 0.000 6  40.76.70.58:1169  ->
 x.x..24:22..  1
 2016-02-29 15:17:05.920 0.000 6  40.76.70.58:1168  ->
 x.x.243:22..  1
 

Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-03-31 Thread Todd Crane
Oh and,

I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not to 
mention unprofessional, to publicly call them out on such a public forum 
without giving them an opportunity to correct it first.

> On Mar 31, 2016, at 1:15 AM, Todd Crane  wrote:
> 
> Marcel
> 
> Depending on what is on those machines, I would just recommend using 
> fail2ban. The default is that if an ip address fails ssh auth 3 times in 5 
> minutes, their ip gets blocked via iptables for 5 minutes. This is enough to 
> thwart most scripted attacks, especially those from a certain government in 
> Asia. This is configurable to various applications, timing schemes, and 
> blocking/jailing mechanisms.
> 
> -Todd

Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-03-31 Thread Todd Crane
Marcel

Depending on what is on those machines, I would just recommend using fail2ban. 
The default is that if an ip address fails ssh auth 3 times in 5 minutes, their 
ip gets blocked via iptables for 5 minutes. This is enough to thwart most 
scripted attacks, especially those from a certain government in Asia. This is 
configurable to various applications, timing schemes, and blocking/jailing 
mechanisms.

-Todd
> On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG  
> wrote:
> 
> Dear Nanog'er,
> 
> We are facing a lot of port scans and brute force attacks on port 22 (but
> not limited to it) from the Microsoft AS 8075 range toward our own infra, or
> toward our customers.
> We have sent email to ab...@microsoft.com, but got no answer.
> 
> Source IPs are:
> NetRange:   40.74.0.0 - 40.125.127.255
> CIDR:   40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
> 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
> NetName:MSFT
> 
> 
> 
> We consider port scans and brute force on the SSH port as an attack, and even
> as a pre-DDoS phase (they could be used to install botnets, detect unpatched
> hosts, and so on).
> 
> It's one thing to offer services and make money over an infra; it's another
> thing to take care that your clients do not use this infra to do illegal
> stuff.
> 
> 
> How do you deal with such a massive amount of 'illegal' traffic?
> 
> Thanks,
> Best Regards
> Marcel
> 
> 
> 
> 
> 
> Here are some examples (we have more than 3000 such packets per day just
> from them, probably Azure), and the source IP is always different of course:
> 
> 
> Flow Filtering Expression
>  src AS 8075 and dst port 22 and packets=1
> Limit Flows
>  4
> Sorting
>  By Date
> 
> Date_first_seen  Duration Proto Src_IP_Addr:Port
> Dst_IP_Addr:Port   Flags Packets
> 2016-02-29 14:55:20.108 0.000 6104.45.210.69:1160  ->
> x.x.231:22..  1
> 2016-02-29 14:55:20.611 0.000 6104.45.210.69:1161  ->
> x.x.231:22..  1
> 2016-02-29 14:56:41.004 0.000 6 40.76.55.204:1090  ->
> x.x..14:22..  1
> 2016-02-29 14:56:41.324 0.000 6 40.76.55.204:1091  ->
> x.x..14:22..  1
> 2016-02-29 15:00:05.670 0.000 6 40.76.55.204:1088  ->
> x.x.125:22..  1
> 2016-02-29 15:00:06.003 0.000 6 40.76.55.204:1089  ->
> x.x.125:22..  1
> 2016-02-29 15:01:17.358 0.000 6  40.76.70.58:1168  ->
> x.x..80:22..  1
> 2016-02-29 15:01:17.676 0.000 6  40.76.70.58:1169  ->
> x.x..80:22..  1
> 2016-02-29 15:02:42.637 0.000 6 40.76.55.204:1176  ->
> x.x.193:22..  1
> 2016-02-29 15:02:42.878 0.000 6 40.76.55.204:1177  ->
> x.x.193:22..  1
> 2016-02-29 15:02:48.067 0.000 6104.45.210.69:1160  ->
> x.x.173:22..  1
> 2016-02-29 15:02:48.394 0.000 6104.45.210.69:1161  ->
> x.x.173:22..  1
> 2016-02-29 15:03:18.854 0.000 640.121.53.153:1041  ->
> x.x..88:22..  1
> 2016-02-29 15:03:19.172 0.000 640.121.53.153:1042  ->
> x.x..88:22..  1
> 2016-02-29 15:06:36.248 0.000 6 40.76.55.204:1056  ->
> x.x..45:22..  1
> 2016-02-29 15:07:31.882 0.000 6  40.76.80.17:44895 ->
> x.x..75:22..  1
> 2016-02-29 15:07:32.245 0.000 6  40.76.80.17:44896 ->
> x.x..75:22..  1
> 2016-02-29 15:09:08.433 0.000 6  40.76.70.58:1168  ->
> x.x..31:22..  1
> 2016-02-29 15:09:08.744 0.000 6  40.76.70.58:1169  ->
> x.x..31:22..  1
> 2016-02-29 15:11:45.668 0.000 6  40.76.80.17:47993 ->
> x.x.157:22..  1
> 2016-02-29 15:11:45.987 0.000 6  40.76.80.17:47994 ->
> x.x.157:22..  1
> 2016-02-29 15:12:09.543 0.000 6  40.76.70.58:1168  ->
> x.x..24:22..  1
> 2016-02-29 15:12:09.925 0.000 6  40.76.70.58:1169  ->
> x.x..24:22..  1
> 2016-02-29 15:17:05.920 0.000 6  40.76.70.58:1168  ->
> x.x.243:22..  1
> 2016-02-29 15:17:06.241 0.000 6  40.76.70.58:1169  ->
> x.x.243:22..  1
> 2016-02-29 15:19:21.364 0.000 640.83.121.211:62936 ->
> x.x..81:22..  1
> 2016-02-29 15:19:21.704 0.000 640.83.121.211:62937 ->
> x.x..81:22..  1
> 2016-02-29 15:19:45.891 0.000 6  40.76.70.58:1168  ->
> x.x..39:22..  1
> 2016-02-29 15:19:46.273 0.000 6  40.76.70.58:1169  ->
> x.x..39:22..  1
> 2016-02-29 15:21:52.030 0.000 6  40.76.70.58:1168  ->
> x.x.120:22..  1
> 2016-02-29 15:21:52.349 0.000 6  40.76.70.58:1169  ->
> x.x.120:22..  1
> 2016-02-29 15:24:07.614 0.000 6 40.76.55.204:1048  ->
> x.x.237:22..  1
> 2016-02-29 15:24:07.933 0.000 6 40.76.55.204:1128  ->
> x.x.237:22..  1
> 2016-02-29 15:27:31.289 0.000 640.121.53.153:1041  ->
> 
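A way to turn Marcel's flow filter (dst port 22, packets=1) and Todd's fail2ban defaults (3 hits in 5 minutes, 5 minute ban) into a small detector, as an added example that is not code from this thread or from fail2ban itself. The flow lines are constructed in a one-line nfdump-style layout; the source addresses follow the thread, 192.0.2.0/24 and 198.51.100.7 are placeholder hosts.

```python
# Added example (not code from the thread): parse nfdump-style flow lines like the
# ones Marcel posted, keep single-packet flows to port 22, then apply a fail2ban-like
# sliding window per source (3 hits in 5 minutes -> 5 minute ban). Sample is constructed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_FLOWS = """\
2016-02-29 15:01:17.358 0.000 6 40.76.70.58:1168 -> 192.0.2.80:22 ....S. 1
2016-02-29 15:01:17.676 0.000 6 40.76.70.58:1169 -> 192.0.2.80:22 ....S. 1
2016-02-29 15:03:05.100 1.250 6 198.51.100.7:50210 -> 192.0.2.10:22 .AP.SF 42
2016-02-29 15:09:08.433 0.000 6 40.76.70.58:1168 -> 192.0.2.31:22 ....S. 1
2016-02-29 15:12:09.543 0.000 6 40.76.70.58:1168 -> 192.0.2.24:22 ....S. 1
2016-02-29 15:12:09.925 0.000 6 40.76.70.58:1169 -> 192.0.2.24:22 ....S. 1
"""
FLOW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+[\d.]+\s+(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+[\d.]+:(?P<dport>\d+)\s+\S+\s+(?P<pkts>\d+)$")

def parse_flows(text):
    """Yield (timestamp, src_ip, dst_port, packets) for each parsable line."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                   m["src"], int(m["dport"]), int(m["pkts"]))

def probe_events(text, port=22):
    """Marcel's filter: flows to the SSH port carrying exactly one packet."""
    return [(ts, src) for ts, src, dport, pkts in parse_flows(text)
            if dport == port and pkts == 1]

def fail2ban_like(events, maxretry=3, findtime=timedelta(minutes=5),
                  bantime=timedelta(minutes=5)):
    """Per-source sliding window; returns {src: time of first ban}. Hits seen
    while a source is already banned are not counted (as the firewall drops them)."""
    window, banned_until, bans = defaultdict(deque), {}, {}
    for ts, src in sorted(events):
        if ts < banned_until.get(src, ts):   # still banned: skip
            continue
        q = window[src]
        q.append(ts)
        while ts - q[0] > findtime:          # drop hits older than the window
            q.popleft()
        if len(q) >= maxretry:
            bans.setdefault(src, ts)
            banned_until[src] = ts + bantime
            q.clear()
    return bans

if __name__ == "__main__":
    for src, when in fail2ban_like(probe_events(SAMPLE_FLOWS)).items():
        print(src, when)  # 40.76.70.58 2016-02-29 15:12:09.925000
```

The 42-packet flow is dropped by the packets=1 filter as a completed session, and the two probes at 15:01 fall out of the 5 minute window before the third hit, so the ban only triggers on the fourth and fifth probes at 15:12.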

Re: how to deal with port scan and brute force attack from AS 8075 ?

2016-03-31 Thread Robert Kisteleki

> How do you deal with such massive amount of 'illegal' traffic ?

Move SSH to a different port. Better yet, use IPv6 only :-)

Robert