Pesky flys buzzing around your head..


  • LAYER 8 Global Moderator

    When you have those nats just buzzing around your head bugging you...

    buggers.jpg

    Your blocked dipshits.. Stop banging your head against the freaking wall ;) Every few seconds.. Random port scans ok, but these idiots just keep banging away.. About ready to just stop logging them - but curious how long they go at it.. They keep hitting port 443.. Not even probing - just 443 every few seconds.



  • Ive got both those addresses in the 185.89.239.x range blocked on my WAN rules for about a week now..


  • LAYER 8 Global Moderator

    They hitting you as well? How often?

    Wow lots of reports
    https://www.dshield.org/ipinfo.html?ip=185.89.239.149

    like 2.5 million just from that 1.



  • I had a UPS failure yesterday so the logged events are about 22 hours old right now. But you can see they have tried to hit even after being blocked since last week. If I catch someone doing this type of crap I generally throw a rule up real quick. Some do eventually go silent and Ill remove them down the road.

    Nats.jpg



  • Generally if we see someone like mr 13.35.180.79 or 52.128.227.x doing this for to long they get added. Just a hit every few minutes would not get our attention.

    nats2.jpg

    I can look at the server logs to see what they are up to.


  • LAYER 8

    Immagine.jpg

    i have that 185.137 and that chinese 240e:f7 hitting me for months


  • LAYER 8 Moderator

    Funny, we are being hit by an italian IP block 185.90.116.0/22 (random addresses from .116, .117 and .118 subnets) going wild on all our external IPs only really trying 80/443/22. For days that goes on and on...



  • Im getting a bunch from them as well even though they are now blocked. Compared my 1 day to my 4 day WAN rules.. I added your /22 block moments after my first post here a few days ago and they are still trying.

    nats6.jpg

    nats4.jpg

    The 185.89.239.x addresses seem to have backed off me.


  • LAYER 8

    it seems that @JeGr send that trouble to me
    I returned home and found that i had my state table completely full because of 185.90.116.0 and 117


  • LAYER 8 Global Moderator

    Yeah I got almost 100K hits yesterday between 443 and 8080.. 443 is what I had open so that could of put a hurt on my states... But 8080 has always just been dropped..

    The only good thing come from this is it had my fire up syslog again for my firewall logs ;) So I could get some easy to access history..

    Just honestly like to know what the hell they think they are doing.. Its got to be some serious amount of traffic they are pushing..


  • Netgate Administrator

    Probably pushing it from some compromised devices they aren't paying bandwidth for.


  • LAYER 8 Global Moderator

    But what is the end game in such traffic? Clearly its not any sort of ddos - it pretty freaking lame for that.. What is the point of just banging your head.. At best its some sort of low level state exhaustion attempt..

    What it amounts to is log spam..



  • The only time I start getting hit that hard is when I have server ports open.. Are you saying you do not?

    I go over to my server logs and see all kinds of different styles of attacks happening.

    Email log in attempts are a favorite by these guys... 5 a second for days on end sometimes.


  • LAYER 8

    anyway they are aware ...
    you can try to use google translate on this
    https://www.italiasera.it/eurobet-it-inaccessibile-i-nostri-sistemi-non-sono-al-momento-disponibili-si-teme-attacco-hacker/
    hacker are asking for 80.000 $ of bitcoin


  • LAYER 8 Global Moderator

    Well so far today the flys are gone - and it back to more normal noise level

    flysgone.jpg

    Yesterday was just banging head against 53.. atleast the 443 had stopped

    53tcp.jpg

    40k - and that wasn't even all day, syslog was off for a couple of hours.. And doesn't count the UDP noise (which I don't log - I might start logging common udp ports like 53, etc.) - I checked there was lots of udp hits to 53 as well.. All asking for roots. So prob atleast double that 40k number. Most of the time the udp was just all over the board and only few.. It was just cluttering up interesting info..

    The only good thing from this - triggered my interest in running a syslog to keep track of hits over time.. Should prob fire up an elkstack again.. But running that on VMs is difficult currently since takes a bit of horse power.. And don't really have any hardware that can support currently without putting real hit on everything else the box is doing..

    What would be slick, is something low requirement enough to just run on a pi.. And provide the eye candy dashboards you can get with elkstack (kibana).. Might have to look to see what kind of dashboard can setup for firewall hits, dest ports and such with Grafana setup.. Most of seen of those setups is more geared towards cpu, memory, io stats via graphs over time.. Vs details of the firewall hits by source IP, dest port, passed allowed, etc.


  • LAYER 8

    if you come up with something pls share as i have a spare pi myself, it would be a nice addon


  • LAYER 8 Global Moderator

    Yeah for sure... You be up for a low requirement vm as well? What would be extra slick is a just a vm image anyone could just fire up and make very min changes to and be up and running.



  • 52.192.154.0/24 multiple addresses from this range hitting my email server after hours tonight. Every port we have open.

    Time for the fly swatter.



  • In the last 24 hours I've seen that whole subnet plus every single IP in:
    52.192.157.0/24
    112.175.120.0/24
    112.175.124.0/24

    I'm only seeing these on port 25, as that's all that's open. Found a way to identify the packets, though. They now fall into a fail2ban trap and are blocked at pfSense.

    EDIT: And last week it was the whole of 185.40.12.0/24, 185.40.13.0/24, 185.40.14.0/24 and 185.40.15.0/24.

    185.40.12.0/22?


Log in to reply