
Re: yet another IP blocklist (mine!)

From Supratim Sanyal <supratim@riseup.invalid>
Newsgroups comp.os.linux.security
Subject Re: yet another IP blocklist (mine!)
Date 2016-10-28 18:02 -0400
Organization A noiseless patient Spider
Message-ID <MPG.327d9502ab733f6f989682@reader80.eternal-september.org>
References <MPG.325c46579c9d147e989681@reader80.eternal-september.org> <slrnnv84fd.9g.ibuprofin@planck.phx.az.us> <MPG.327c65692bdf48dc989683@news.eternal-september.org> <slrno17fn7.raa.ibuprofin@planck.phx.az.us>


In article <slrno17fn7.raa.ibuprofin@planck.phx.az.us>, 
ibuprofin@painkiller.example.tld.invalid says...
> 
> On Thu, 27 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in article
> <MPG.327c65692bdf48dc989683@news.eternal-september.org>, Supratim Sanyal wrote:
> 
> >ibuprofin@painkiller.example.tld.invalid says...
> 
> >> Supratim Sanyal wrote:
> 
> >>> Hi - I am maintaining a brute-force attack source IP blocklist
> 
> >> Idle curiosity -  Why?
> 
> >Ummm - got myself a cheapo VPS, have to use it for something
> 
> Officially retired earlier this year, but I've been in the business
> since the 1980s.  While I'm still doing a bit of part-time consulting,
> networking is of less interest now.  I haven't had a publicly visible
> service since about 1997 (website on a home ISDN connection).
> 
> >and revived a fortune-cowsay daemon I wrote in school ... put it on
> >the telnet port - doubles as a honey pot for telnet spam ... no good
> >reason really ... :)
> 
> Mentioned, I don't even bother to log connection attempts, much less
> respond to them.  (My upstream doesn't seem to respond with ICMP type
> 3 code 1 if the customer's modem/router is turned off, so there is no
> difference between that and a customer's firewall with a DROP rule.)
> Occasionally, I may turn on logging for a day, just to get a feel for
> what's happening, but nothing really scientific.  I have seen a
> substantial increase (10:1) in attempts to connect to 23/tcp since
> about mid-May, but they act more like 'bots (single SYN packet, rather
> than up to 3 from a conventional network stack if there was no
> response to the first).  Last weekend, I saw a flurry of hits (Hmmm...
> why is the network activity light blinking so much on the WAN side?
> Lessee, "/usr/sbin/tcpdump -ni eth1 -s 512 -w /tmp/dump") on 23/tcp,
> but they looked more like a DDOS attack (up to 6 hits per minute with
> obviously faked source IPs) than an actual connection attempt.  That
> went on for several hours Saturday and Sunday during the day before
> dropping back to the (current) normal of about 1 per minute.  For
> every ten hits on 23/tcp, there is also one to 2323/tcp, usually from
> one of the same sources with an otherwise identical TCP header.  In
> July and August, I was also seeing frequent hits (about 1 per minute)
> to 53413/udp (attempt to exploit a Chinese chip-set in a home router),
> but that seems to have died down lately.  Hits on 22/tcp have been
> relatively low for over a year (average about 1.5 attempts per hour).
> 
>         Old guy

iptables + ipset with public blocklists has kept port 22 spam under control 
for my internet-facing servers for over a decade now (your experience is 
far longer than mine) - but these blocklists are missing a vast number of 
port 23 bots. I think my list is the only one which documents port 23 
spam - I have done numerous spot checks and find IPs in my list are 
unique. Yes, of course I send them on to blocklist.de too. Thanks for 
pinging my host and discovering the unusual ICMP response.

It is interesting that my fortune/cowsay daemon spits out a quote as soon 
as someone connects and enters anything, including just Enter; but I see 
actual humans trying "test test" maybe once a month. As you said, I also 
see a pure DOS attempt maybe twice a day from numerous IPs in the same 
subnet (usually 20x.x.x.x/16), with idiotic password-guessing bots going 
in circles - about three to five of them - all the time.

Whatever little contribution it may be, I am hoping folks who use the 
blocklist.de list for perimeter defense may see a wee bit of benefit.

Other ideas on interesting uses for VPSs welcome. I am working on 
putting a 2nd SIMH VAX online running OpenVMS 7.3.
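
The iptables + ipset setup mentioned above, as an added example that is not 
part of the original post and is not blocklist.de's own tooling: a POSIX sh 
script that filters a one-address-per-line blocklist down to valid IPv4 
entries, writes `ipset restore` input that fills a scratch set and swaps it 
in atomically, and prints the iptables rules that consult the set. The set 
name `bruteforce`, the script file name and the blocklist.de download URL 
are assumptions; the sample list is constructed from RFC 5737 documentation 
ranges, not real attacker addresses.

```shell
#!/bin/sh
# Added example, not code from the original post and not blocklist.de's own
# tooling.  It shows the iptables + ipset pattern the post relies on:
#   1. filter a one-address-per-line blocklist down to valid IPv4 entries,
#   2. turn it into `ipset restore` input that fills a scratch set and swaps it
#      in atomically, so the live set is never empty or half-loaded mid-refresh,
#   3. print the iptables rules that drop new connections from the set.
# The set name "bruteforce" and the download URL below are assumptions.

# Keep only syntactically valid IPv4 addresses / CIDR networks from stdin:
# strip CR, drop comments and blank lines, reject octets > 255 and prefix
# lengths > 32, and de-duplicate.
filter_ipv4() {
    tr -d '\r' | awk -F'[./]' '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            ok = 1
            for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
            if (NF == 5 && $5 > 32) ok = 0
            if (ok) print
        }' | sort -u
}

# Emit `ipset restore` input for set $1 from the blocklist on stdin.
# Entries go into $1-tmp, which is then swapped with $1.  Load it with:
#   ipset restore -exist < file
gen_ipset_restore() {
    set_name="$1"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 131072\n' "$set_name"
    printf 'create %s-tmp hash:net family inet hashsize 4096 maxelem 131072\n' "$set_name"
    printf 'flush %s-tmp\n' "$set_name"
    filter_ipv4 | while read -r net; do
        printf 'add %s-tmp %s\n' "$set_name" "$net"
    done
    printf 'swap %s-tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s-tmp\n' "$set_name"
}

# Print iptables-restore rules for the filter table's INPUT chain: a
# rate-limited LOG so the log stays readable under a flood, then DROP.
# Matching only NEW connections keeps established sessions out of the lookup.
gen_iptables_rules() {
    set_name="$1"
    printf '%s\n' "-A INPUT -m conntrack --ctstate NEW -m set --match-set $set_name src -m limit --limit 6/min -j LOG --log-prefix \"blocklist: \""
    printf '%s\n' "-A INPUT -m conntrack --ctstate NEW -m set --match-set $set_name src -j DROP"
}

# Constructed sample list (RFC 5737 documentation ranges, not real attackers),
# standing in for a download such as
#   curl -fsS https://lists.blocklist.de/lists/all.txt > /tmp/blocklist.txt
# (URL assumed; check blocklist.de for the current export).  It deliberately
# contains a comment, a duplicate, a blank line, a bad octet and a bad prefix.
SAMPLE_LIST='# brute-force sources
203.0.113.5
198.51.100.0/24
203.0.113.5
999.1.1.1
192.0.2.77/33

192.0.2.9
'

# Usage:  sh blocklist2ipset.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s' "$SAMPLE_LIST" | gen_ipset_restore bruteforce
    gen_iptables_rules bruteforce
fi
```

On a real host the refresh runs from cron: pipe the downloaded list through 
`gen_ipset_restore bruteforce | ipset restore -exist`, and insert the two 
rules once (iptables-restore, or `iptables -I INPUT ...`) so they sit ahead 
of the ACCEPT rules for 22/tcp and 23/tcp. Because the new entries land in 
the scratch set first, a download that fails halfway leaves the previous 
set in force rather than an empty one, which is the failure mode a naive 
`ipset flush` followed by `ipset add` in a loop would produce.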
