
Re: yet another IP blocklist (mine!)

From Moe Trin <ibuprofin@painkiller.example.tld.invalid>
Newsgroups comp.os.linux.security
Subject Re: yet another IP blocklist (mine!)
Date 2016-10-28 21:10 +0000
Organization BOFH Coffee House and Shooting Gallery
Message-ID <slrno17fn7.raa.ibuprofin@planck.phx.az.us> (permalink)
References <MPG.325c46579c9d147e989681@reader80.eternal-september.org> <slrnnv84fd.9g.ibuprofin@planck.phx.az.us> <MPG.327c65692bdf48dc989683@news.eternal-september.org>



On Thu, 27 Oct 2016, in the Usenet newsgroup comp.os.linux.security, in article
<MPG.327c65692bdf48dc989683@news.eternal-september.org>, Supratim Sanyal wrote:

>ibuprofin@painkiller.example.tld.invalid says...

>> Supratim Sanyal wrote:

>>> Hi - I am maintaining a brute-force attack source IP blocklist

>> Idle curiosity -  Why?

>Ummm - got myself a cheapo VPS, have to use it for something

Officially retired earlier this year, but I've been in the business
since the 1980s.  While I'm still doing a bit of part-time consulting,
networking is of less interest now.  I haven't had a publicly visible
service since about 1997 (website on a home ISDN connection).

>and revived a fortune-cowsay daemon I wrote in school ... put it on
>the telnet port - doubles as a honey pot for telnet spam ... no good
>reason really ... :)

As mentioned, I don't even bother to log connection attempts, much less
respond to them.  (My upstream doesn't seem to respond with ICMP type
3 code 1 if the customer's modem/router is turned off, so there is no
difference between that and a customer's firewall with a DROP rule.)
Occasionally, I may turn on logging for a day, just to get a feel for
what's happening, but nothing really scientific.  I have seen a
substantial increase (10:1) in attempts to connect to 23/tcp since
about mid-May, but they act more like 'bots (single SYN packet, rather
than up to 3 from a conventional network stack if there was no
response to the first).  Last weekend, I saw a flurry of hits (Hmmm...
why is the network activity light blinking so much on the WAN side?
Lessee, "/usr/sbin/tcpdump -ni eth1 -s 512 -w /tmp/dump") on 23/tcp,
but they looked more like a DDoS attack (up to 6 hits per minute with
obviously faked source IPs) than an actual connection attempt.  That
went on for several hours Saturday and Sunday during the day before
dropping back to the (current) normal of about 1 per minute.  For
every ten hits on 23/tcp, there is also one to 2323/tcp, usually from
one of the same sources with an otherwise identical TCP header.  In
July and August, I was also seeing frequent hits (about 1 per minute)
to 53413/udp (attempt to exploit a Chinese chip-set in a home router),
but that seems to have died down lately.  Hits on 22/tcp have been
relatively low for over a year (average about 1.5 attempts per hour).

        Old guy
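The post above sorts inbound hits by hand: single-SYN probes (bot-like) versus the two or three retransmitted SYNs a conventional stack sends when the first gets no answer, "obviously faked" source addresses, and the 23/tcp plus 2323/tcp pairs from one source with an otherwise identical TCP header. The script below is an added example that automates that triage over the one-line summaries `tcpdump -n` prints; it is not code from the original post or its author. The log lines are constructed, the addresses are RFC 5737 documentation ranges standing in for public hosts, and the input format assumed is the plain `tcpdump -n` TCP/UDP summary line (no `-v`, so no TTL). The "martian" list is a deliberately minimal choice for the example, not a complete bogon feed.

```python
"""Triage inbound connection attempts from `tcpdump -n` text output.

Added example, not code from the original post.  Assumes the one-line
summary format `tcpdump -n` prints for TCP and UDP packets.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of what `tcpdump -ni eth1` might print on the WAN side.
# 198.51.100.9 stands in for the monitored host's WAN address.  The first three
# lines are one real stack retrying its SYN at 1s/2s/4s; the rest are one-shot.
SAMPLE_LINES = """\
21:10:01.000100 IP 203.0.113.5.45678 > 198.51.100.9.23: Flags [S], seq 1000, win 14600, options [mss 1460], length 0
21:10:02.000100 IP 203.0.113.5.45678 > 198.51.100.9.23: Flags [S], seq 1000, win 14600, options [mss 1460], length 0
21:10:04.000100 IP 203.0.113.5.45678 > 198.51.100.9.23: Flags [S], seq 1000, win 14600, options [mss 1460], length 0
21:10:05.200000 IP 203.0.113.77.6000 > 198.51.100.9.23: Flags [S], seq 2000, win 5840, length 0
21:10:05.300000 IP 203.0.113.77.6001 > 198.51.100.9.2323: Flags [S], seq 2001, win 5840, length 0
21:10:06.000000 IP 10.1.2.3.4444 > 198.51.100.9.23: Flags [S], seq 3000, win 5840, length 0
21:10:06.100000 IP 0.0.0.0.4444 > 198.51.100.9.23: Flags [S], seq 3001, win 5840, length 0
21:10:07.000000 IP 203.0.113.200.1337 > 198.51.100.9.53413: UDP, length 10
21:10:08.000000 IP 203.0.113.9.50000 > 198.51.100.9.22: Flags [S], seq 4000, win 29200, length 0
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
SEQ_RE = re.compile(r"\bseq (\d+)")
WIN_RE = re.compile(r"\bwin (\d+)")

# Source addresses that can never legitimately arrive on a WAN interface
# (RFC 1918, "this" network, loopback, link-local, shared address space,
# multicast, class E).  Assumption for this example: RFC 5737 documentation
# ranges are left out so the constructed sample can use them as public hosts.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_martian(addr):
    """True if addr falls in a range that cannot be a real Internet source."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MARTIANS)


def parse_line(line):
    """Parse one tcpdump summary line; returns a dict or None if unrecognised."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {"ts": m.group("ts"), "src": m.group("src"), "sport": int(m.group("sport")),
           "dst": m.group("dst"), "dport": int(m.group("dport"))}
    if rest.startswith("Flags [S],"):          # pure SYN ("[S.]" would be SYN-ACK)
        rec["proto"] = "tcp"
        seq, win = SEQ_RE.search(rest), WIN_RE.search(rest)
        rec["seq"] = int(seq.group(1)) if seq else None
        rec["win"] = int(win.group(1)) if win else None
    elif rest.startswith("UDP,"):
        rec["proto"] = "udp"
    else:
        rec["proto"] = "other"
    return rec


def analyse(lines):
    """Bucket the capture the way the post does by eye."""
    recs = [r for r in map(parse_line, lines) if r]
    hits_per_port = Counter((r["proto"], r["dport"]) for r in recs)
    # A conventional stack retransmits an unanswered SYN with the SAME source
    # port and SAME sequence number; a raw-socket bot fires one SYN and moves on.
    syn_tries = Counter((r["src"], r["sport"], r["seq"]) for r in recs if r["proto"] == "tcp")
    retransmitting = {src for (src, _, _), n in syn_tries.items() if n >= 2}
    single_shot = {src for (src, _, _), n in syn_tries.items() if n == 1} - retransmitting
    martian_sources = {r["src"] for r in recs if is_martian(r["src"])}
    # The 23/2323 pattern: same source hits both ports with an identical window.
    win_by_src = defaultdict(dict)
    for r in recs:
        if r["proto"] == "tcp" and r["dport"] in (23, 2323):
            win_by_src[r["src"]][r["dport"]] = r["win"]
    dual_port = {s for s, w in win_by_src.items() if {23, 2323} <= w.keys() and w[23] == w[2323]}
    return {"hits_per_port": hits_per_port, "retransmitting": retransmitting,
            "single_shot": single_shot, "martians": martian_sources, "dual_port": dual_port}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LINES).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else sorted(value)}")
```

To run it against a real capture such as the one the post takes with `-w /tmp/dump`, feed it the text form (`tcpdump -nr /tmp/dump`) line by line instead of `SAMPLE_LINES`. Retransmission detection keys on (source, source port, sequence number), which is what distinguishes a real stack retrying from a scanner that only sends one packet per target; a spoofed-source flood shows up as single-shot hits, often from martian addresses, as in the sample.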



Thread

yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseup.invalid> - 2016-10-03 11:42 -0400
  Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-10-04 20:32 +0000
    Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseup.invalid> - 2016-10-27 20:27 -0400
      Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-10-28 21:10 +0000
        Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseup.invalid> - 2016-10-28 18:02 -0400
          Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-10-29 22:24 +0000
            Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseupnet.invalid.com> - 2016-11-22 18:49 -0500
              Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-11-24 01:13 +0000
                Re: yet another IP blocklist (mine!) Supratim Sanyal <supratim@riseupnet.invalid.com> - 2016-11-26 17:59 -0500
                Re: yet another IP blocklist (mine!) Moe Trin <ibuprofin@painkiller.example.tld.invalid> - 2016-11-28 02:10 +0000
