Re: how to deal with port scan and brute force attack from AS 8075 ?

[DV <iamzam () gmail com>]

I have noticed this and especially the strange format of the packets with a
SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr

This may be $whoever trying to establish network performance/congestion via
ECN or it could be something else like a fast scan technique or OS
fingerprinting


On Thu, Mar 31, 2016 at 5:50 AM, marcel.duregards--- via NANOG <
nanog () nanog org> wrote:

> I can not blame them to not answer to all of the thousands emails
> destined to their abuse mailbox. And the goal of my email was not to
> call them on public forum, but rather to know how others ops deal with
> it, and also if MS (and competitors) have automatic detection of such
> 'illegal' traffic, and if not why ?....
>
>
>
>
>
> On 31.03.2016 10:18, Todd Crane wrote:
> > Oh and,
> >
> > I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not
> to mention unprofessional, to publicly call them out on such a public forum
> without giving them an opportunity to correct it first.
> > > On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.crane () n5tech com> wrote:
> > >
> > > Marcel
> > >
> > > Depending on what is on those machines, I would just recommend using
> fail2ban. The default is that if an ip address fails ssh auth 3 times in 5
> minutes, their ip gets blocked via iptables for 5 minutes. This is enough
> to thwart most scripted attacks, especially those from a certain government
> in Asia. This is configurable to various applications, timing schemes, and
> blocking/jailing mechanisms.
> > > -Todd
> > > > On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <
> nanog () nanog org> wrote:
> > > > Dear Nanog'er,
> > > >
> > > > We are facing a lot of port scan and brute force attack on port 22 (but
> > > > not limited to) from Microsoft AS 8075 range toward our own infra, or
> > > > toward our customers.
> > > > We have sent email to abuse () microsoft com, but no answer.
> > > >
> > > > source ip are:
> > > > NetRange:       40.74.0.0 - 40.125.127.255
> > > > CIDR:           40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
> > > > 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
> > > > NetName:        MSFT
> > > >
> > > >
> > > >
> > > > We consider port scan and brute force on ssh port as an attack, and
> even
> > > > as a pre-DDOS phase (could be use to install botnet, detect unpatched
> > > > host, and so one).
> > > >
> > > > It's one thing to propose services and make money over an infra, it's
> an
> > > > other thing to take care that you clients do not use this infra to make
> > > > illegal stuffs.
> > > >
> > > >
> > > > How do you deal with such massive amount of 'illegal' traffic ?
> > > >
> > > > Thank,
> > > > Best Regards
> > > > Marcel
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > He are some examples (we have more than 3000 such packets per day just
> > > > from them, probably Azure), and source ip is always differents of
> course:
> > > > Flow Filtering Expression
> > > > src AS 8075 and dst port 22 and packets=1
> > > > Limit Flows
> > > > 40000
> > > > Sorting
> > > > By Date
>
> > >