On Thu, 2020-03-12 at 11:30 -0500, Shawn M Garringer via 44Net wrote:
> I am wondering if anyone else is seeing the following: starting on 5
> March 2020 and continuing through the present I have detected a large
> spike in inbound traffic to several of my AMPR 44 IP addresses (on
> 44.50.1.0/24). The spike has been large enough that my logging ELK
> stack is struggling to keep up.
A good number of folks have seen a spike in scans by botnets spoofing
IPs but not just on 44-net. Commercial ISPs have seen similar spikes of
traffic and have taken proactive measures to try and halt these brute
force attacks.
I see no visible increase in the traffic graphs for our internet gateway,
but of course I do confirm that there is a continuous stream of port scanning
going on, partly from individuals and partly from jerks like censys.io,
shodan.io, stretchoid.com, binaryedge.ninja etc etc who are continuously
scanning the internet for vulnerabilities and keep searchable databases
where their users can instantly locate who is running e.g. a MikroTik
router when there is a new known vulnerability (of course only when its
firewall is not properly configured).
All this together is responsible for 1-2 Mbit/s of traffic on our /16.
So yes, it is quite noticeable. Of course we do not log all that, but
we do have some auto-block features that trigger when people scan for
well-known ports (like mentioned above) within unassigned address space.
Rob
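An added illustration (not Rob's or 44Net's own code) of the kind of auto-block trigger described above: flow-log lines whose destination lies inside the gateway's /16 but in no assigned subnet, on a well-known port, are counted per source, and a source that sweeps several such addresses is reported as a block candidate. The /16, the assigned subnets, the port set, the log format and the log lines are all constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed, hypothetical values for illustration (not from the thread):
# the gateway's /16, its assigned subnets, and the well-known ports watched.
OUR_NET = ipaddress.ip_network("44.50.0.0/16")
ASSIGNED = [ipaddress.ip_network(n) for n in ("44.50.1.0/24", "44.50.7.0/24")]
WATCHED_PORTS = {22, 23, 445, 3389, 8291}  # ssh, telnet, smb, rdp, MikroTik Winbox

# Constructed flow-log lines in the form "<timestamp> <src> <dst> <dport> <proto>".
SAMPLE_LOG = """\
2020-03-05T10:00:01 198.51.100.7 44.50.200.9 22 tcp
2020-03-05T10:00:01 198.51.100.7 44.50.200.10 22 tcp
2020-03-05T10:00:02 198.51.100.7 44.50.201.3 8291 tcp
2020-03-05T10:00:02 198.51.100.7 44.50.1.25 22 tcp
2020-03-05T10:00:03 203.0.113.44 44.50.1.25 22 tcp
2020-03-05T10:00:04 203.0.113.44 44.50.1.26 80 tcp
2020-03-05T10:00:05 192.0.2.9 44.50.150.1 53 udp
2020-03-05T10:00:06 192.0.2.9 44.50.150.1 23 tcp
"""

def is_unassigned(dst):
    """True when dst lies inside our /16 but in none of the assigned subnets."""
    ip = ipaddress.ip_address(dst)
    return ip in OUR_NET and not any(ip in net for net in ASSIGNED)

def find_scanners(log_text, threshold=3):
    """Map each source that probed watched ports on at least `threshold`
    distinct unassigned addresses to its sorted (dst, port) hits.
    Hits on assigned hosts are ignored: legitimate users go there."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than crash the collector
        _ts, src, dst, dport, _proto = parts
        if is_unassigned(dst) and int(dport) in WATCHED_PORTS:
            hits[src].add((dst, int(dport)))
    # Count distinct destination hosts, not packets: a burst at one address is not a sweep.
    # Sources can be spoofed (as noted in the thread), so treat the result as
    # candidates for a reviewed or time-limited block, not a permanent deny list.
    return {src: sorted(h) for src, h in hits.items()
            if len({d for d, _ in h}) >= threshold}

if __name__ == "__main__":
    for src, probes in find_scanners(SAMPLE_LOG).items():
        print(f"block candidate {src}: {len(probes)} probes into unassigned space, e.g. {probes[0]}")
```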