Shawn et al;
On Thu, 2020-03-12 at 11:30 -0500, Shawn M Garringer via 44Net wrote:
> I am wondering if anyone else is seeing the following: starting on 5 March 2020 and continuing through the present I have detected a large spike in inbound traffic to several of my AMPR 44 IP addresses (on 44.50.1.0/24). The spike has been large enough that my logging ELK stack is struggling to keep up.
A good number of folks have seen a spike in scans by botnets spoofing IPs, but not just on 44-net. Commercial ISPs have seen similar spikes of traffic and have taken proactive measures to try and halt these brute-force attacks.
Some of the spoofed IPs I've seen include the U.S. military, U.S. postal service, USDA, many universities and municipalities... to name a few. At one point I even caught a 222-net IP try to inject my DNS server with a bogus ampr.org zone file on my public IP. Of course it failed and my firewall bagged it.
The best you can do is tighten your firewall rules so that these spoofs do as little damage as possible.