Re: [44net] Large increase in inbound suspicious traffic from public internet to systems on 44 net?
30 Mar
2020
30 Mar
'20
8:20 p.m.
On Thu, 2020-03-12 at 11:30 -0500, Shawn M Garringer
via 44Net wrote:
> I am wondering if anyone else is seeing the
following: starting on 5
> March 2020 and continuing through the present I have detected a large
> spike in inbound traffic to several of my AMPR 44 IP addresses (on
> 44.50.1.0/24). The spike has been large enough that my logging ELK
> stack is struggling to keep up.
A good number of folks have seen a spike in scans by
botnets spoofing
IPs but not just on 44-net. Commercial ISPs have seen similar spikes of
traffic and have taken proactive measures to try and halt these brute
force attacks.
I see no visible increase in the traffic graphs for our internet gateway,
but of course I do confirm that there is a continuous stream of port scanning
going on, partly from individuals and partly from jerks like censys.io,
shodan.io, stretchoid.com, binaryedge.ninja etc etc who are continuously
scanning the internet for vulnerabilities and keep searchable databases
where their users can instantly locate who is running e.g. a MikroTik
router when there is a new known vulnerability (of course only when it
its firewall is not properly configured).
All this together is responsible for 1-2 Mbit/s of traffic on our /16.
So yet, it is quite noticable. Of course we do not log all that, but
we do have some auto-block features that trigger when people scan for
wellknown ports (like mentioned above) within unassigned address space.
Rob
31 Mar
31 Mar
6:28 a.m.
New subject: Large increase in inbound suspicious traffic from public internet to systems on 44 net?
Now after you mention I have checked the Graphes of my router and there is a increase in
the data
The router was rebooted after 5 march so i dont know when it started
you can look on the Tunnel interfave graphs in my router if thats help you on the
following address
http://44.138.1.1/graphs/iface/UCSD/
also the UCSD AMPRNET router has a statistic page that you can look there also and see
Ronen - 4Z4ZQ
________________________________
From: 44Net <44net-bounces+ronenp=hotmail.com(a)mailman.ampr.org> on behalf of Rob
Janssen via 44Net <44net(a)mailman.ampr.org>
Sent: Monday, March 30, 2020 12:20 PM
To: 44net(a)mailman.ampr.org <44net(a)mailman.ampr.org>
Cc: Rob Janssen <pe1chl(a)amsat.org>
Subject: Re: [44net] Large increase in inbound suspicious traffic from public internet to
systems on 44 net?
On Thu, 2020-03-12 at 11:30 -0500, Shawn M Garringer
via 44Net wrote:
> I am wondering if anyone else is seeing the
following: starting on 5
> March 2020 and continuing through the present I have detected a large
> spike in inbound traffic to several of my AMPR 44 IP addresses (on
> 44.50.1.0/24). The spike has been large enough that my logging ELK
> stack is struggling to keep up.
A good number of folks have seen a spike in scans by
botnets spoofing
IPs but not just on 44-net. Commercial ISPs have seen similar spikes of
traffic and have taken proactive measures to try and halt these brute
force attacks.
I see no visible increase in the traffic graphs for our internet gateway,
but of course I do confirm that there is a continuous stream of port scanning
going on, partly from individuals and partly from jerks like censys.io,
shodan.io, stretchoid.com, binaryedge.ninja etc etc who are continuously
scanning the internet for vulnerabilities and keep searchable databases
where their users can instantly locate who is running e.g. a MikroTik
router when there is a new known vulnerability (of course only when it
its firewall is not properly configured).
All this together is responsible for 1-2 Mbit/s of traffic on our /16.
So yet, it is quite noticable. Of course we do not log all that, but
we do have some auto-block features that trigger when people scan for
wellknown ports (like mentioned above) within unassigned address space.
Rob
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
1496
days inactive
1497
days old
1 comments
2 participants
participants (2)
-
R P -
Rob Janssen