On Thu, 2020-03-12 at 11:30 -0500, Shawn M Garringer via 44Net wrote:
I am wondering if anyone else is seeing the following: starting on 5 March 2020 and continuing through the present I have detected a large spike in inbound traffic to several of my AMPR 44 IP addresses (on 44.50.1.0/24). The spike has been large enough that my logging ELK stack is struggling to keep up.
A good number of folks have seen a spike in scans by botnets spoofing IPs but not just on 44-net. Commercial ISPs have seen similar spikes of traffic and have taken proactive measures to try and halt these brute force attacks.
I see no visible increase in the traffic graphs for our internet gateway, but of course I do confirm that there is a continuous stream of port scanning going on, partly from individuals and partly from jerks like censys.io, shodan.io, stretchoid.com, binaryedge.ninja etc. who are continuously scanning the internet for vulnerabilities and keep searchable databases where their users can instantly locate who is running e.g. a MikroTik router when there is a new known vulnerability (of course only when its firewall is not properly configured).
All this together is responsible for 1-2 Mbit/s of traffic on our /16. So yes, it is quite noticeable. Of course we do not log all that, but we do have some auto-block features that trigger when people scan for well-known ports (like those mentioned above) within unassigned address space.
Rob
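As an added example (not code from the thread, nor from any AMPRNet gateway), the following sketch shows the kind of auto-block logic Rob describes: it reads iptables-style LOG lines, counts TCP probes to well-known ports that land on addresses inside the gateway's prefix but outside any assigned subnet, and lists sources that exceed a threshold. The prefix 44.137.0.0/16, the two assigned /24s, the port list, the threshold and all log lines are assumptions constructed for the example.

```python
"""Auto-block candidates from iptables LOG lines: sources that probe well-known
ports on unassigned ("dark") addresses inside our announced prefix."""
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the thread): the gateway announces 44.137.0.0/16 and only
# two /24s inside it are assigned; every other address in the /16 is dark space
# that no legitimate client has a reason to contact.
OUR_PREFIX = ipaddress.ip_network("44.137.0.0/16")
ASSIGNED = [ipaddress.ip_network("44.137.10.0/24"),
            ipaddress.ip_network("44.137.20.0/24")]
# Ports scanners hunt for: SSH, telnet, HTTP/HTTPS, MikroTik Winbox and API.
WATCHED_PORTS = {22, 23, 80, 443, 8291, 8728}
# Sources we refuse to block automatically: our own prefix and private ranges,
# so a misconfigured local host (or a packet spoofed from one) cannot lock us out.
NEVER_BLOCK = [OUR_PREFIX,
               ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("172.16.0.0/12"),
               ipaddress.ip_network("192.168.0.0/16")]
THRESHOLD = 3  # distinct (dst, port) dark hits before a source is listed

# Fields of a kernel LOG line; ICMP lines carry no DPT and are skipped.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src, dst, proto, dport) from an iptables LOG line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            m["proto"], int(m["dpt"]))


def is_dark(dst):
    """True if dst lies in our prefix but in no assigned subnet."""
    return dst in OUR_PREFIX and not any(dst in a for a in ASSIGNED)


def find_scanners(lines, threshold=THRESHOLD):
    """Map source -> sorted dark (dst, port) hits, for sources at or over threshold."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto != "TCP" or dport not in WATCHED_PORTS or not is_dark(dst):
            continue
        if any(src in n for n in NEVER_BLOCK):
            continue
        hits[src].add((str(dst), dport))
    return {str(src): sorted(h) for src, h in hits.items() if len(h) >= threshold}


def blocklist(lines, threshold=THRESHOLD):
    """Sorted source addresses to feed into an ipset or firewall drop rule."""
    return sorted(find_scanners(lines, threshold), key=ipaddress.ip_address)


# Constructed sample log lines in iptables LOG format (not real traffic).
SAMPLE_LOG = [
    # one scanner sweeping three dark hosts on SSH and Winbox
    "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=44.137.55.1 LEN=40 TTL=52 PROTO=TCP SPT=40000 DPT=22 SYN",
    "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=44.137.55.2 LEN=40 TTL=52 PROTO=TCP SPT=40001 DPT=22 SYN",
    "kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=44.137.200.9 LEN=40 TTL=52 PROTO=TCP SPT=40002 DPT=8291 SYN",
    # a legitimate client of an assigned host, plus one stray dark hit (under threshold)
    "kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=44.137.10.5 LEN=52 TTL=60 PROTO=TCP SPT=51000 DPT=443 SYN",
    "kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=44.137.60.1 LEN=40 TTL=60 PROTO=TCP SPT=51001 DPT=80 SYN",
    # a host in our own prefix probing dark space: noisy, but never auto-blocked
    "kernel: IN=eth0 OUT= SRC=44.137.20.3 DST=44.137.99.1 LEN=40 TTL=64 PROTO=TCP SPT=33000 DPT=23 SYN",
    "kernel: IN=eth0 OUT= SRC=44.137.20.3 DST=44.137.99.2 LEN=40 TTL=64 PROTO=TCP SPT=33001 DPT=23 SYN",
    "kernel: IN=eth0 OUT= SRC=44.137.20.3 DST=44.137.99.3 LEN=40 TTL=64 PROTO=TCP SPT=33002 DPT=23 SYN",
    # an unwatched port and an ICMP echo: both ignored
    "kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=44.137.70.1 LEN=40 TTL=48 PROTO=TCP SPT=2000 DPT=5060 SYN",
    "kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=44.137.70.1 LEN=84 TTL=48 PROTO=ICMP TYPE=8 CODE=0",
]

if __name__ == "__main__":
    for src, probes in find_scanners(SAMPLE_LOG).items():
        print(src, probes)
    print("block:", blocklist(SAMPLE_LOG))
```

One caveat worth keeping in mind with any auto-block keyed on the source address: the thread itself notes botnets spoofing IPs, and a spoofed SYN to dark space looks identical to a real one, so an attacker can make the gateway block a third party of their choosing. Requiring several distinct targets (the threshold above), exempting your own and your peers' prefixes, and expiring entries (for example an ipset with a timeout) limit the damage; counting only flows that completed a TCP handshake removes the spoofing problem for TCP entirely, at the cost of needing connection tracking rather than plain LOG lines.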
Now that you mention it, I have checked the graphs of my router and there is an increase in the data. The router was rebooted after 5 March so I don't know when it started. You can look at the tunnel interface graphs in my router if that helps you, at the following address: http://44.138.1.1/graphs/iface/UCSD/
Also the UCSD AMPRNet router has a statistics page that you can look at as well.

Ronen - 4Z4ZQ
From: 44Net <44net-bounces+ronenp=hotmail.com@mailman.ampr.org> on behalf of Rob Janssen via 44Net <44net@mailman.ampr.org>
Sent: Monday, March 30, 2020 12:20 PM
To: 44net@mailman.ampr.org
Cc: Rob Janssen <pe1chl@amsat.org>
Subject: Re: [44net] Large increase in inbound suspicious traffic from public internet to systems on 44 net?
44Net mailing list
44Net@mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net