how to deal with port scan and brute force attack from AS 8075 ?

Dear Nanog'er,

We are facing a lot of port scan and brute force attack on port 22 (but
not limited to) from Microsoft AS 8075 range toward our own infra, or
toward our customers.
We have sent email to abuse@microsoft.com, but no answer.

source ip are:
NetRange: 40.74.0.0 - 40.125.127.255
CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
NetName: MSFT

We consider port scan and brute force on ssh port as an attack, and even
as a pre-DDOS phase (could be use to install botnet, detect unpatched
host, and so one).

It's one thing to propose services and make money over an infra, it's an
other thing to take care that you clients do not use this infra to make
illegal stuffs.

How do you deal with such massive amount of 'illegal' traffic ?

Thank,
Best Regards
Marcel

He are some examples (we have more than 3000 such packets per day just
from them, probably Azure), and source ip is always differents of course:

Flow Filtering Expression
  src AS 8075 and dst port 22 and packets=1
Limit Flows
  40000
Sorting
  By Date

Date_first_seen Duration Proto _IP_Addr:Port
Dst_IP_Addr:Port Flags Packets
2016-02-29 14:55:20.108 0.000 6 104.45.210.69:1160 ->
x.x.231:22 ...... 1
2016-02-29 14:55:20.611 0.000 6 104.45.210.69:1161 ->
x.x.231:22 ...... 1
2016-02-29 14:56:41.004 0.000 6 40.76.55.204:1090 ->
x.x..14:22 ...... 1
2016-02-29 14:56:41.324 0.000 6 40.76.55.204:1091 ->
x.x..14:22 ...... 1
2016-02-29 15:00:05.670 0.000 6 40.76.55.204:1088 ->
x.x.125:22 ...... 1
2016-02-29 15:00:06.003 0.000 6 40.76.55.204:1089 ->
x.x.125:22 ...... 1
2016-02-29 15:01:17.358 0.000 6 40.76.70.58:1168 ->
x.x..80:22 ...... 1
2016-02-29 15:01:17.676 0.000 6 40.76.70.58:1169 ->
x.x..80:22 ...... 1
2016-02-29 15:02:42.637 0.000 6 40.76.55.204:1176 ->
x.x.193:22 ...... 1
2016-02-29 15:02:42.878 0.000 6 40.76.55.204:1177 ->
x.x.193:22 ...... 1
2016-02-29 15:02:48.067 0.000 6 104.45.210.69:1160 ->
x.x.173:22 ...... 1
2016-02-29 15:02:48.394 0.000 6 104.45.210.69:1161 ->
x.x.173:22 ...... 1
2016-02-29 15:03:18.854 0.000 6 40.121.53.153:1041 ->
x.x..88:22 ...... 1
2016-02-29 15:03:19.172 0.000 6 40.121.53.153:1042 ->
x.x..88:22 ...... 1
2016-02-29 15:06:36.248 0.000 6 40.76.55.204:1056 ->
x.x..45:22 ...... 1
2016-02-29 15:07:31.882 0.000 6 40.76.80.17:44895 ->
x.x..75:22 ...... 1
2016-02-29 15:07:32.245 0.000 6 40.76.80.17:44896 ->
x.x..75:22 ...... 1
2016-02-29 15:09:08.433 0.000 6 40.76.70.58:1168 ->
x.x..31:22 ...... 1
2016-02-29 15:09:08.744 0.000 6 40.76.70.58:1169 ->
x.x..31:22 ...... 1
2016-02-29 15:11:45.668 0.000 6 40.76.80.17:47993 ->
x.x.157:22 ...... 1
2016-02-29 15:11:45.987 0.000 6 40.76.80.17:47994 ->
x.x.157:22 ...... 1
2016-02-29 15:12:09.543 0.000 6 40.76.70.58:1168 ->
x.x..24:22 ...... 1
2016-02-29 15:12:09.925 0.000 6 40.76.70.58:1169 ->
x.x..24:22 ...... 1
2016-02-29 15:17:05.920 0.000 6 40.76.70.58:1168 ->
x.x.243:22 ...... 1
2016-02-29 15:17:06.241 0.000 6 40.76.70.58:1169 ->
x.x.243:22 ...... 1
2016-02-29 15:19:21.364 0.000 6 40.83.121.211:62936 ->
x.x..81:22 ...... 1
2016-02-29 15:19:21.704 0.000 6 40.83.121.211:62937 ->
x.x..81:22 ...... 1
2016-02-29 15:19:45.891 0.000 6 40.76.70.58:1168 ->
x.x..39:22 ...... 1
2016-02-29 15:19:46.273 0.000 6 40.76.70.58:1169 ->
x.x..39:22 ...... 1
2016-02-29 15:21:52.030 0.000 6 40.76.70.58:1168 ->
x.x.120:22 ...... 1
2016-02-29 15:21:52.349 0.000 6 40.76.70.58:1169 ->
x.x.120:22 ...... 1
2016-02-29 15:24:07.614 0.000 6 40.76.55.204:1048 ->
x.x.237:22 ...... 1
2016-02-29 15:24:07.933 0.000 6 40.76.55.204:1128 ->
x.x.237:22 ...... 1
2016-02-29 15:27:31.289 0.000 6 40.121.53.153:1041 ->
x.x.133:22 ...... 1
2016-02-29 15:27:31.544 0.000 6 40.121.53.153:1042 ->
x.x.133:22 ...... 1
2016-02-29 15:27:59.120 0.000 6 40.76.70.58:1168 ->
x.x.9.3:22 ...... 1
2016-02-29 15:27:59.440 0.000 6 40.76.70.58:1169 ->
x.x.9.3:22 ...... 1
2016-02-29 15:29:30.933 0.000 6 40.76.70.58:1168 ->
x.x.211:22 ...... 1
2016-02-29 15:29:31.031 0.000 6 40.76.70.58:1169 ->
x.x.211:22 ...... 1
2016-02-29 15:29:33.729 0.000 6 40.76.55.204:1142 ->
x.x.166:22 ...... 1
2016-02-29 15:29:34.032 0.000 6 40.76.55.204:1143 ->
x.x.166:22 ...... 1
2016-02-29 15:31:41.947 0.000 6 40.76.70.58:1168 ->
x.x.137:22 ...... 1
2016-02-29 15:31:42.266 0.000 6 40.76.70.58:1169 ->
x.x.137:22 ...... 1
2016-02-29 15:32:10.044 0.000 6 40.121.53.153:1041 ->
x.x..71:22 ...... 1
2016-02-29 15:32:10.348 0.000 6 40.121.53.153:1042 ->
x.x..71:22 ...... 1
2016-02-29 15:32:10.442 0.000 6 104.45.210.69:1161 ->
x.x.246:22 ...... 1
2016-02-29 15:32:10.475 0.000 6 104.45.210.69:1160 ->
x.x.246:22 ...... 1
2016-02-29 15:32:29.165 0.000 6 40.121.143.132:1040 ->
x.x..62:22 ...... 1
2016-02-29 15:32:29.466 0.000 6 40.121.143.132:1041 ->
x.x..62:22 ...... 1
2016-02-29 15:37:07.616 0.000 6 40.76.80.17:56902 ->
x.x..51:22 ...... 1
2016-02-29 15:37:07.925 0.000 6 40.76.80.17:56903 ->
x.x..51:22 ...... 1
2016-02-29 15:40:04.546 0.000 6 40.121.53.153:1041 ->
x.x.186:22 ...... 1
2016-02-29 15:40:04.866 0.000 6 40.121.53.153:1042 ->
x.x.186:22 ...... 1
2016-02-29 15:40:28.870 0.000 6 40.76.70.58:1168 ->
x.x.171:22 ...... 1
2016-02-29 15:40:29.125 0.000 6 40.76.70.58:1169 ->
x.x.171:22 ...... 1
2016-02-29 15:41:57.034 0.000 6 40.76.55.204:1128 ->
x.x.181:22 ...... 1
2016-02-29 15:41:57.354 0.000 6 40.76.55.204:1176 ->
x.x.181:22 ...... 1

2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 ->
x.x.163:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 ->
x.x.176:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 ->
x.x.206:22 ...... 1
2016-02-29 16:55:49.183 0.000 6 40.117.96.192:1120 ->
x.x.158:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
x.x.185:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
x.x.251:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
x.x.255:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
x.x.141:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
x.x.136:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
x.x.235:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
x.x.242:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
x.x.240:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
x.x.100:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
x.x.244:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
x.x.217:22 ...... 1
2016-02-29 16:55:49.186 0.000 6 40.117.96.192:1120 ->
x.x..72:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x.221:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x.5.4:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x.150:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x.145:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x.119:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x..52:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x..75:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x.127:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x..22:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x..77:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x.246:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x.137:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x..85:22 ...... 1
2016-02-29 16:55:49.187 0.000 6 40.117.96.192:1120 ->
x.x..35:22 ...... 1

How do you deal with such massive amount of 'illegal' traffic ?

Move SSH to a different port. Better yet, use IPv6 only

Robert

Marcel

Depending on what is on those machines, I would just recommend using fail2ban. The default is that if an ip address fails ssh auth 3 times in 5 minutes, their ip gets blocked via iptables for 5 minutes. This is enough to thwart most scripted attacks, especially those from a certain government in Asia. This is configurable to various applications, timing schemes, and blocking/jailing mechanisms.

-Todd

Oh and,

I’m assuming you contacted Microsoft’s abuse? If not, it’s not cool, not to mention unprofessional, to publicly call them out on such a public forum without giving them an opportunity to correct it first.

I must have missed that… my bad.

I would ignore the portscans since there is nothing wrong with portscanning
the Internet.

Install fail2ban {don't forgot to whitelist your management static IPs}.

You may want to increase the default bantime and findtime {how far back to
search logs}.

I can not blame them to not answer to all of the thousands emails
destined to their abuse mailbox. And the goal of my email was not to
call them on public forum, but rather to know how others ops deal with
it, and also if MS (and competitors) have automatic detection of such
'illegal' traffic, and if not why ?....

I have noticed this and especially the strange format of the packets with a
SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr

This may be $whoever trying to establish network performance/congestion via
ECN or it could be something else like a fast scan technique or OS
fingerprinting

Use IPv6, bind a second address to the device. Enable on a random port, on
this new address. Remove ssh from the other IP address.

Joe Klein
"Inveniam viam aut faciam"

PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

Maybe not super useful in your case but talking about SSH the sysadmin
solution would be to disable password login and use just keys.

Also, as someone else said, fail2ban... because it's a lot of fun.

Ciao,
Davide

So explain to me why you don't have ACLs that silently drop inbound SYN
packets on port 22 from outside your allocated address space? (And if
you can't do it at your border because you sub-allocate address space
to customers, figure out how to use iptables or similar to block it on
the target hosts, or only apply the ACL for your own subnets).

If you have a *legitimate* business case for needing to SSH in from outside,
there are fine products such as OpenVPN (and not-so-fine like the one we
have in production - although it's mostly usable too, and achieves the goal
of presenting you as being inside our corporate address space)

Also, move your SSH service to some port other than 22, and consider
putting 'Password Authentication no/PubKeyAuthentication yes' in your
sshd_config.

I admit never understanding why people run their systems in a low-hanging
fruit configuration, and then are surprised that miscreants go looking for
low hanging fruit.

(For the record, our border routers drop inbound SYN on port 22 on *both*
ipv4 and ipv6 address spaces. It's amazing how few brute force
attempts we see on our servers...

You could use Shields Up to view your vulnerabilities... obvious ones, and remedy... Cyrus Ramirez

We consider port scan and brute force on ssh port as an attack, and even

So explain to me why you don't have ACLs that silently drop inbound SYN
packets on port 22 from outside your allocated address space? (And if
you can't do it at your border because you sub-allocate address space
to customers, figure out how to use iptables or similar to block it on
the target hosts, or only apply the ACL for your own subnets).

If you have a *legitimate* business case for needing to SSH in from outside,
there are fine products such as OpenVPN (and not-so-fine like the one we
have in production - although it's mostly usable too, and achieves the goal
of presenting you as being inside our corporate address space)

Also, move your SSH service to some port other than 22, and consider
putting 'Password Authentication no/PubKeyAuthentication yes' in your
sshd_config.

I admit never understanding why people run their systems in a low-hanging
fruit configuration, and then are surprised that miscreants go looking for
low hanging fruit.

(For the record, our border routers drop inbound SYN on port 22 on *both*
ipv4 and ipv6 address spaces. It's amazing how few brute force
attempts we see on our servers...

hi nanog'ers

> We consider port scan and brute force on ssh port as an attack, and even

...

(For the record, our border routers drop inbound SYN on port 22 on *both*
ipv4 and ipv6 address spaces. It's amazing how few brute force
attempts we see on our servers...

i think the best way, ( imho ) to discourage random incoming ssh connections
or anything else ( tcp-based ) is to run tarpit on ALL tcp based ports ...
  one obviously would allow incoming 25/tcp traffic to mail servers
  and incoming 80/tcp to web servers, etc etc, but otherwise, all
  other incoming tcp ports gets unconditionally tarpit'd

  we used to get hundreds of thousands of garbage tcp connections per minute
  which basically disappeared after running tarpits as needed

  and the attackers ( port scanners ) pay a penalty for sending useless
  packets to tarpit'd ports

fail2ban/etc is okay but it's too limited since i want to deny all tcp connections
and specifically only allow certain incoming traffic which is trivial to
implement with iptables + tarpits

/dev/null incoming packets is okay but it still occupied time/space/buffers
in the pipe and the attackers didn't feel any pain for sending the packets

doing ddos mitigation for your own IP# space is fairly easy to create
various policies ... doing the ddos mitigation for your customers down
the line using your routers can be tricky business and very messy if
either the customer nor isp doesn't change something ( aka more $$$ )

magic pixie dust
alvin
DDoS-Mitigator.net

It's OS fingerprinting. Targeted attacks are far more productive. If
I'm trying to get into an organization, I'd much rather be interested
in Juniper ScreenOS than someone's personal *nix machine.

Brandon Vincent

They should always just use Shodan.

https://www.shodan.io/explore

You might want to check with your lawyer on that. If you
_intentionally_ port-scan a computer located in Virginia without the
owner's permission (and do nothing else, just port-scan it) it's a
class 3 misdemeanor under 18.2-152.1, et seq. That's up to a $500 fine
for each computer you scan. By comparison, shoplifting is a class 1
misdemeanor while possession of a schedule V narcotic is another class
3.

A key word here is "intentionally." Poking at it by mistake (e.g. you
thought it was a different computer which you had the authority to
scan) is not a crime. Nor, most likely, is less aggressive behavior
which would not ordinarily be part of gaining unauthorized access,
such as pinging or tracerouting.

Not that I've ever heard of someone being fined but you're definitely
in to "something wrong" territory.

Regards,
Bill Herrin

I would ignore the portscans since there is nothing wrong with portscanning
the Internet.

You might want to check with your lawyer on that. If you
_intentionally_ port-scan a computer located in Virginia without the
owner's permission (and do nothing else, just port-scan it) it's a
class 3 misdemeanor under 18.2-152.1, et seq. That's up to a $500 fine
for each computer you scan. By comparison, shoplifting is a class 1
misdemeanor while possession of a schedule V narcotic is another class
3.

I think you’re on shaky ground here.

18.2-152.3 reads:

Any person who uses a computer or computer network, without authority and:
1. Obtains property or services by false pretenses;
2. Embezzles or commits larceny; or
3. Converts the property of another;
is guilty of the crime of computer fraud.
If the value of the property or services obtained is $200 or more, the crime of computer fraud shall be punishable as a Class 5 felony. Where the value of the property or services obtained is less than $200, the crime of computer fraud shall be punishable as a Class 1 misdemeanor.

The requirements here are to meet at least one of the 3 tests listed.

I think it’s rather hard to claim that a portscan by itself “obtained property or services by false pretenses”.
I think it’s even harder to claim that it constitutes “embezzling” or “larceny”.
I also think you’d have a tough time arguing that eliciting a response packet to one or more packets actually constitutes conversion of property.

So I don’t see how you’d make much of a case for a port-scan being a violation of 18.2-152.1 et. seq.

I think the argument, rather easily, could be made that a port-scan is the internet equivalent of a door-knock. By itself, it doesn’t constitute unlawful entry. Now, a persistent door-knock might constitute some form of harassment and frequent or continuous port-scans could be argued to be a form of denial of service (which would constitute conversion), but the odd port-scan is unlikely to meet the tests under the law you cited.

A key word here is "intentionally." Poking at it by mistake (e.g. you
thought it was a different computer which you had the authority to
scan) is not a crime. Nor, most likely, is less aggressive behavior
which would not ordinarily be part of gaining unauthorized access,
such as pinging or tracerouting.

I could be wrong, IANAL, but I’d be surprised if a mere portscan would actually be treated as a violation for the reasons cited above.

Not that I've ever heard of someone being fined but you're definitely
in to "something wrong" territory.

I don’t think you’ve made your case for “definite” so far. I agree you might be at risk from an overzealous prosecutor and an activist judge that hates hackers for some reason, but short of that, I think you’re unlikely to run afoul of this statute just on a port scan.

Owen

my experience in talking to the DoJ in the US is this is not going to illicit any sort of a response.

I will say that the number of people who “set up a tool” to watch for activity then claim things like a DNS packet or backscatter from DDoS represent a log-on attempt generates the most amusing email to read.

- Jared

That's computer fraud. You want § 18.2-152.4, computer trespass.

-Bill

I worked forward (et. seq.) from where you started… However…

18.2-152.4 <http://law.justia.com/codes/virginia/2006/toc1802000/18.2-152.4.html>. Computer trespass; penalty.

A. It shall be unlawful for any person, with malicious intent, to:

1. Temporarily or permanently remove, halt, or otherwise disable any computerdata, computer programs or computer software from a computer or computernetwork;

2. Cause a computer to malfunction, regardless of how long the malfunctionpersists;

3. Alter, disable, or erase any computer data, computer programs or computersoftware;

4. Effect the creation or alteration of a financial instrument or of anelectronic transfer of funds;

5. Use a computer or computer network to cause physical injury to theproperty of another; or

6. Use a computer or computer network to make or cause to be made anunauthorized copy, in any form, including, but not limited to, any printed orelectronic form of computer data, computer programs or computer softwareresiding in, communicated by, or produced by a computer or computer network.

7. [Repealed.]

B. Any person who violates this section shall be guilty of computer trespass,which offense shall be punishable as a Class 1 misdemeanor. If there isdamage to the property of another valued at $1,000 or more caused by suchperson's act in violation of this section, the offense shall be punishable asa Class 6 felony.

C. Nothing in this section shall be construed to interfere with or prohibitterms or conditions in a contract or license related to computers, computerdata, computer networks, computer operations, computer programs, computerservices, or computer software or to create any liability by reason of termsor conditions adopted by, or technical measures implemented by, aVirginia-based electronic mail service provider to prevent the transmissionof unsolicited electronic mail in violation of this article. Nothing in thissection shall be construed to prohibit the monitoring of computer usage of,the otherwise lawful copying of data of, or the denial of computer orInternet access to a minor by a parent or legal guardian of the minor.

Doesn’t really seem to fit the bill, either.

First, I think you have a hard time proving “malicious intent” from just a port scan without other activity.

However, even if you do, it’s hard to imagine how a port scan would meet any of the 6 tests stated.

Care to try again?

Owen