Flattening the curve on abusive ip hosts

If you run a server doing something usually boring, there will be people seeing if they can exploit it (my blog). Some of those attempts are clever and others are purely incompetent.

Recently I have been black-holing abusive hosts by IP. Once spotted we block them with Fail2ban (my blog), which monitors the log files said servers produce and identifies the candidates for ignoring; it is not a case of me deciding, say, that Fiji is a bad place because Truman Burbank lives there, there are logs of inconvenient facts. Multiple Fail2ban reports or a large brute force (a large report) are good reasons to null route, but if I see an address once in an already bad neighbourhood then it is a given block, as that might be the ISP 'whack a mole'* game.

Twenty days since my last reboot I am not getting the peaks, which essentially come from the abusive, or maybe from morons who should not be running them.

In the listing below a lot of Taiwan (see 1.163.128.100 and other ranges, the orange text) can be found. Taiwan does not action abuse reports, and nor does the nearby state of China. Although I occasionally advise hosting firms, if they do not bother then I am covered both ways; I certainly would not want one of the addresses I list below.

You will find that some of these probably have other blocklist records (my blog) as well.

I really do not care that these people cannot do anything on our sites. This is not an extensive list of the millions of IPv4 addresses; it is a selected list which, if sold as an exclusive food in a posh food shop, might be described as the premier cru of clueless fools or owned folk. This list is sorted; it is not kept in this format.


It is worth the work. If you think that is a lot, it is not: that is 209 addresses out of millions in the IPv4 scheme, or put another way, under one class C of 255 addresses like the one your router uses. I am sure ip route add blackhole [ipv6] works in some manner too; all I need is IPv6 (my blog), which I cannot get without replacing most of the zoo's internet things. Blue addresses should be Amazon Web Services.

I now have a better script that bulk loads these when I do an occasional reboot. While it is not brilliant, since it still does not block whole ranges or subnets, it means once you are on the list it is rather hard to get off it. That script is:

#!/bin/sh
# Load null routes from blackhole.txt, one IPv4 address per line.
# Must be run with root permissions (ip route add needs them).
echo "load null routes from blackhole.txt"
N=0
while read -r LINE ; do
    N=$((N+1))
    #echo "Line $N = $LINE"
    ip route add blackhole "$LINE/32"
done < blackhole.txt

The problem with a large list of addresses is that it is not very clear what each host was doing, so in future I will have a file for SSH attempts, etc., and then load those. A criticism I make is that if I leave a blank line (or a stray \n) ip yells that it is wrong.
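As an added example (not the blog's script), here is a stricter loader that deals with the blank-line complaint: it skips blank lines, comments and duplicate entries, validates each address before it reaches ip, and reports what it did. The IP_CMD variable and the sample list are my assumptions for a dry run.

```shell
#!/bin/sh
# Added example (not the blog's script): load null routes from a blackhole
# list on stdin, skipping blank lines, "#" comments, duplicates and malformed
# entries so nothing bad reaches ip. IP_CMD=echo gives a dry run; "ip" needs root.

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
is_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    rest="$1."; n=0                  # trailing dot so the loop eats 4 octets
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}; n=$((n+1))
        [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Read the list from stdin; a note after the address ("<- Taiwan") is
# ignored. Prints "added=N skipped=M dups=D" for the reboot log.
load_blackholes() {
    added=0; skipped=0; dups=0; seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        addr=${line%%#*}            # drop comments
        set -- $addr                # keep the first field only
        addr=${1:-}
        [ -z "$addr" ] && continue  # blank line: nothing to route
        case "$seen" in
            *" $addr "*) dups=$((dups+1)); continue ;;  # already routed
        esac
        seen="$seen$addr "
        if is_ipv4 "$addr"; then
            ${IP_CMD:-ip} route add blackhole "$addr/32" && added=$((added+1))
        else
            echo "skipping malformed entry: $line" >&2
            skipped=$((skipped+1))
        fi
    done
    echo "added=$added skipped=$skipped dups=$dups"
}

# Constructed sample list (not the blog's data) used for the dry run below.
SAMPLE_LIST='# comment line
1.163.128.100 <- repeat fail2ban offender
1.163.128.100

54.251.61.114 <- amazon web services
300.1.2.3 <- malformed on purpose
222.52.118.225'

# Real use: load_blackholes < blackhole.txt ; dry run: IP_CMD=echo sh script.sh
[ "${IP_CMD:-ip}" = echo ] && printf '%s\n' "$SAMPLE_LIST" | load_blackholes
```

The duplicate handling also covers the repeated entries a sorted staging file like the one further down produces, so the same list can be loaded without ip complaining that the route already exists.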

As this is another much delayed post and at least a month has passed, I can tell you that our quota usage (my blog) is way down: 26 days into a 31 day month, 40% of our bandwidth is used. So yes, it is worth it, and the script, if kept updated, keeps the clueless at bay when a reboot is required.

Where are they from –  time for charts!

[charts: world, regional, row, europe, asia, country]

How did I do this? The file of IP addresses was sent to a GeoIP lookup, then a bit of sorting and charting and you get pretty charts. Remember these are hosts that hit again and again; single once-only reports are on the whole not actioned.

Data is below if you want to make your own charts.

Count  Country             Region              Region count
    3  Australia           asia
   13  India               asia
   24  China               asia
    2  Indonesia           asia
    1  Japan               asia
    4  Korea               asia
    1  Singapore           asia
   47  Taiwan              asia                          95
    1  Croatia             europe
    6  France              europe
    7  Germany             europe
    2  Hungary             europe
    2  Iceland             europe
    4  Italy               europe
    1  Luxembourg          europe
    2  Netherlands         europe
    1  Poland              europe
    1  Romania             europe
   18  Spain               europe
   12  United Kingdom      europe                        57
    1  Israel              middle east
    2  Turkey              middle east                    3
    1  Canada              north america
   41  United States       north america                 42
    2  Russian Federation  russian federation
    2  Ukraine             russian federation             4
    1  Argentina           south america
    2  Brazil              south america
    2  Mexico              south america
    1  Venezuela           south america                  6
  207  Total                                             207

To keep attacks straight I have a staging file of hosts that have been flagged: add to the file, sort it, and I have valid hosts to block, for example:


A single number after the IP indicates a continuous report stream, and "added" means those hosts have no more access.

No regrets. Maybe next year I will do this again with new data.

* where an ISP is complicit in moving the spammer client around its infrastructure to avoid DNSBLs and firewalls.
