Flattening the curve on abusive ip hosts

If you run a server, even one doing something boring, there will be people seeing if they can exploit it (my blog). Some of those attempts are clever and others are pure incompetence.

Recently i have been black-holing abusive hosts by ip. Once spotted we block them with Failtoban (my blog), which identifies the candidates for ignoring by monitoring the log files said servers make; it is not a case of me deciding that, say, Fuji is a bad place because Truman Burbank lives there, there are logs of inconvenient facts. Multiple failtoban reports or a large brute force (a large report) are good reasons to null route, but if i see an address once in an already bad neighbourhood then it is a given block, as that might be the isp 'whack a mole'* game.

Twenty days since my last reboot i am not getting the peaks that essentially come from the abusive hosts, or from morons who should not be running them.

In the listing below a lot of Taiwan (see and other ranges – orange text) can be found. Taiwan does not action abuse reports, and nor does the nearby state of China. Although i occasionally advise hosting firms, if they do not bother then i am covered both ways; i certainly would not want one of the addresses i list downwards from here

You will find some of these also probably have other blocklist records (my blog) as well.

I really do not care that these people cannot do anything on our sites, and as this is not an extensive list of the millions of ipv4 addresses it is a selected list which, if sold as an exclusive food in a posh food shop, might be described as the premier cru of clueless fools or owned folk. This list is sorted; it is not in this format.

[listing of blocked addresses not reproduced; colour key: <- Taiwan, <- amazon web services, <- bad neighborhood]

It's worth the work. If you think that is a lot, it is not: that is 209 addresses out of millions in the ipv4 scheme – put another way, that is under a class c of 255 addresses like your router uses. I am sure ip route add blackhole [ipv6] works in some manner too; all i need is ipv6 (my blog), which i cannot get without replacing most of the zoo's internet things. Blue addresses should be amazon web services.

I now have a better script that bulk loads these when i do an occasional reboot. So while it's not brilliant, by still not blocking whole ranges or subnets, it means once you're on the list it's rather hard to get off it. That script is:

echo "load null routes from blackhole.txt";
# must have root permissions
cat blackhole.txt | while read LINE ; do
  #echo "Line $N = $LINE"
  ip route add blackhole "$LINE"/32;
done

The problem with a large list of addresses is it is not very clear what the thing was doing, so in the future i will have a file for ssh attempts, etc., and then load those. A criticism i make is that if i leave a blank line (or \n) ip yells that it is wrong.
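Here is an added example of the same bulk loader, not the post's own script, written so the blank-line complaint above goes away: comments, blank lines and anything that is not a dotted quad are dropped before the addresses reach ip, duplicates are collapsed, and the command list is built separately from running it so it can be reviewed without root. It assumes Linux iproute2 (ip route) and a blackhole.txt in the same one-address-per-line layout as the post; the sample addresses are constructed RFC 5737 documentation addresses.

```sh
#!/bin/sh
# Added example (not the post's own script): bulk-load null routes from a
# blackhole.txt that may contain blank lines, trailing spaces and '#' comments,
# the cases the one-liner in the post trips over. Assumes Linux iproute2.

# Turn the file into one "ip route add blackhole A.B.C.D/32" command per valid
# IPv4 address. Comments and blank lines are dropped, anything that is not a
# dotted quad with octets 0-255 is ignored, and duplicates are collapsed so a
# repeated address does not produce "RTNETLINK answers: File exists".
# Kept separate from execution so the result can be reviewed without root.
blackhole_commands() {
    # $1 = path to the blackhole list
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | awk -F. '$1 < 256 && $2 < 256 && $3 < 256 && $4 < 256' \
    | sort -u \
    | sed 's|.*|ip route add blackhole &/32|'
}

# Apply the routes; must run as root. A failure on one address (for example a
# route that already exists) is reported and the rest of the list still loads.
load_null_routes() {
    blackhole_commands "$1" | while IFS= read -r cmd; do
        $cmd || echo "failed: $cmd" >&2
    done
}

# Constructed sample input (RFC 5737 documentation addresses, not real abusers)
# so the script can be run stand-alone as a dry run:
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# flagged by fail2ban
198.51.100.23

203.0.113.7   # ssh brute force
198.51.100.23
999.1.1.1
not-an-ip
EOF

blackhole_commands "$SAMPLE"      # prints two commands
# load_null_routes "$SAMPLE"      # uncomment to apply them as root
rm -f "$SAMPLE"
```

Run it as is to see what would be loaded; only the commented-out load_null_routes line needs root. Splitting the list into ssh.txt, smtp.txt and so on, as the paragraph above suggests, then just means calling load_null_routes once per file.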

As this is another much delayed post, and at least a month has passed, i can tell you that our quota usage (my blog) is way down: 26 days into a 31 day month, 40% of our bandwidth is used. So yes it is worth it, and the script, if kept updated, keeps the clueless at bay when a reboot is required.

Where are they from – time for charts!

[charts of the data below, not reproduced]
How did i do this? The file of ip addresses was sent to a geoip lookup, then a bit of sorting and charting and you get pretty charts. Remember these are hosts that hit again and again; single once-only reports are not actioned on the whole.

Data is below if you want to make your own charts.

Count  Country             Region              Region count
    3  Australia           asia
   13  India               asia
   24  China               asia
    2  Indonesia           asia
    1  Japan               asia
    4  Korea               asia
    1  Singapore           asia
   47  Taiwan              asia                95
    1  Croatia             europe
    6  France              europe
    7  Germany             europe
    2  Hungary             europe
    2  Iceland             europe
    4  Italy               europe
    1  Luxembourg          europe
    2  Netherlands         europe
    1  Poland              europe
    1  Romania             europe
   18  Spain               europe
   12  United Kingdom      europe              57
    1  Israel              middle east
    2  Turkey              middle east         3
    1  Canada              north america
   41  United States       north america       42
    2  Russian Federation  russian federation
    2  Ukraine             russian federation  4
    1  Argentina           south america
    2  Brazil              south america
    2  Mexico              south america
    1  Venezuela           south america       6
  207  Total                                   207
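The sorting step that turns a geoip lookup into the table above, as an added example that is not the post's own tooling. The lookup itself is not shown: this assumes a hypothetical CSV of ip,country,region with one line per flagged host, produced by whatever lookup you use, and with region labels of your own choosing. The sample rows are constructed (RFC 5737 addresses, invented origins).

```sh
#!/bin/sh
# Added example (not the post's own tooling): rebuild the country/region table
# from geoip lookup output. Assumes a hypothetical CSV "ip,country,region",
# one line per flagged host, however it was produced.

# Print the table in the post's layout: one row per country, rows grouped by
# region, the region subtotal on the region's last row, and a final total.
region_table() {
    # $1 = csv file of ip,country,region
    cut -d, -f2,3 "$1" | sort -t, -k2,2 -k1,1 | awk -F, '
        function emit(cnt, ctry, reg, subtotal) {
            line = cnt " " ctry " " reg
            if (subtotal != "") line = line " " subtotal
            print line
        }
        {
            if ($1 != country || $2 != region) {
                if (country != "") {
                    if ($2 != region) {          # region ends: attach its subtotal
                        emit(cc, country, region, rc); total += rc; rc = 0
                    } else {
                        emit(cc, country, region, "")
                    }
                }
                country = $1; region = $2; cc = 0
            }
            cc++; rc++
        }
        END {
            if (country != "") { emit(cc, country, region, rc); total += rc }
            print total " " total
        }'
}

# Constructed sample (RFC 5737 addresses, invented countries of origin):
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
198.51.100.23,Taiwan,asia
203.0.113.7,Taiwan,asia
203.0.113.9,India,asia
192.0.2.4,Spain,europe
192.0.2.5,Spain,europe
192.0.2.6,France,europe
EOF
region_table "$SAMPLE"
rm -f "$SAMPLE"
```

The input is sorted by region then country first, so the awk only has to notice when the country or region changes; the subtotal is printed on the last row of each region exactly as the post's table does it, and the closing line repeats the grand total twice in the same way.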

To keep attacks straight i have a staging file of hosts that have been flagged; add to the file, sort it and i have valid hosts to block, for example:

[addresses not reproduced] 2 added added added 2 2 added 4 added added 2 3 added added 2 added 3 added 5

A single number after the ip indicates a continuous report stream, and added means those hosts have no more access.
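The staging-file triage just described, as an added example rather than the post's own script. It assumes two hypothetical files: staging.txt, to which one line per failtoban report (just the address) is appended over time, and blackhole.txt, the list already loaded as null routes. The sample data is constructed from RFC 5737 addresses.

```sh
#!/bin/sh
# Added example (not the post's own script): sort the staging file, count how
# often each host was reported, and mark hosts already null routed as "added".
# Assumes hypothetical staging.txt and blackhole.txt files as described above.

# One line per reported host: "ip N" where N is how many reports it has
# accumulated, or "ip added" if it is already in the blackhole list.
triage() {
    # $1 = staging file, $2 = blackhole file
    grep -v '^[[:space:]]*$' "$1" | sort | uniq -c | while read -r n ip; do
        if grep -qxF "$ip" "$2"; then
            echo "$ip added"
        else
            echo "$ip $n"
        fi
    done
}

# Hosts worth loading on the next reboot: reported at least $3 times and not
# yet added. A single report is not actioned, matching the post's policy.
candidates() {
    triage "$1" "$2" | awk -v min="$3" '$2 != "added" && $2 + 0 >= min { print $1 }'
}

# Constructed sample data (RFC 5737 addresses):
STAGING=$(mktemp); BLACKHOLE=$(mktemp)
printf '198.51.100.23\n203.0.113.7\n198.51.100.23\n\n192.0.2.4\n198.51.100.23\n203.0.113.7\n' > "$STAGING"
printf '192.0.2.4\n' > "$BLACKHOLE"

triage "$STAGING" "$BLACKHOLE"        # 192.0.2.4 added / 198.51.100.23 3 / 203.0.113.7 2
candidates "$STAGING" "$BLACKHOLE" 3  # 198.51.100.23
rm -f "$STAGING" "$BLACKHOLE"
```

The output of candidates can be appended straight to blackhole.txt before a reboot; the threshold is a parameter because what counts as "a continuous report stream" is a judgement call per server.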

No regrets.  Maybe next year i will do this again with new data.

* where an isp is complicit in moving the spammer client around its infrastructure to avoid dnsbl's and firewalls.

7 responses

  1. Pingback: bitcoin with or without the fud | Bananas in the Falklands

  2. Pingback: The week that the sasl bots came to visit the zoo | Bananas in the Falklands

  3. Pingback: The bash zero day – not that dangerous imho | Bananas in the Falklands

  4. Pingback: Null routing bh.zain.com (menatelecom) | Bananas in the Falklands

  5. Pingback: The sorry state of dns hosters – or why i went diy | Bananas in the Falklands

  6. Pingback: Stress testing our mail server | Bananas in the Falklands

  7. Pingback: Shields up for dojo.shodan.io | Bananas in the Falklands
