I have noticed this, and especially the strange format of the packets with a SYN/ECE/CWR flag combination: http://pastebin.com/jFCDAmdr

This may be $whoever trying to establish network performance/congestion via ECN, or it could be something else like a fast scan technique or OS fingerprinting.

On Thu, Mar 31, 2016 at 5:50 AM, marcel.duregards--- via NANOG <nanog@nanog.org> wrote:
> I cannot blame them for not answering all of the thousands of emails
> destined to their abuse mailbox. And the goal of my email was not to
> call them out on a public forum, but rather to know how other ops deal with
> it, and also if MS (and competitors) have automatic detection of such
> 'illegal' traffic, and if not, why?
>
> On 31.03.2016 10:18, Todd Crane wrote:
> > Oh and,
> >
> > I'm assuming you contacted Microsoft's abuse? If not, it's not cool, not
> > to mention unprofessional, to publicly call them out on such a public forum
> > without giving them an opportunity to correct it first.
> >
> >> On Mar 31, 2016, at 1:15 AM, Todd Crane <todd.cr...@n5tech.com> wrote:
> >>
> >> Marcel
> >>
> >> Depending on what is on those machines, I would just recommend using
> >> fail2ban. The default is that if an IP address fails ssh auth 3 times in 5
> >> minutes, their IP gets blocked via iptables for 5 minutes. This is enough
> >> to thwart most scripted attacks, especially those from a certain government
> >> in Asia. This is configurable to various applications, timing schemes, and
> >> blocking/jailing mechanisms.
> >>
> >> -Todd
> >>
> >>> On Mar 31, 2016, at 1:02 AM, marcel.duregards--- via NANOG <nanog@nanog.org> wrote:
> >>>
> >>> Dear Nanog'er,
> >>>
> >>> We are facing a lot of port scans and brute force attacks on port 22 (but
> >>> not limited to) from the Microsoft AS 8075 range toward our own infra, or
> >>> toward our customers.
> >>> We have sent email to ab...@microsoft.com, but no answer.
> >>>
> >>> Source IPs are:
> >>> NetRange: 40.74.0.0 - 40.125.127.255
> >>> CIDR: 40.74.0.0/15, 40.112.0.0/13, 40.124.0.0/16,
> >>> 40.76.0.0/14, 40.80.0.0/12, 40.125.0.0/17, 40.96.0.0/12, 40.120.0.0/14
> >>> NetName: MSFT
> >>>
> >>> We consider port scans and brute force on the ssh port as an attack, and even
> >>> as a pre-DDoS phase (could be used to install botnets, detect unpatched
> >>> hosts, and so on).
> >>>
> >>> It's one thing to propose services and make money over an infra; it's
> >>> another thing to take care that your clients do not use this infra to make
> >>> illegal stuff.
> >>>
> >>> How do you deal with such a massive amount of 'illegal' traffic?
> >>>
> >>> Thanks,
> >>> Best Regards
> >>> Marcel
> >>>
> >>> Here are some examples (we have more than 3000 such packets per day just
> >>> from them, probably Azure), and the source IP is always different of course:
> >>>
> >>> Flow Filtering Expression
> >>> src AS 8075 and dst port 22 and packets=1
> >>> Limit Flows
> >>> 40000
> >>> Sorting
> >>> By Date
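As an added example (not part of the thread, and not anyone's production tooling), a small Python triage script that applies the same flow filter Marcel used, "src AS 8075 and dst port 22 and packets=1", to constructed flow records and reports how many of the matching single-packet flows carried the ECE+CWR bits that RFC 3168 defines for an ECN-setup SYN, which is what the SYN/ECE/CWR combination in the reply above would look like if it were plain ECN negotiation. The Flow record layout and the sample records are assumptions.

```python
from collections import Counter
from typing import NamedTuple

# TCP flag bits in header order (RFC 793; ECE and CWR from RFC 3168).
FLAG_BITS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
             "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
CWR, ECE, ACK, SYN = (FLAG_BITS[n] for n in ("CWR", "ECE", "ACK", "SYN"))

class Flow(NamedTuple):
    """Minimal flow record (assumed layout, similar to a NetFlow/IPFIX export)."""
    src_as: int
    src_ip: str
    dst_port: int
    packets: int
    flags: int  # OR of all TCP flags seen on the flow

def flag_names(flags: int) -> list[str]:
    """Human-readable flag list, e.g. 0xC2 -> ['CWR', 'ECE', 'SYN']."""
    return [name for name, bit in FLAG_BITS.items() if flags & bit]

def is_ecn_setup_syn(flags: int) -> bool:
    """RFC 3168 ECN-setup SYN: SYN with ECE and CWR set and ACK clear."""
    return flags & (SYN | ECE | CWR | ACK) == (SYN | ECE | CWR)

def single_packet_flows(flows, src_as=8075, dst_port=22):
    """Same predicate as the thread's 'src AS 8075 and dst port 22 and packets=1'."""
    return [f for f in flows
            if f.src_as == src_as and f.dst_port == dst_port and f.packets == 1]

def triage(flows, src_as=8075, dst_port=22) -> dict:
    """Counts matching flows, distinct sources and how many were ECN-setup SYNs."""
    hits = single_packet_flows(flows, src_as, dst_port)
    return {
        "matched": len(hits),
        "sources": len({f.src_ip for f in hits}),
        "ecn_setup_syn": sum(is_ecn_setup_syn(f.flags) for f in hits),
        "flag_combos": dict(Counter("/".join(flag_names(f.flags)) for f in hits)),
    }

# Constructed sample records (RFC 5737 documentation addresses, not real sources).
SAMPLE_FLOWS = [
    Flow(8075, "192.0.2.10", 22, 1, SYN),                # bare SYN, one packet
    Flow(8075, "192.0.2.11", 22, 1, SYN | ECE | CWR),    # ECN-setup SYN, one packet
    Flow(8075, "192.0.2.12", 22, 14, SYN | ACK | 0x08),  # completed session: ignored
    Flow(8075, "192.0.2.13", 443, 1, SYN),               # other port: ignored
    Flow(64496, "198.51.100.7", 22, 1, SYN),             # other AS: ignored
]

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```

Single-packet flows that stay single-packet regardless of the ECN bits are the signal worth alerting on; the flag breakdown only helps decide whether a source is an ECN-capable host that never completed the handshake or a bare probe.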