We have actively started to block 23/tcp to our customers' CPEs... Huge amounts of connection attempts / scans over our prefixes. All IPv4, zero on IPv6 (not yet at least).

On Wed, Nov 16, 2016 at 8:12 PM, Otto Monnig <omon...@gmail.com> wrote:

> We’ve been monitoring/logging/blocking ports 23 and 2323 at our site for
> the past several weeks, after remediating a 60-75 Mbps attack on a 100 Mbps
> fiber feed.
>
> On port 23, we have accumulated 377,319 different IP addresses hitting our
> systems. For port 2323, 42,913 different IP addresses.
>
> The addresses are widely distributed, making aggregation nearly impossible.
>
> Below is a list of offending subnets, ranked by number of offenders
> (powers of 2), sorry for the length.
>
> Total 375232
>
> --
> Otto Monnig
> omon...@gmail.com
>
> > On Nov 16, 2016, at 10:52 AM, Stephen Satchell <l...@satchell.net> wrote:
> >
> > I've been seeing a lot of rejections in my logs for 2323/tcp. According
> > to the Storm Center, this is what the Mirai botnet scanner uses to look
> > for other target devices.
> >
> > Is it worthwhile to report sightings to the appropriate abuse addresses?
> > (That assumes there *is* an abuse address associated with the IPv4
> > address that is the source.) Would administrations receiving these
> > notices do anything with them?
> >
> > Alternatively, is there anyone collecting this information from people
> > like me to expose the IP addresses of possible infections?
> >
> > I am toying with the idea of setting up a honey-pot, but I'm so far
> > behind with $DAYJOB that such a project will have to wait a bit.
> >
> > I want to be a good net citizen. I also want to make sure I'm not
> > wasting my time.
> >
> > Today's crop:

--
Regards,
Chris Knipe
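
Added example, not part of the original thread: one way to derive the per-port distinct-source counts and the per-/8 ranking described in the quoted message from firewall logs, plus a check of how far the sources aggregate. The iptables-style log format, the sample lines (documentation address ranges) and the round-down-to-a-power-of-two bucketing are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log lines (iptables-style LOG format is an assumption).
SAMPLE_LOG = """\
Nov 16 10:00:01 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=40112 DPT=23
Nov 16 10:00:02 gw kernel: DROP IN=eth0 SRC=192.0.2.11 DST=198.51.100.1 PROTO=TCP SPT=51820 DPT=23
Nov 16 10:00:03 gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=40113 DPT=23
Nov 16 10:00:04 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=198.51.100.1 PROTO=TCP SPT=33001 DPT=23
Nov 16 10:00:05 gw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP SPT=33002 DPT=2323
Nov 16 10:00:06 gw kernel: DROP IN=eth0 SRC=192.0.2.200 DST=198.51.100.1 PROTO=TCP SPT=33003 DPT=23
Nov 16 10:00:07 gw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=33004 DPT=22
Nov 16 10:00:08 gw kernel: DROP IN=eth0 SRC=2001:db8::1 DST=2001:db8::2 PROTO=TCP SPT=33005 DPT=23
"""
LINE_RE = re.compile(r"SRC=(\S+) .*?PROTO=TCP .*?DPT=(\d+)")

def distinct_sources(log_text, ports=(23, 2323)):
    """Return {port: set of distinct IPv4 sources} for the watched TCP ports."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group(2)) not in ports:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed SRC field
        if addr.version == 4:  # IPv6 sources are left out of the /8 ranking
            seen[int(m.group(2))].add(addr)
    return dict(seen)

def floor_pow2(n):
    """Largest power of two <= n (assumed meaning of the 'powers of 2' buckets)."""
    return 1 << (n.bit_length() - 1)

def rank_by_slash8(addrs):
    """Rank /8 networks by distinct offenders, counts bucketed to powers of two."""
    counts = Counter(int(a) >> 24 for a in addrs)
    rows = [(ipaddress.ip_network(f"{o}.0.0.0/8"), floor_pow2(c)) for o, c in counts.items()]
    return sorted(rows, key=lambda r: (-r[1], int(r[0].network_address)))

def aggregated_prefixes(addrs):
    """Collapse adjacent /32s; a result barely shorter than the input means the
    sources are too scattered for prefix-based blocking to help."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(f"{a}/32") for a in addrs))

if __name__ == "__main__":
    for port, addrs in sorted(distinct_sources(SAMPLE_LOG).items()):
        print(port, len(addrs), "sources ->", len(aggregated_prefixes(addrs)), "prefixes")
        for net, bucket in rank_by_slash8(addrs):
            print(f"  {net} {bucket}")
```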