Trump & Iran

Just wanted to start off by saying this is NOT a political post, please refrain from voicing your politics.

Since Trump knocked off that Iran general, I have seen a HUGE influx of IPs banging on my firewall door. Anyone else noticing/experiencing this?

Similar subnets like this: 46.38.144.0/24
https://bgp.he.net/ip/46.38.144.0

Comments

  • tester4 Member
    edited January 2020

    In all seriousness though, no - exact same amount of load as usual, all from China mainly.

  • tester4 said: China

    Same. The majority of the shitty traffic to my servers is from China more than anywhere else.

  • The AS number advertising that is in Hong Kong (Tele Asia Limited): https://bgp.he.net/AS133398

    The Iranian company whose name is listed had a different AS number that was only active from July 2019 to October 2019, which was previously routed via Tele Asia: https://bgp.he.net/AS208554

    You're most likely just being attacked by someone in China using an IP block with stale whois info.

    But I could be wrong, someone with more experience with BGP routing would know better.

  • raindog308 Administrator, Veteran

    So you're saying there's something troubling about unstoppable extremist Near Eastern techs?

    Incompetent Iranian script kiddies do not make me lose sleep, even if they’re employed by Tehran.

  • @PainlessHosting said:
    The AS number advertising that is in Hong Kong (Tele Asia Limited): https://bgp.he.net/AS133398

    The Iranian company whose name is listed had a different AS number that was only active from July 2019 to October 2019, which was previously routed via Tele Asia: https://bgp.he.net/AS208554

    You're most likely just being attacked by someone in China using an IP block with stale whois info.

    But I could be wrong, someone with more experience with BGP routing would know better.

    Wow! Good catch! I normally block ALL China traffic, as much as I can, they're all garbage. I'll add this ASN to the block. Reminds me to keep a better eye on the ASN, not just the IP location. Thank you!

  • @tester4 said:

    In all seriousness though, no - exact same amount of load as usual, all from China mainly.

    This gave me a good LOL! Typical Apple junk. Product of those Chinese sweatshops ;)

    Yea, I block China as much as I can. I don't see why everyone doesn't do it? They'll learn eventually, they can't get away with that behavior, when no one wants to play with them. Sometimes you gotta treat them like the back yard gimp step child they want to be ;) LOL

  • @Charles_In_IT said:

    @PainlessHosting said:
    The AS number advertising that is in Hong Kong (Tele Asia Limited): https://bgp.he.net/AS133398

    The Iranian company whose name is listed had a different AS number that was only active from July 2019 to October 2019, which was previously routed via Tele Asia: https://bgp.he.net/AS208554

    You're most likely just being attacked by someone in China using an IP block with stale whois info.

    But I could be wrong, someone with more experience with BGP routing would know better.

    Wow! Good catch! I normally block ALL China traffic, as much as I can, they're all garbage. I'll add this ASN to the block. Reminds me to keep a better eye on the ASN, not just the IP location. Thank you!

    Most of the middle east routes through Asia and Russia, so if you just block all IP blocks being announced by any Asian and Russian ASNs then you should be covered (assuming you have no desire to do business there, which we do not).

    RIPE has an API you can use to automate this: https://stat.ripe.net/docs/data_api
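The automation suggested above, as an added example that is not any poster's code: it takes the prefixes an ASN currently announces (the RIPEstat Data API "announced-prefixes" call at the documentation link above), validates and merges them, and emits nftables set and drop rules. It also answers the earlier question of whether a given address such as 46.38.144.x falls inside the block list. The JSON response below is a constructed sample in the API's shape so the script runs offline; the prefixes in it are illustrative and not a claim about what AS133398 actually announces, and the table and chain names are assumptions.

```python
"""Turn an ASN's announced prefixes (RIPEstat Data API) into nftables drop rules.

Added example for this thread, not code from any poster. The live query uses the
RIPEstat 'announced-prefixes' call; SAMPLE_RESPONSE is a constructed stand-in.
"""
import ipaddress
import json
import urllib.request

RIPESTAT_URL = "https://stat.ripe.net/data/announced-prefixes/data.json?resource={asn}"

# Constructed sample in the shape of a RIPEstat announced-prefixes response.
# The prefixes are illustrative only, not what AS133398 really announces.
SAMPLE_RESPONSE = json.dumps({
    "status": "ok",
    "data": {
        "resource": "133398",
        "prefixes": [
            {"prefix": "46.38.144.0/24", "timelines": []},
            {"prefix": "46.38.145.0/24", "timelines": []},
            {"prefix": "46.38.144.0/24", "timelines": []},   # duplicate entry
            {"prefix": "2001:db8:1::/48", "timelines": []},
            {"prefix": "garbage", "timelines": []},          # malformed entry
        ],
    },
})


def announced_url(asn):
    """URL of the live query, e.g. announced_url('AS133398')."""
    return RIPESTAT_URL.format(asn=asn)


def fetch_announced(asn, timeout=30):
    """Live fetch of the response body; not exercised offline."""
    with urllib.request.urlopen(announced_url(asn), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_prefixes(body):
    """Validated, deduplicated (v4_list, v6_list) from a response body.

    Malformed entries are skipped rather than turned into a rule that nft would
    reject, or that matches something other than what was intended.
    """
    doc = json.loads(body)
    if doc.get("status") != "ok":
        raise ValueError("RIPEstat status: %r" % doc.get("status"))
    v4, v6 = set(), set()
    for item in doc["data"]["prefixes"]:
        try:
            net = ipaddress.ip_network(item["prefix"], strict=True)
        except (KeyError, ValueError):
            continue
        (v4 if net.version == 4 else v6).add(net)
    return sorted(v4), sorted(v6)


def collapse(nets):
    """Merge adjacent or overlapping networks of one address family."""
    return list(ipaddress.collapse_addresses(nets))


def nft_rules(asn, v4, v6, table="filter", chain="input"):
    """nft commands creating interval sets and drop rules for the prefixes.

    Assumes table 'inet filter' and chain 'input' already exist.
    """
    tag = asn.lower().replace("as", "", 1)
    rules = []
    if v4:
        elems = ", ".join(str(n) for n in collapse(v4))
        rules.append(f"add set inet {table} asn{tag}_v4 {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}")
        rules.append(f"add rule inet {table} {chain} ip saddr @asn{tag}_v4 drop")
    if v6:
        elems = ", ".join(str(n) for n in collapse(v6))
        rules.append(f"add set inet {table} asn{tag}_v6 {{ type ipv6_addr; flags interval; elements = {{ {elems} }} }}")
        rules.append(f"add rule inet {table} {chain} ip6 saddr @asn{tag}_v6 drop")
    return rules


def covered(ip, nets):
    """True if ip falls inside any network in nets (same address family only)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets if n.version == addr.version)


if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_announced("AS133398") for a live run.
    v4, v6 = parse_prefixes(SAMPLE_RESPONSE)
    for line in nft_rules("AS133398", v4, v6):
        print(line)
```

Two caveats before feeding the output to `nft -f`: an ASN's announcements change, so the list has to be regenerated on a schedule rather than applied once, and, as the thread notes, the origin ASN and the whois/GeoIP data for a block can disagree, so check which of the two you actually mean to block.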

  • raindog308 Administrator, Veteran

    Charles_In_IT said: I don't see why everyone doesn't do it?

    In my mind, we need to turn the Great Firewall of China into a firewall facing the opposite way.

    Every box with a public IP I've ever run over the last 10+ years eventually gets a bunch of Chinese IPs knocking on its door. Occasionally from other countries, but always from China.

  • jarjar Patron Provider, Top Host, Veteran
    edited January 2020

    Charles_In_IT said: Since Trump knocked off that Iran general, I have seen a HUGE influx of IPs banging on my firewall door. Anyone else noticing/experiencing this?
    Similar subnets like this: 46.38.144.0/24

    Hell yeah:

    [root@gateway] ~ # darun grep 46.38.144 /var/log/exim/mainlog | wc -l
    63323

    Diving down further:

    [root@longhorn log]# grep "46.38.144" exim/mainlog | grep "Incorrect auth" | wc -l
    27249

    Bye bye to that range:

    [root@gateway] ~ # cprun ip route add blackhole 46.38.144.0/24
    [root@gateway] ~ # darun ip route add blackhole 46.38.144.0/24

    They're not targeting customers so:
    https://clbin.com/m24dX

    No idea if this has any relation to the mentioned events, but always happy to catch someone flying under radar and swapping out IPs just enough to avoid blocks.
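The grep-and-blackhole procedure in the post above, as an added example that is not jarjar's script nor cPanel/DirectAdmin code: it pulls the source IP out of exim's "535 Incorrect authentication data" lines, counts failures per /24 (or /64 for IPv6), and emits `ip route add blackhole` commands. The point of grouping by block rather than by host is the behaviour the post describes: an attacker that rotates addresses inside one range stays under a per-IP threshold but not under a per-/24 one. The log lines are constructed in exim mainlog format, and the thresholds are assumptions to tune per server.

```python
"""Aggregate exim SMTP AUTH failures per /24 and emit blackhole routes.

Added example for this thread, not code from any poster or mail panel.
SAMPLE_LINES are constructed in exim mainlog format.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: one /24 hitting from five different hosts, one legitimate
# user who typo'd a password then logged in, and one single noisy host.
SAMPLE_LINES = [
    "2020-01-05 03:14:07 login authenticator failed for (User) [46.38.144.10]: 535 Incorrect authentication data (set_id=sales@example.com)",
    "2020-01-05 03:14:09 login authenticator failed for (User) [46.38.144.11]: 535 Incorrect authentication data (set_id=info@example.com)",
    "2020-01-05 03:14:12 plain authenticator failed for (User) [46.38.144.212]: 535 Incorrect authentication data (set_id=admin@example.com)",
    "2020-01-05 03:14:15 login authenticator failed for (User) [46.38.144.33]: 535 Incorrect authentication data (set_id=admin@example.com)",
    "2020-01-05 03:14:40 login authenticator failed for (User) [46.38.144.40]: 535 Incorrect authentication data (set_id=root@example.com)",
    "2020-01-05 03:15:01 login authenticator failed for (mail.example.net) [203.0.113.9]: 535 Incorrect authentication data (set_id=bob@example.com)",
    "2020-01-05 03:15:20 1ioAbC-0001xy-Qz <= bob@example.com H=(client) [203.0.113.9] P=esmtpsa A=login:bob@example.com S=1234",
] + [
    f"2020-01-05 03:16:{s:02d} login authenticator failed for (User) [198.51.100.7]: 535 Incorrect authentication data (set_id=postmaster@example.com)"
    for s in range(2, 12, 2)
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES) + "\n"

# exim logs a failed AUTH as: "<auth> authenticator failed for (<helo>) [<ip>]: 535 Incorrect authentication data ..."
AUTH_FAIL = re.compile(
    r"authenticator failed for \(.*?\) \[(?P<ip>[0-9A-Fa-f.:]+)\]: 535 Incorrect authentication data"
)


def failed_auth_ips(lines):
    """Source addresses of failed SMTP AUTH attempts; successful logins do not match."""
    out = []
    for line in lines:
        m = AUTH_FAIL.search(line)
        if m:
            out.append(ipaddress.ip_address(m.group("ip")))
    return out


def group_by_block(addrs, v4_len=24, v6_len=64):
    """Attempt count and distinct host set per covering block."""
    attempts = Counter()
    hosts = defaultdict(set)
    for a in addrs:
        plen = v4_len if a.version == 4 else v6_len
        net = ipaddress.ip_network(f"{a}/{plen}", strict=False)
        attempts[net] += 1
        hosts[net].add(a)
    return attempts, hosts


def blackhole_routes(attempts, hosts, min_attempts=5, min_hosts=3):
    """Blackhole the whole block when failures are spread across several hosts
    (the address-rotation pattern); blackhole only the host when it is one
    noisy address. Thresholds are assumptions, tune them per server."""
    routes = []
    order = sorted(attempts.items(),
                   key=lambda kv: (-kv[1], kv[0].version, int(kv[0].network_address)))
    for net, n in order:
        if n < min_attempts:
            continue
        if len(hosts[net]) >= min_hosts:
            routes.append(f"ip route add blackhole {net}")
        else:
            routes.extend(f"ip route add blackhole {h}" for h in sorted(hosts[net]))
    return routes


def routes_from_log(text, **thresholds):
    attempts, hosts = group_by_block(failed_auth_ips(text.splitlines()))
    return blackhole_routes(attempts, hosts, **thresholds)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/exim/mainlog").read() on a real box.
    for cmd in routes_from_log(SAMPLE_LOG):
        print(cmd)
```

Two things worth keeping in mind with this approach: a blackhole route added with `ip route add` is gone after a reboot, so whatever it produces needs to land in the persistent firewall config as well, and a whole /24 on a shared hosting provider or mobile carrier also contains legitimate senders, which is why the example only widens to the block when the failures come from several distinct hosts.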

  • I don't know if it's related, but I did observe odd things. Lots of requests from IPs without reverse DNS; a lookup showed they were coming from the Middle East, China and Russia. It lasted for some hours.

    Among all my filters, I block IPs without reverse DNS.

  • CC_DENY RU,CN,TW,SG,IL,MX,BR,AG,IN,SG,SC :-o That leaves USA as the biggest culprits in hack attempts/port scanning.

  • @AlwaysSkint said:
    CC_DENY RU,CN,TW,SG,IL,MX,BR,AG,IN,SG,SC :-o That leaves USA as the biggest culprits in hack attempts/port scanning.

    It's so terrible here in Singapore that you've had to block us twice

  • @AlwaysSkint said:
    CC_DENY RU,CN,TW,SG,IL,MX,BR,AG,IN,SG,SC :-o That leaves USA as the biggest culprits in hack attempts/port scanning.

    Why not add HK also?

  • Does blocking China from accessing a server also mean visitors from Hong Kong will be blocked?

  • AlwaysSkint Member
    edited January 2020

    Oops, my usual typo - yes HK, in place of one SG ;)
    Note: I have an exception on one USA server, 'cos they have a client in MX.

    P.S. Singnomore ain't such a bad place, having lived there as a kid, for a few years. ;)
    Anyway, it was just an example of what I usually have in place: Oz servers could have FR, DE etc. added to the list. Using an external source, I also block all Amazon AWS. Additionally, this can be problematic if a particular GeoIP isn't up to date (hello, Virmach).

  • pkr Member

    @Charles_In_IT said:
    Just wanted to start off by saying this is NOT a political post, please refrain from voicing your politics.

    Since Trump knocked off that Iran general, I have seen a HUGE influx of IPs banging on my firewall door. Anyone else noticing/experiencing this?

    Similar subnets like this: 46.38.144.0/24
    https://bgp.he.net/ip/46.38.144.0

    My VPS died once because Iran bombed it. They screwed up my BW usage in just 2 days.
    Why are they attacking servers in Germany?
