[apops] [Fwd: Very peculiar Telnet probing (possibly spoofed?)]

  • To: apops at apops dot net
  • Subject: [apops] [Fwd: Very peculiar Telnet probing (possibly spoofed?)]
  • From: Suresh Ramasubramanian <suresh at outblaze dot com>
  • Date: Thu, 09 Sep 2004 11:27:15 +0530
  • List-archive: <http://www.apnic.net/mailing-lists/apops>
  • List-help: <mailto:apops-request@apops.net?subject=help>
  • List-id: Asia Pacific Operators Forum <apops.apops.net>
  • List-post: <mailto:apops@apops.net>
  • List-subscribe: <http://mailman.apnic.net/mailman/listinfo/apops>,<mailto:apops-request@apops.net?subject=subscribe>
  • List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/apops>,<mailto:apops-request@apops.net?subject=unsubscribe>
  • Organization: Outblaze - http://www.outblaze.com
  • User-agent: Mozilla Thunderbird 0.8 (X11/20040908)
      Strange post on nanog... if at least for the fact that telnetd isn't a very common service these days, so I for one see far fewer telnet probes than I used to see.

      suresh


      -------- Original Message --------
      Subject: Very peculiar Telnet probing (possibly spoofed?)
      Date: Thu, 09 Sep 2004 01:48:40 -0400
      From: Jeff Kell <jeff-kell at utc dot edu>
      To: Suresh Ramasubramanian <suresh at outblaze dot com>
      CC: Michael.Dillon at radianz dot com, nanog at merit dot edu, General DShield Discussion List <list at lists dot dshield dot org>
      References: <OF18597424.F55C5751-ON80256F09.00469308-80256F09.0046C4E2 at radianz dot com> <413F78B0.4050302 at outblaze dot com>


      I have been rather reluctant to post this as I had hoped it was just a
      fluke. But this has been going on for nearly two weeks. We are getting
      banged by telnet probes from SE Asian sites... over 1000 different ones
      in all attacking the same address range. I suspect but cannot prove
      that the packets are being spoofed as we are dropping (not resetting)
      the probes, yet they continue. There are repeated probes from the same
      IP address for about 15-20 minutes or more, then it moves along, but the
      resulting router logs blocking them look initially random (from SE Asia
      sites). Is someone out there to make a bad statement for APNIC by
      spoofing the origins, or is this some co-ordinated attack/probe?

      The high-order octet of the attackers is consistently within one of
      these /8 netblocks (though not evenly spread, and cluster around certain
      address blocks as shown). I haven't heard of anything like this (other
      than recent SSH brute force, but this is telnet).

      I'm getting attacks from:

      159.226.x.x
      202.x.x.x
      203.x.x.x
      210.x.x.x
      211.x.x.x
      218.x.x.x
      219.x.x.x
      220.x.x.x
      221.x.x.x
      222.x.x.x
      61.x.x.x

      Again, thousands of probes, about 10-20/sec when they're on a roll.
      These are attacks on a /18 subnet with only a small subnet (our secured
      servers) that is in danger (we block/drop telnet inbound to dynamic NAT
      but accept for static server translations).

      It is almost as if someone were spoofing the asian addresses to
      'simulate' an Asian attack, but what with the big bot-nets, I suppose
      that's a possibility too, but all these addresses (that I looked at)
      were SE Asian in origin.

      After passing the 1000 scanner benchmark today, with some manual
      aggregation of obvious problem areas, it still continues.

      Anyone else seeing this? We're getting this more often than the SSHD scans.

      Jeff Kell
      Systems/Network Security
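One way to triage router drop logs during a wave like the one described above, as an added example that is not part of the original thread: it groups denied telnet connections by high-order octet (the /8 view in the post), measures the peak per-second rate, and applies a timing heuristic for whether a source's repeated probes look like a real TCP stack retransmitting a SYN against a silent drop. The Cisco-style log format and all sample lines are constructed.

```python
import re
from collections import Counter, defaultdict
# Constructed Cisco-style ACL deny lines (epoch seconds prepended); not real data.
LOG = """\
1094702700 list 101 denied tcp 203.0.113.7(4521) -> 198.51.100.10(23), 1 packet
1094702703 list 101 denied tcp 203.0.113.7(4521) -> 198.51.100.10(23), 1 packet
1094702709 list 101 denied tcp 203.0.113.7(4521) -> 198.51.100.10(23), 1 packet
1094702721 list 101 denied tcp 203.0.113.7(4521) -> 198.51.100.10(23), 1 packet
1094702700 list 101 denied tcp 198.51.100.77(1025) -> 198.51.100.11(23), 1 packet
1094702700 list 101 denied tcp 198.51.100.77(1026) -> 198.51.100.12(23), 1 packet
1094702700 list 101 denied tcp 198.51.100.77(1027) -> 198.51.100.13(23), 1 packet
1094702701 list 101 denied tcp 198.51.100.77(1028) -> 198.51.100.14(23), 1 packet
"""
LINE = re.compile(r"^(\d+) .*denied tcp (\d+\.\d+\.\d+\.\d+)\(\d+\) -> [\d.]+\((\d+)\)")

def parse(log, port=23):
    """Return [(timestamp, source)] for denied connections to the given port."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m and int(m.group(3)) == port:
            events.append((int(m.group(1)), m.group(2)))
    return events

def sources_per_slash8(events):
    """Count distinct sources per high-order octet, like the post's /8 list."""
    groups = defaultdict(set)
    for _, src in events:
        groups[src.split(".")[0] + ".x.x.x"].add(src)
    return {k: len(v) for k, v in groups.items()}

def peak_rate(events):
    """Highest number of denied probes logged in any single second."""
    return max(Counter(ts for ts, _ in events).values()) if events else 0

def backoff_like(times):
    """Heuristic: a real TCP stack retrying a SYN against a silent drop spaces
    its retries with roughly doubling gaps (3s, 6s, 12s ...); a burst with no
    such spacing is more consistent with a blind sender. A hint, not proof."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or min(gaps) <= 0:
        return False
    return all(1.5 <= nxt / prev <= 2.5 for prev, nxt in zip(gaps, gaps[1:]))

def classify_sources(events):
    """Map each source to whether its probe timing resembles stack retransmits."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    return {src: backoff_like(sorted(ts)) for src, ts in by_src.items()}
```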