Larry Kiterling
asked on
Attack? Scans from unknown IP on router
We have several 'attack events' coming in from IP addresses we are not familiar with and wanted to know what the protocol is. It doesn't look like these attacks are happening on more than one occasion.
#/IP address/Events
1/124.40.246.86/14
2/62.210.251.48 62-210-251-48.rev.poneytelecom.eu/12
3/182.72.26.54 nsg-static-054.26.72.182.airtel.in/9
4/208.87.234.202 webdefence-pool-02.cluster-h.websense.net/2
5/173.252.90.2 edge-liverail-shv-13-atn1.facebook.com/1
ASKER
bosshog!
Likely these IPs are compromised or taken over by some sort of bot master to direct and launch "attacks" on their target. Taking the snapshot of a single IP from each range, you can see that at least three of them fall into a SPAM or Block blacklist (look out for the "cross" in each). Better to check the specific log in your FW and IPS to see if there are any signature or exploit attempts.
For the protocol, it should be based on the port, though the source may not adhere to it. The common DDoS protocols using HTTP, SSDP, NTP to amplify the effects to bring the target down faster are gaining traction; see the US-CERT advisory (https://www.us-cert.gov/ncas/alerts/TA14-017A) - check out the mitigation too, though you may not trace back to the origin source (can be proxy fronted by ISP).
For 124.40.246.86 (Bangalore Broadband Network Pvt Ltd)
http://www.tcpiputils.com/browse/ip-address/124.40.246.86
For 62.210.251.48 (in France)
http://www.tcpiputils.com/browse/ip-address/62.210.251.48
For 182.72.26.54 (BHARTI Airtel Ltd.)
http://www.tcpiputils.com/browse/ip-address/182.72.26.54
For 208.87.234.202 (Websense Hosted R&D Ltd.)
http://www.tcpiputils.com/browse/ip-address/208.87.234.202
For 173.252.90.2 (Facebook, Inc.)
http://www.tcpiputils.com/browse/ip-address/173.252.90.2
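As an added illustration of the "check the specific log in your FW and IPS" advice (example code, not part of the thread or anyone's posted solution): a short Python script that tallies router DROP events per source IP and separates a port sweep from repeated attempts against one port. The log lines, the interface name and the 203.0.113.5 destination are constructed; the source IPs are the ones from the question's event table.

```python
import re
from collections import defaultdict

# Constructed sample of iptables/syslog-style DROP lines (not the asker's real log).
SAMPLE_LOG = """\
Jan 10 03:12:01 router kernel: DROP IN=eth0 SRC=124.40.246.86 DST=203.0.113.5 PROTO=TCP DPT=22
Jan 10 03:12:02 router kernel: DROP IN=eth0 SRC=124.40.246.86 DST=203.0.113.5 PROTO=TCP DPT=23
Jan 10 03:12:03 router kernel: DROP IN=eth0 SRC=124.40.246.86 DST=203.0.113.5 PROTO=TCP DPT=80
Jan 10 03:12:04 router kernel: DROP IN=eth0 SRC=124.40.246.86 DST=203.0.113.5 PROTO=TCP DPT=443
Jan 10 03:15:10 router kernel: DROP IN=eth0 SRC=62.210.251.48 DST=203.0.113.5 PROTO=TCP DPT=22
Jan 10 03:15:11 router kernel: DROP IN=eth0 SRC=62.210.251.48 DST=203.0.113.5 PROTO=TCP DPT=22
Jan 10 03:15:12 router kernel: DROP IN=eth0 SRC=62.210.251.48 DST=203.0.113.5 PROTO=TCP DPT=22
Jan 10 03:20:00 router kernel: DROP IN=eth0 SRC=173.252.90.2 DST=203.0.113.5 PROTO=TCP DPT=443
"""

# Pull out source IP, protocol and (for TCP/UDP) destination port from one log line.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+)(?: DPT=(?P<dpt>\d+))?")

def summarize(log_text):
    """Return {src_ip: {"events": count, "ports": set of dst ports, "protos": set}}."""
    stats = defaultdict(lambda: {"events": 0, "ports": set(), "protos": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not firewall DROP records
        s = stats[m["src"]]
        s["events"] += 1
        s["protos"].add(m["proto"])
        if m["dpt"]:
            s["ports"].add(int(m["dpt"]))
    return stats

def classify(stats, scan_ports=3, repeat_events=3):
    """Label each source: 'port-scan' (many distinct ports), 'repeated' (one port hit
    again and again, e.g. brute force), or 'single' (one-off event, low priority)."""
    labels = {}
    for src, s in stats.items():
        if len(s["ports"]) >= scan_ports:
            labels[src] = "port-scan"
        elif s["events"] >= repeat_events:
            labels[src] = "repeated"
        else:
            labels[src] = "single"
    return labels

if __name__ == "__main__":
    st = summarize(SAMPLE_LOG)
    for src, label in classify(st).items():
        print(f"{src:16} {st[src]['events']:3} events ports={sorted(st[src]['ports'])} -> {label}")
```

Sources labelled "port-scan" or "repeated" are the ones worth cross-checking against the IPS signature log and a reputation lookup; a "single" hit is usually background noise.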
You're welcome! Enjoy your weekend as well!
-J-