@fluffernutter said:
Dropping all traffic from ColoCrossing, DediPath, OVH, M247, QuadraNet, China, India, and Hetzner (as well as any provider offering free trials or free credit) basically reduces abuse to 0. Listed the biggest offenders but there's definitely more. ColoCrossing and DediPath are where most of the layer 7 DDoS originates from, and I've gotten some massive floods from DO/Linode.
@beanman109 said:
Was China until I used Crowdsec to ban all 110 million IPs from Chinanet on all my servers.
Now it's honestly a fairly even mix most of the time.
@AuroraZero said:
Only problem I have with stereotyping this is: how do you know when the database you are using to correlate information is updated?
What I mean is, how do you know the geolocation information is accurate unless you do a trace yourself?
Remember, I can "claim" I own the moon; that does not make it true.
Sorry, just sick of all the misinformation running around on everything in this age.
You can never be 100% certain of course, but when it comes to statistics and patterns it doesn't really matter.
If I have 1 million attacks and 90% of them seem to originate from Asia, chances are that a major part of all attacks originate from Asia. I do not really care if 1% of them are spoofed or if 10% are actually from the US but use a VPN from Asia. For me, that is not the important part of the data.
Also, the geolocation data these days is usually pretty good. At least good enough to plot millions of attacks and get a pretty good overview.
I don't really know what you mean by your "claim" statement. If China Telecom owns an IP range and they say it is located in China, then I would not call it a bold claim to assume that an IP in that range is in China.
If I can use data that is 99% correct to block out 99% of all attacks, that's fine by me.
@fluffernutter said:
Dropping all traffic from ColoCrossing, DediPath, OVH, M247, QuadraNet, China, India, and Hetzner (as well as any provider offering free trials or free credit) basically reduces abuse to 0. Listed the biggest offenders but there's definitely more. ColoCrossing and DediPath are where most of the layer 7 DDoS originates from, and I've gotten some massive floods from DO/Linode.
Personally received a large L7 from the DediPath network, reported it to abuse and nothing was done about it; my report wasn't even acknowledged.
@fluffernutter said:
Dropping all traffic from ColoCrossing, DediPath, OVH, M247, QuadraNet, China, India, and Hetzner (as well as any provider offering free trials or free credit) basically reduces abuse to 0. Listed the biggest offenders but there's definitely more. ColoCrossing and DediPath are where most of the layer 7 DDoS originates from, and I've gotten some massive floods from DO/Linode.
Personally received a large L7 from the DediPath network, reported it to abuse and nothing was done about it; my report wasn't even acknowledged.
Yeah, @Ernie says abuse is handled, but with how blacklisted their ASN is I sort of doubt that; I haven't ever even bothered to send abuse reports over. Good to see they handle them as expected.
@emg said:
What tools are people using these days to get this information? Are they analyzing log files offline or using a realtime tool of some kind?
Both are viable methods to get the info, though a logging platform is way more fun to look at.
I have a honeypot running on one of my hosthatch servers that is designed to collect this information for this type of analysis. https://github.com/telekom-security/tpotce Here are some dashboard screenshots of data from the past 30 days with well over 4 million hits.
Top attacking countries (Netherlands takes the lead this month)
Countries and the ports they attack (VNC always a popular target)
@emg said:
Second: -> What tools are people using these days to get this information? Are they analyzing log files offline or using a realtime tool of some kind?
Crowdsec handles it all for me, I just log into the dashboard every now & then and look at the stats when I'm bored.
@emg said:
What tools are people using these days to get this information? Are they analyzing log files offline or using a realtime tool of some kind?
Everything logs to Graylog, and from there I use the dashboards available in Graylog or use Grafana to visualize the data. Both Graylog and Grafana have pretty good integration with geolocation data, so that's not even an issue; it just works.
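As an added example (not code from anyone in this thread), here is the offline flavour of what the posts above do with T-Pot, Crowdsec or Graylog: it pulls failed SSH logins out of a constructed auth.log excerpt, attributes each source IP to a country and ASN by longest-prefix lookup, and then estimates what share of attempts a drop rule on a given ASN or country would have stopped, which is the "99% correct data blocks 99% of attacks" argument earlier in the thread. The prefix table, ASN names and log lines are all constructed placeholders (RFC 5737 documentation ranges and RFC 5398 documentation ASNs), not real provider data; a real run would load a GeoIP/ASN database instead.

```python
import ipaddress
import re
from collections import Counter

# Constructed prefix table built from RFC 5737 documentation ranges and RFC 5398 documentation
# ASNs (assumption); a real run would load a GeoIP/ASN database here instead.
PREFIX_TABLE = [
    ("192.0.2.0/24",      64496, "EXAMPLE-HOST-A", "CN"),
    ("198.51.100.0/25",   64497, "EXAMPLE-HOST-B", "US"),
    ("198.51.100.128/25", 64498, "EXAMPLE-CLOUD",  "NL"),
    ("203.0.113.0/24",    64499, "EXAMPLE-VPS",    "DE"),
]
# Most specific prefix first, so an overlapping longer route wins the match.
_NETS = sorted(((ipaddress.ip_network(p), a, o, c) for p, a, o, c in PREFIX_TABLE), key=lambda t: -t[0].prefixlen)

# Constructed sshd lines standing in for an offline auth.log export (not real traffic).
SAMPLE_LOG = """\
Jan 29 03:14:07 vps sshd[1201]: Failed password for root from 192.0.2.17 port 51022 ssh2
Jan 29 03:14:09 vps sshd[1203]: Failed password for invalid user admin from 192.0.2.99 port 40110 ssh2
Jan 29 03:15:40 vps sshd[1210]: Failed password for root from 198.51.100.200 port 60001 ssh2
Jan 29 03:16:02 vps sshd[1214]: Failed password for root from 203.0.113.5 port 33211 ssh2
Jan 29 03:16:03 vps sshd[1215]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2
Jan 29 03:17:55 vps sshd[1220]: Failed password for root from 192.0.2.17 port 51030 ssh2
"""
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+) port")

def lookup(ip):
    """Longest-prefix match; returns (asn, org, country) or None for space not in the table."""
    addr = ipaddress.ip_address(ip)
    return next(((a, o, c) for net, a, o, c in _NETS if addr in net), None)

def failed_sources(log_text):
    """Source IP of every failed login, one entry per attempt (not per unique IP)."""
    return [m.group(1) for m in FAILED_RE.finditer(log_text)]

def summarize(log_text):
    """Attempt counts per country and per ASN, plus the set of unique source IPs."""
    by_cc, by_asn = Counter(), Counter()
    ips = failed_sources(log_text)
    for ip in ips:
        hit = lookup(ip)
        by_cc[hit[2] if hit else "??"] += 1                      # '??' = not in the table
        by_asn[f"AS{hit[0]} {hit[1]}" if hit else "AS? unknown"] += 1
    return by_cc, by_asn, set(ips)

def blocked_share(log_text, block_asns=(), block_countries=()):
    """Fraction of failed attempts a drop rule on these ASNs/countries would have stopped."""
    hits = [lookup(ip) for ip in failed_sources(log_text)]
    stopped = sum(1 for h in hits if h and (h[0] in block_asns or h[2] in block_countries))
    return stopped / len(hits) if hits else 0.0
```

Only "Failed password" lines count as attempts, so the accepted publickey login is ignored, and an IP outside the table lands in the "??" bucket rather than being silently dropped from the totals.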
Comments
Sure, I also block Google Cloud, AWS and Azure.
How can I block 110 million IPs from China?
I actually wrote a simple guide on how to do this the other day!
If you have Crowdsec & you're interested you can find it here - https://lexnet.cc/other/block-all-chinanet-ip-crowdsec/
First: I find this real world data very interesting. Thanks to everyone for sharing their experiences.
Second: -> What tools are people using these days to get this information? Are they analyzing log files offline or using a realtime tool of some kind?
Nobody wants to hack into my idling VPS.
Russia, Russia, Russia, France?
Don't ask, and no, I don't run Java.
Agreed! I really appreciate people sharing their experiences! Very interesting info!
Russia, China, Iran
On Jan 29, in terms of unique source IP addresses:
3,944 IP addresses from Digital Ocean were detected.
I would guess most of them are compromised systems like malware-infected computers.