cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Ongoing DOS attack from Iran

Monsoft
Dabbler
Posts: 24
Thanks: 4
Registered: ‎29-09-2019

Ongoing DOS attack from Iran

‎15-09-2021 10:03 AM

Since yesterday morning I'm experiencing ongoing DOS/Brute-Force attack lunched from Iranian IP 31.130.184.212 against my smtp server (I have static IP).  I'm not the only one person who is targeted by this attack https://www.abuseipdb.com/check/31.130.184.212

Of course fail2ban blocked this IP and I moved this blocking to my router's firewall but looks like attacker running some script in loop which doesn't check response even if I'm specifically dropping incoming traffic.

Writing email to provider is pointless as in countries like Iran or China they never responding or acting on it.

Now question is: does Plusnet NOC/SOC is able to react on this kind of attacks ?  

It's not massive flood of traffic (around 42 connections per minute) but still bringing unwanted traffic to internet connection.

 

09:59:00.131270 IP 31.130.184.212.20412 > xyz.plus.com.25: Flags [S], seq 1759048769, win 29200, options [mss 1460,sackOK,TS val 105182304 ecr 0,nop,wscale 10], length 0
09:59:01.581052 IP 31.130.184.212.12758 > xyz.plus.com.25: Flags [S], seq 2161857530, win 29200, options [mss 1460,sackOK,TS val 105183754 ecr 0,nop,wscale 10], length 0
09:59:02.586174 IP 31.130.184.212.12758 > xyz.plus.com.25: Flags [S], seq 2161857530, win 29200, options [mss 1460,sackOK,TS val 105184757 ecr 0,nop,wscale 10], length 0
09:59:04.587528 IP 31.130.184.212.12758 > xyz.plus.com.25: Flags [S], seq 2161857530, win 29200, options [mss 1460,sackOK,TS val 105186760 ecr 0,nop,wscale 10], length 0
09:59:05.916015 IP 31.130.184.212.5070 > xyz.plus.com.25: Flags [S], seq 2397665211, win 29200, options [mss 1460,sackOK,TS val 105188086 ecr 0,nop,wscale 10], length 0
09:59:06.916354 IP 31.130.184.212.5070 > xyz.plus.com.25: Flags [S], seq 2397665211, win 29200, options [mss 1460,sackOK,TS val 105189088 ecr 0,nop,wscale 10], length 0
09:59:08.918840 IP 31.130.184.212.5070 > xyz.plus.com.25: Flags [S], seq 2397665211, win 29200, options [mss 1460,sackOK,TS val 105191092 ecr 0,nop,wscale 10], length 0
09:59:10.025226 IP 31.130.184.212.61926 > xyz.plus.com.25: Flags [S], seq 1179237925, win 29200, options [mss 1460,sackOK,TS val 105192199 ecr 0,nop,wscale 10], length 0
09:59:11.026244 IP 31.130.184.212.61926 > xyz.plus.com.25: Flags [S], seq 1179237925, win 29200, options [mss 1460,sackOK,TS val 105193201 ecr 0,nop,wscale 10], length 0
09:59:13.033311 IP 31.130.184.212.61926 > xyz.plus.com.25: Flags [S], seq 1179237925, win 29200, options [mss 1460,sackOK,TS val 105195208 ecr 0,nop,wscale 10], length 0
09:59:14.178819 IP 31.130.184.212.54306 > xyz.plus.com.25: Flags [S], seq 2295214912, win 29200, options [mss 1460,sackOK,TS val 105196350 ecr 0,nop,wscale 10], length 0
09:59:15.180074 IP 31.130.184.212.54306 > xyz.plus.com.25: Flags [S], seq 2295214912, win 29200, options [mss 1460,sackOK,TS val 105197352 ecr 0,nop,wscale 10], length 0
09:59:17.182134 IP 31.130.184.212.54306 > xyz.plus.com.25: Flags [S], seq 2295214912, win 29200, options [mss 1460,sackOK,TS val 105199357 ecr 0,nop,wscale 10], length 0
09:59:18.537651 IP 31.130.184.212.46624 > xyz.plus.com.25: Flags [S], seq 1909957441, win 29200, options [mss 1460,sackOK,TS val 105200711 ecr 0,nop,wscale 10], length 0
09:59:19.538220 IP 31.130.184.212.46624 > xyz.plus.com.25: Flags [S], seq 1909957441, win 29200, options [mss 1460,sackOK,TS val 105201713 ecr 0,nop,wscale 10], length 0
09:59:21.545366 IP 31.130.184.212.46624 > xyz.plus.com.25: Flags [S], seq 1909957441, win 29200, options [mss 1460,sackOK,TS val 105203720 ecr 0,nop,wscale 10], length 0
09:59:22.899012 IP 31.130.184.212.38966 > xyz.plus.com.25: Flags [S], seq 2644661936, win 29200, options [mss 1460,sackOK,TS val 105205072 ecr 0,nop,wscale 10], length 0
09:59:23.902775 IP 31.130.184.212.38966 > xyz.plus.com.25: Flags [S], seq 2644661936, win 29200, options [mss 1460,sackOK,TS val 105206074 ecr 0,nop,wscale 10], length 0
09:59:25.909606 IP 31.130.184.212.38966 > xyz.plus.com.25: Flags [S], seq 2644661936, win 29200, options [mss 1460,sackOK,TS val 105208080 ecr 0,nop,wscale 10], length 0
09:59:27.020314 IP 31.130.184.212.31310 > xyz.plus.com.25: Flags [S], seq 1540021690, win 29200, options [mss 1460,sackOK,TS val 105209192 ecr 0,nop,wscale 10], length 0
09:59:28.020188 IP 31.130.184.212.31310 > xyz.plus.com.25: Flags [S], seq 1540021690, win 29200, options [mss 1460,sackOK,TS val 105210194 ecr 0,nop,wscale 10], length 0
09:59:30.026550 IP 31.130.184.212.31310 > xyz.plus.com.25: Flags [S], seq 1540021690, win 29200, options [mss 1460,sackOK,TS val 105212200 ecr 0,nop,wscale 10], length 0
09:59:31.285418 IP 31.130.184.212.23640 > xyz.plus.com.25: Flags [S], seq 1475033534, win 29200, options [mss 1460,sackOK,TS val 105213458 ecr 0,nop,wscale 10], length 0
09:59:32.286407 IP 31.130.184.212.23640 > xyz.plus.com.25: Flags [S], seq 1475033534, win 29200, options [mss 1460,sackOK,TS val 105214460 ecr 0,nop,wscale 10], length 0
09:59:34.292119 IP 31.130.184.212.23640 > xyz.plus.com.25: Flags [S], seq 1475033534, win 29200, options [mss 1460,sackOK,TS val 105216464 ecr 0,nop,wscale 10], length 0
09:59:35.882036 IP 31.130.184.212.15960 > xyz.plus.com.25: Flags [S], seq 3569014455, win 29200, options [mss 1460,sackOK,TS val 105218055 ecr 0,nop,wscale 10], length 0
09:59:36.883784 IP 31.130.184.212.15960 > xyz.plus.com.25: Flags [S], seq 3569014455, win 29200, options [mss 1460,sackOK,TS val 105219057 ecr 0,nop,wscale 10], length 0
09:59:38.891272 IP 31.130.184.212.15960 > xyz.plus.com.25: Flags [S], seq 3569014455, win 29200, options [mss 1460,sackOK,TS val 105221064 ecr 0,nop,wscale 10], length 0
09:59:40.067320 IP 31.130.184.212.8300 > xyz.plus.com.25: Flags [S], seq 479345639, win 29200, options [mss 1460,sackOK,TS val 105222238 ecr 0,nop,wscale 10], length 0
09:59:41.066942 IP 31.130.184.212.8300 > xyz.plus.com.25: Flags [S], seq 479345639, win 29200, options [mss 1460,sackOK,TS val 105223240 ecr 0,nop,wscale 10], length 0
09:59:43.069036 IP 31.130.184.212.8300 > xyz.plus.com.25: Flags [S], seq 479345639, win 29200, options [mss 1460,sackOK,TS val 105225244 ecr 0,nop,wscale 10], length 0
09:59:44.316678 IP 31.130.184.212.65130 > xyz.plus.com.25: Flags [S], seq 2057365693, win 29200, options [mss 1460,sackOK,TS val 105226491 ecr 0,nop,wscale 10], length 0
09:59:45.317048 IP 31.130.184.212.65130 > xyz.plus.com.25: Flags [S], seq 2057365693, win 29200, options [mss 1460,sackOK,TS val 105227492 ecr 0,nop,wscale 10], length 0
09:59:47.322705 IP 31.130.184.212.65130 > xyz.plus.com.25: Flags [S], seq 2057365693, win 29200, options [mss 1460,sackOK,TS val 105229496 ecr 0,nop,wscale 10], length 0
09:59:48.902652 IP 31.130.184.212.57472 > xyz.plus.com.25: Flags [S], seq 3052536268, win 29200, options [mss 1460,sackOK,TS val 105231077 ecr 0,nop,wscale 10], length 0
09:59:49.905247 IP 31.130.184.212.57472 > xyz.plus.com.25: Flags [S], seq 3052536268, win 29200, options [mss 1460,sackOK,TS val 105232080 ecr 0,nop,wscale 10], length 0
09:59:51.909787 IP 31.130.184.212.57472 > xyz.plus.com.25: Flags [S], seq 3052536268, win 29200, options [mss 1460,sackOK,TS val 105234084 ecr 0,nop,wscale 10], length 0
09:59:53.069672 IP 31.130.184.212.49828 > xyz.plus.com.25: Flags [S], seq 4179197362, win 29200, options [mss 1460,sackOK,TS val 105235244 ecr 0,nop,wscale 10], length 0
09:59:54.071154 IP 31.130.184.212.49828 > xyz.plus.com.25: Flags [S], seq 4179197362, win 29200, options [mss 1460,sackOK,TS val 105236246 ecr 0,nop,wscale 10], length 0
09:59:56.075674 IP 31.130.184.212.49828 > xyz.plus.com.25: Flags [S], seq 4179197362, win 29200, options [mss 1460,sackOK,TS val 105238248 ecr 0,nop,wscale 10], length 0
09:59:57.120618 IP 31.130.184.212.42130 > xyz.plus.com.25: Flags [S], seq 3530178217, win 29200, options [mss 1460,sackOK,TS val 105239293 ecr 0,nop,wscale 10], length 0
09:59:58.125054 IP 31.130.184.212.42130 > xyz.plus.com.25: Flags [S], seq 3530178217, win 29200, options [mss 1460,sackOK,TS val 105240296 ecr 0,nop,wscale 10], length 0

Message 1 of 6
(517 Views)
0 Thanks
5 REPLIES 5
Champnet
Aspiring Hero
Posts: 2,601
Thanks: 983
Fixes: 12
Registered: ‎25-07-2007

Re: Ongoing DOS attack from Iran

‎15-09-2021 1:11 PM

If your system's secure, sit tight, eventually they'll give up and move on to someone else..........

Message 2 of 6
(482 Views)
0 Thanks
Monsoft
Dabbler
Posts: 24
Thanks: 4
Registered: ‎29-09-2019

Re: Ongoing DOS attack from Iran

‎15-09-2021 2:04 PM

I manage and design system for living so I'm not scare. Just was interested if Plusnet SOC/NOC have some IDS/IPS system which can used to prevent this kind of attacks.

Message 3 of 6
(467 Views)
0 Thanks
Champnet
Aspiring Hero
Posts: 2,601
Thanks: 983
Fixes: 12
Registered: ‎25-07-2007

Re: Ongoing DOS attack from Iran

‎15-09-2021 2:15 PM

ISPs blocking IP addresses might be a Government decision, not for mere mortals like us.

As you know, we can only block traffic at the point of entry to our building.

Message 4 of 6
(463 Views)
0 Thanks
Monsoft
Dabbler
Posts: 24
Thanks: 4
Registered: ‎29-09-2019

Re: Ongoing DOS attack from Iran

‎16-09-2021 9:14 AM

"ISPs blocking IP addresses might be a Government decision, not for mere mortals like us."

 

Nah, I use to work for ISP for around 7 years and we use to have bunch of IPS'es which were analysing traffic and blocked attacks.

I don't mind using my own solution to keep my network safe 🙂

Message 5 of 6
(412 Views)
0 Thanks
Champnet
Aspiring Hero
Posts: 2,601
Thanks: 983
Fixes: 12
Registered: ‎25-07-2007

Re: Ongoing DOS attack from Iran

‎16-09-2021 9:32 AM

@Monsoft wrote:

Nah, I use to work for ISP for around 7 years and we use to have bunch of IPS'es which were analysing traffic and blocked attacks.

Interesting, I've ran many installations including three Private Banking systems and I've never been able to get any ISP to block incoming traffic. Always given the same excuse............... 

Message 6 of 6
(407 Views)
0 Thanks