You probably don’t need VPS customers connecting to your boxes
Every minute I see dozens of scans, scrapes and DNS amplification attacks from providers offering cheap VPSs. I rarely see legitimate ingress traffic:
Dec 13 14:45:41,1770008933,igb0,IGB0_WAN,block,4,6,TCP-S,178.62.237.183,81.187.86.93,61000,22,out,GB,pfB_ASN_clouds_v4,81.187.0.0/16,GB_v4,mx2.<redacted>.net,Unknown,null,+
178.62.237.183 is controlled by a botnet using DigitalOcean, attempting to SSH into my mail server mx2.arcza.net
on port 22. The customer is a small UK taxi comparison business (viewable on http://178.62.237.183), who probably has no idea what any of this means and didn’t implement fail2ban
on their VPS, got hacked, and someone installed a botnet worker to attempt to hack more servers over SSH.
I’ve also seen examples from another DigitalOcean customer called Stretchoid scanning my network for things like LDAP access. Port scans are not new, and not malicious on their own. But you gain nothing allowing scrapers, DNS amplification attempts and port scanners accessing your network, and of course actual botnets. I encourage you to block cheap VPS providers too.
AWS, Azure and GCP
The “hyperscalers” tend to be more expensive and less ripe for abuse. I do not see the same volume of abuse that I get from the less-sophisticated cloud providers.
Egress?
I don’t block traffic going to any VPS cloud from my network. I know what software is running within my perimeter, so can tackle issues at application level rather than network level. It also sounds like a troubleshooting nightmare for the future.
Disclaimer
I am not saying the named networks are malicious organisations. Abuse comes from all over the Internet, including AWS, GCP and Azure, but I receive so many attacks from these networks I cannot possibly fill out enough abuse forms. Examples:
Contabo: DNS amplification pretending to be AWS:
25/11/2023 13:49:48 09F4 PACKET 00000185056A3D50 UDP Rcv 194.163.153.147 a511 Q [0001 D NOERROR] CNAME (17)klimentandguladze(5)10690(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:52 09F4 PACKET 00000185058F5D40 UDP Rcv 194.163.153.147 ef9e Q [0001 D NOERROR] CNAME (5)10701(11)lauragstein(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:54 09F4 PACKET 000001850828A4A0 UDP Rcv 194.163.153.147 4466 Q [0001 D NOERROR] CNAME (24)dharanisupportprimer3236(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:55 09F4 PACKET 00000185056A3D50 UDP Rcv 194.163.153.147 050d Q [0001 D NOERROR] CNAME (16)gearfactor_10709(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:55 09F4 PACKET 000001850828A4A0 UDP Rcv 194.163.153.147 f2b6 Q [0001 D NOERROR] CNAME (31)kingmcmshelp-schema-org-mapping(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:56 09F4 PACKET 00000185056A3D50 UDP Rcv 194.163.153.147 7209 Q [0001 D NOERROR] CNAME (16)azure70532xedule(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:56 09F4 PACKET 000001850828A4A0 UDP Rcv 194.163.153.147 66d8 Q [0001 D NOERROR] CNAME (12)p9p-suits301(2)s3(9)amazonaws(3)com(0)
25/11/2023 13:49:57 09F4 PACKET 00000185056A3D50 UDP Rcv 194.163.153.147 9068 Q [0001 D NOERROR] CNAME (24)bashstyle-asiafoundation(2)s3(9)amazonaws(3)com(0)
Hetzner: DNS amp again
25/11/2023 13:49:39 09F4 PACKET 00000185056A3D50 UDP Rcv 95.217.207.120 ddf4 Q [0001 D NOERROR] A (11)yuxiangqian(5)x24hr(3)com(0)
25/11/2023 13:49:50 09F4 PACKET 00000185058F5D40 UDP Rcv 95.217.207.120 08e6 Q [0001 D NOERROR] A (6)hbfast(5)dns04(3)com(0)
25/11/2023 13:49:53 09F4 PACKET 00000185058F5D40 UDP Rcv 95.217.207.120 2c1e Q [0001 D NOERROR] A (5)tocea(7)mynetav(3)net(0)
25/11/2023 13:49:53 09F4 PACKET 00000185058F5D40 UDP Rcv 95.217.207.120 afdf Q [0001 D NOERROR] A (12)willsmythe__(6)fartit(3)com(0)
25/11/2023 13:50:02 09F4 PACKET 00000185056A3D50 UDP Rcv 95.217.207.120 72c4 Q [0001 D NOERROR] A (24)dataintegrationpracticum(4)qpoe(3)com(0)
25/11/2023 13:50:07 09F8 PACKET 00000185058F5D40 UDP Rcv 95.217.207.120 7eae Q [0001 D NOERROR] A (9)rishav311(4)zzux(3)com(0)
25/11/2023 13:50:11 09F4 PACKET 000001850828A4A0 UDP Rcv 95.217.207.120 a1c1 Q [0001 D NOERROR] A (5)oak86(8)proxydns(3)com(0)
25/11/2023 13:50:14 09F4 PACKET 000001850636E4A0 UDP Rcv 95.217.207.120 0c03 Q [0001 D NOERROR] A (16)creativeworldbau(4)ddns(4)mobi(0)
OVH: also DNS… why would OVH contact my servers for a Google lookup?
25/11/2023 13:30:34 09F8 PACKET 0000018505FF3560 UDP Rcv 51.222.211.179 a4d0 Q [0001 D NOERROR] TXT (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:31:44 09F4 PACKET 00000185052F91B0 UDP Rcv 51.222.211.179 8f08 Q [0001 D NOERROR] TXT (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:32:53 09F4 PACKET 0000018505FF3560 UDP Rcv 51.222.211.179 d4e9 Q [0001 D NOERROR] TXT (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:33:49 09F4 PACKET 000001850828A4A0 UDP Rcv 51.222.211.179 3933 Q [0001 D NOERROR] TXT (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:40:23 09F8 PACKET 0000018507204D10 UDP Rcv 51.222.211.179 5b30 Q [0001 D NOERROR] TXT (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:41:28 09F8 PACKET 00000185057DA8D0 UDP Rcv 51.222.211.179 fb7b Q [0001 D NOERROR] TXT (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:43:18 09F4 PACKET 00000185057DA8D0 UDP Rcv 51.222.211.179 20aa Q [0001 D NOERROR] TXT (3)o-o(6)myaddr(1)l(6)google(3)com(0)
25/11/2023 13:44:00 09F4 PACKET 00000185058F5D40 UDP Rcv 51.222.211.179 58a5 Q [0001 D NOERROR] TXT (3)o-o(6)myaddr(1)l(6)google(3)com(0)
DigitalOcean: botnet port 22 ssh example above to my secondary mail server.
Thanks
HackerTarget made it easy for me to get the CIDR blocks for each cloud.
There are bigger fish to fry…
Agreed. I also geo-block regions I have no expected legitimate traffic from. 22k blocked states from China for example in the last 24 hours. I do not have 22k blog readers from China sadly. Paying for threat lists is a better and more refined way.
I work for <cheap cloud>. We aren’t ‘cheap’!
- Contabo: “Stop choosing between affordability and performance!”
https://contabo.com/en/ - DigitalOcean: “Whatever your vision—a SaaS app, an AI/ML business, a website, an eCommerce store—build it here using DigitalOcean’s simple, cost-effective cloud hosting services.”
https://www.digitalocean.com/ - OVH: “LAST CHANCE Get our deals while they last! Up to 55% off”
https://www.ovhcloud.com/en-gb/ - Hetzner: “Pure power at impossibly low prices“
https://www.hetzner.com/
Contrast to AWS where pricing is not a core feature of their marketing.
pfSense
If you use pfSense firewalls, pfBlocker NG can block entire ASNs automatically and you might not need these rules.