Let’s have a look at who’s been trying to break into the SSH service on my development server recently, and where in the world they’re attacking from. Since I set up fail2ban to catch these dictionary attacks, it has logged the network address of every culprit it banned. Here’s who got caught recently:
2009-07-06 19:41:21,425 fail2ban.actions: WARNING [ssh] Ban 83.15.85.210
2009-07-08 13:48:43,565 fail2ban.actions: WARNING [ssh] Ban 87.229.101.170
2009-07-10 10:59:36,625 fail2ban.actions: WARNING [ssh] Ban 211.155.227.18
2009-07-14 00:12:49,866 fail2ban.actions: WARNING [ssh] Ban 202.109.242.18
2009-07-16 05:14:16,456 fail2ban.actions: WARNING [ssh] Ban 89.207.64.170
2009-07-17 01:34:32,566 fail2ban.actions: WARNING [ssh] Ban 91.83.48.226
2009-07-17 06:47:01,616 fail2ban.actions: WARNING [ssh] Ban 202.96.199.150
2009-07-21 04:22:42,195 fail2ban.actions: WARNING [ssh] Ban 80.190.191.124
2009-07-21 06:33:19,415 fail2ban.actions: WARNING [ssh] Ban 200.52.194.36
2009-07-25 00:26:18,623 fail2ban.actions: WARNING [ssh] Ban 222.68.194.69
2009-07-26 00:20:16,743 fail2ban.actions: WARNING [ssh] Ban 222.68.194.69
2009-07-27 22:43:14,553 fail2ban.actions: WARNING [ssh] Ban 80.88.248.30
2009-07-28 13:54:37,653 fail2ban.actions: WARNING [ssh] Ban 72.44.174.162
2009-07-29 01:52:28,733 fail2ban.actions: WARNING [ssh] Ban 218.16.224.203
2009-07-29 19:41:58,923 fail2ban.actions: WARNING [ssh] Ban 125.208.3.9
2009-07-30 13:39:40,597 fail2ban.actions: WARNING [ssh] Ban 94.89.83.58
2009-08-01 09:57:49,727 fail2ban.actions: WARNING [ssh] Ban 80.86.201.29
2009-08-02 06:38:09,777 fail2ban.actions: WARNING [ssh] Ban 173.45.241.236
2009-08-02 14:47:14,147 fail2ban.actions: WARNING [ssh] Ban 124.124.9.43
2009-08-07 23:35:22,597 fail2ban.actions: WARNING [ssh] Ban 202.109.242.18
2009-08-12 20:06:36,877 fail2ban.actions: WARNING [ssh] Ban 222.242.186.83
2009-08-13 19:01:42,967 fail2ban.actions: WARNING [ssh] Ban 85.115.100.144
2009-08-13 22:27:14,007 fail2ban.actions: WARNING [ssh] Ban 98.112.35.38
2009-08-14 01:32:15,057 fail2ban.actions: WARNING [ssh] Ban 219.237.197.158
2009-08-14 09:31:25,117 fail2ban.actions: WARNING [ssh] Ban 81.200.21.26
2009-08-16 12:12:31,627 fail2ban.actions: WARNING [ssh] Ban 221.233.134.124
2009-08-20 19:50:08,877 fail2ban.actions: WARNING [ssh] Ban 202.107.209.35
2009-08-22 12:20:31,127 fail2ban.actions: WARNING [ssh] Ban 115.108.25.2
That’s 28 bans over the course of 48 days, originating from 26 different hosts (two were repeat offenders). Each ban is recorded only after a burst of failed logins crosses the fail2ban retry threshold, so the number of individual password guesses behind these lines is considerably higher.
Querying the regional Internet registries’ Whois services tells us which organisation each address block is assigned to and where that organisation is registered:
IP address        Registry  Registrant, Location
83.15.85.210      RIPE      Bielany Wroclawskie, Warsaw, Poland
87.229.101.170    RIPE      Polgarhaz Holding Kft., Budapest, Hungary
211.155.227.18    APNIC     Netli.lic., Hangzhou, China
202.109.242.18    APNIC     China Telecom, Fujian Province, China
89.207.64.170     RIPE      Joint Stock Company Svyazist, Kstovo, Russia
91.83.48.226      RIPE      Inest Hosting, Szeged, Hungary
202.96.199.150    APNIC     China Telecom, Shanghai Province, China
80.190.191.124    RIPE      IP Exchange GmbH, Nuremberg, Germany
200.52.194.36     LACNIC    MegaCable SA de CV, Guadalajara, Mexico
222.68.194.69     APNIC     China Telecom, Shanghai Province, China
80.88.248.30      RIPE      2Connect WLL, Manama, Bahrain
72.44.174.162     ARIN      ATX Telecom Services, King Of Prussia, PA, USA
218.16.224.203    APNIC     China Telecom, Guangdong Province, China
125.208.3.9       APNIC     Beijing Primezone Technologies, Beijing, China
94.89.83.58       RIPE      Tendensia SRL, Castellaneta, Italy
80.86.201.29      RIPE      Green.ch AG, Brugg, Switzerland
173.45.241.236    ARIN      Slicehost LLC, St. Louis, MO, USA
124.124.9.43      APNIC     Reliance Communications Ltd, Mumbai, India
222.242.186.83    APNIC     China Telecom, Hunan Province, China
85.115.100.144    RIPE      Sia "Pronets", Riga, Latvia
98.112.35.38      ARIN      Verizon DSL, San Fernando, CA, USA
219.237.197.158   APNIC     Jin'Ou Building, Beijing, China
81.200.21.26      RIPE      SU29 Telecom, Moscow, Russia
221.233.134.124   APNIC     China Telecom, Hubei Province, China
202.107.209.35    APNIC     Ningbo Education Science Ctr, Zhejiang, China
115.108.25.2      APNIC     TATA Communications, Mumbai, India
The named registrants are the network owners and operators, usually local ISPs or hosting providers, who are almost always non-complicit intermediaries rather than the attackers themselves; the source host is typically a compromised machine or a rented server being driven from somewhere else entirely. What these records do reflect is where each address block is registered. At country level that is very reliable, better than 95% in practice; the city, though, is the registrant’s postal address, and for a large carrier such as a national telecom it may be a long way from the host itself.
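As an added example, not code from the original post, here is a small Python script that does the bookkeeping above offline: it parses fail2ban.actions Ban lines, computes the totals quoted (bans, distinct hosts, repeat offenders, inclusive day span) and tallies bans per country from a lookup table. The sample log and the COUNTRY_OF table are constructed from the entries on this page; whois_country() is an optional live lookup through the system whois client and relies on an assumption about that client’s output format rather than on anything the post shows.

```python
"""Summarise fail2ban SSH bans and tally them by the country recorded in Whois.

Added example (not the original post's code). It parses the 0.8-era
fail2ban.actions log format shown above; the sample log and the
ip-to-country table below are constructed from the post's own data.
"""
import re
import subprocess
from collections import Counter
from datetime import datetime

# One 'Ban' line is written each time a jail trips, e.g.
# 2009-07-06 19:41:21,425 fail2ban.actions: WARNING [ssh] Ban 83.15.85.210
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.actions: WARNING \[(?P<jail>[^\]]+)\] Ban "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample: a few of the post's entries, plus an Unban line and a
# ban from another jail to show that both are filtered out.
SAMPLE_LOG = """\
2009-07-06 19:41:21,425 fail2ban.actions: WARNING [ssh] Ban 83.15.85.210
2009-07-08 13:48:43,565 fail2ban.actions: WARNING [ssh] Ban 87.229.101.170
2009-07-08 13:58:43,601 fail2ban.actions: WARNING [ssh] Unban 87.229.101.170
2009-07-10 10:59:36,625 fail2ban.actions: WARNING [ssh] Ban 211.155.227.18
2009-07-14 00:12:49,866 fail2ban.actions: WARNING [ssh] Ban 202.109.242.18
2009-07-25 00:26:18,623 fail2ban.actions: WARNING [ssh] Ban 222.68.194.69
2009-07-26 00:20:16,743 fail2ban.actions: WARNING [ssh] Ban 222.68.194.69
2009-07-28 13:54:37,653 fail2ban.actions: WARNING [ssh] Ban 72.44.174.162
2009-07-28 14:00:00,001 fail2ban.actions: WARNING [apache] Ban 10.0.0.5
"""

# Country column copied from the post's Whois table (a hypothetical cache of
# earlier lookups, so the script needs no network access).
COUNTRY_OF = {
    "83.15.85.210": "Poland",
    "87.229.101.170": "Hungary",
    "211.155.227.18": "China",
    "202.109.242.18": "China",
    "222.68.194.69": "China",
    "72.44.174.162": "USA",
}


def parse_bans(log_text, jail="ssh"):
    """Return [(datetime, ip), ...] for every Ban line of the given jail.

    Unban lines and other jails do not match the pattern and are ignored.
    """
    bans = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line.strip())
        if m and m.group("jail") == jail:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            bans.append((ts, m.group("ip")))
    return bans


def summarise(bans):
    """The totals the post quotes: bans, distinct hosts, repeat offenders, span.

    The span counts calendar days inclusively (6 July to 22 August = 48).
    """
    per_ip = Counter(ip for _, ip in bans)
    days = [ts.date() for ts, _ in bans]
    return {
        "bans": len(bans),
        "hosts": len(per_ip),
        "repeat_offenders": sorted(ip for ip, n in per_ip.items() if n > 1),
        "days": (max(days) - min(days)).days + 1,
    }


def tally_by_country(bans, country_of):
    """Bans per country, most frequent first; unmapped addresses stay visible."""
    return Counter(country_of.get(ip, "unknown") for _, ip in bans).most_common()


def whois_country(ip, timeout=10):
    """Live lookup with the system 'whois' client (needs network; not used above).

    Assumption: RIPE, APNIC, LACNIC and AFRINIC print 'country: XX' and ARIN
    prints 'Country: XX'. Heuristic: the first code found is returned, or None.
    """
    out = subprocess.run(["whois", ip], capture_output=True, text=True,
                         timeout=timeout).stdout
    m = re.search(r"^country:\s*([A-Z]{2})\b", out, re.IGNORECASE | re.MULTILINE)
    return m.group(1).upper() if m else None


if __name__ == "__main__":
    bans = parse_bans(SAMPLE_LOG)
    print(summarise(bans))
    for country, n in tally_by_country(bans, COUNTRY_OF):
        print(f"{n:3d}  {country}")
```

On the full log from this page the same functions give 28 bans, 26 hosts, two repeat offenders and a 48-day span; the constructed sample gives 7 bans, 6 hosts, one repeat offender and 23 days, with China accounting for four of the seven.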
There’s no mistaking that these attacks tend to originate from China and the former Soviet bloc: ten of the 26 hosts (twelve of the 28 bans) sit in Chinese address space, and another six are in Poland, Hungary, Latvia and Russia. These regions are home to bustling cybercrime industries. The attackers are after credentials and financial data they presume are stored on servers, or simply want to commandeer the machine as a staging ground for attacks on more lucrative targets.
This is just a tiny sample of all attack activity: one sensor, on one port, on one host, on one network segment of the wide internet that attackers point their tools at. Attacks of this and other types, many of them far more commonplace than SSH password guessing, come from the same geographical profile.
How are you defending your network and data from these threats? Do you know about techniques for reducing your exposure? Let’s talk.
Resources
China: Hacker Schools Become Big Business
China View: Training for hackers stirs worry about illegal actions
BlackHat USA 2009: Russian’s Organized Crime Heritage Paved Way For Cybercrime