Time to tally up the new results since my last report on network intruder geolocation using Whois. Will the trend from last time, with two-thirds of attackers hailing from China, Russia and the former Soviet bloc, hold for this new observation period? Place your bets.
2009-08-23 09:21:13,847 fail2ban.actions: WARNING [ssh] Ban 218.32.80.168
2009-08-23 14:44:24,907 fail2ban.actions: WARNING [ssh] Ban 62.60.136.145
2009-08-24 08:49:00,997 fail2ban.actions: WARNING [ssh] Ban 93.186.192.46
2009-08-31 06:14:55,887 fail2ban.actions: WARNING [ssh] Ban 190.2.57.137
2009-08-31 15:14:19,937 fail2ban.actions: WARNING [ssh] Ban 121.78.237.148
2009-09-03 20:00:12,137 fail2ban.actions: WARNING [ssh] Ban 211.157.108.140
2009-09-03 20:19:31,177 fail2ban.actions: WARNING [ssh] Ban 211.157.108.140
2009-09-04 14:39:30,267 fail2ban.actions: WARNING [ssh] Ban 219.143.251.37
2009-09-05 05:46:46,337 fail2ban.actions: WARNING [ssh] Ban 201.27.1.91
2009-09-05 17:51:28,387 fail2ban.actions: WARNING [ssh] Ban 193.194.69.164
2009-09-05 20:02:32,427 fail2ban.actions: WARNING [ssh] Ban 98.124.82.222
2009-09-07 06:33:02,187 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-08 16:17:26,277 fail2ban.actions: WARNING [ssh] Ban 219.134.242.67
2009-09-09 22:49:12,367 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-09-10 04:44:55,447 fail2ban.actions: WARNING [ssh] Ban 222.68.194.69
2009-09-10 16:36:47,517 fail2ban.actions: WARNING [ssh] Ban 124.128.93.118
2009-09-11 06:06:07,627 fail2ban.actions: WARNING [ssh] Ban 93.152.158.26
2009-09-13 08:33:49,037 fail2ban.actions: WARNING [ssh] Ban 212.72.132.166
2009-09-13 14:39:57,127 fail2ban.actions: WARNING [ssh] Ban 208.94.173.137
2009-09-14 10:34:19,207 fail2ban.actions: WARNING [ssh] Ban 12.120.201.208
2009-09-15 12:06:46,279 fail2ban.actions: WARNING [ssh] Ban 118.102.25.161
2009-09-16 03:46:53,866 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-16 15:27:42,936 fail2ban.actions: WARNING [ssh] Ban 211.242.211.44
2009-09-17 11:52:43,066 fail2ban.actions: WARNING [ssh] Ban 174.143.214.143
2009-09-18 03:06:10,136 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-18 09:28:54,176 fail2ban.actions: WARNING [ssh] Ban 202.65.129.106
2009-09-18 13:58:47,216 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-09-19 21:27:59,326 fail2ban.actions: WARNING [ssh] Ban 218.206.27.9
2009-09-22 09:32:49,806 fail2ban.actions: WARNING [ssh] Ban 118.213.88.7
2009-09-22 14:17:04,846 fail2ban.actions: WARNING [ssh] Ban 81.200.21.26
2009-09-23 06:10:49,936 fail2ban.actions: WARNING [ssh] Ban 72.249.66.204
2009-09-24 07:05:45,006 fail2ban.actions: WARNING [ssh] Ban 117.41.168.90
2009-09-25 17:23:18,136 fail2ban.actions: WARNING [ssh] Ban 117.135.9.34
2009-09-27 04:08:28,236 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-09-27 09:28:05,586 fail2ban.actions: WARNING [ssh] Ban 122.200.82.161
2009-09-27 11:13:12,626 fail2ban.actions: WARNING [ssh] Ban 61.152.95.172
2009-09-28 12:08:31,696 fail2ban.actions: WARNING [ssh] Ban 60.251.154.27
2009-09-28 19:05:32,746 fail2ban.actions: WARNING [ssh] Ban 217.24.240.88
2009-09-29 09:10:07,806 fail2ban.actions: WARNING [ssh] Ban 204.124.181.80
2009-09-30 02:53:46,886 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-10-04 00:38:25,096 fail2ban.actions: WARNING [ssh] Ban 202.106.124.227
2009-10-04 04:24:24,136 fail2ban.actions: WARNING [ssh] Ban 89.43.80.249
2009-10-04 08:34:45,546 fail2ban.actions: WARNING [ssh] Ban 212.50.27.194
2009-10-05 05:14:35,673 fail2ban.actions: WARNING [ssh] Ban 58.61.149.213
2009-10-05 21:58:46,756 fail2ban.actions: WARNING [ssh] Ban 95.156.204.6
2009-10-06 10:57:48,836 fail2ban.actions: WARNING [ssh] Ban 124.116.26.6
2009-10-06 18:30:14,906 fail2ban.actions: WARNING [ssh] Ban 82.226.213.131
2009-10-07 08:40:50,956 fail2ban.actions: WARNING [ssh] Ban 91.187.129.20
2009-10-07 09:46:52,006 fail2ban.actions: WARNING [ssh] Ban 203.92.35.148
Attackers certainly got down to business: 49 bans over the course of 46 days, a 75% increase in attack volume over the previous period of like duration. The bans came from 43 distinct hosts, three of which were repeat offenders. Host 80.48.178.2 topped the "serial offender" category, banned four times in a 23-day window; 61.129.60.23 was banned three times in an 18-day window; and 211.157.108.140 was banned twice within twenty minutes on the evening of September 3. A host that gets banned again days later is a reminder that a fail2ban ban expires (the default bantime is ten minutes) and a persistent attacker simply comes back.
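The tally above is easy to reproduce from the log. The following is an added example, not the post's own script: it parses fail2ban 0.8-style "Ban" lines, counts bans and distinct hosts, and reports each repeat offender with the span between its first and last ban. The embedded log is a constructed subset of the page's own lines plus one "Unban" line, included to show that the filter only counts Ban events.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the ban lines shown on this page, plus an
# Unban line in the same format. Not the full log from the post.
SAMPLE_LOG = """\
2009-09-07 06:33:02,187 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-09 22:49:12,367 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-09-16 03:46:53,866 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-18 03:06:10,136 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-18 13:58:47,216 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-09-22 14:17:04,846 fail2ban.actions: WARNING [ssh] Ban 81.200.21.26
2009-09-27 04:08:28,236 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-09-30 02:53:46,886 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-30 03:03:46,886 fail2ban.actions: WARNING [ssh] Unban 80.48.178.2
"""

# Only "Ban" events count. "Unban" lines share the prefix, and the literal
# "] Ban " in the pattern keeps them out.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r"fail2ban\.actions: WARNING \[(?P<jail>[\w-]+)\] Ban "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_bans(log_text, jail="ssh"):
    """Return a time-ordered list of (timestamp, ip) for Ban lines of one jail."""
    events = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m and m.group("jail") == jail:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return sorted(events)


def tally(events):
    """Summarise ban events: totals, distinct hosts, rate, and repeat offenders.

    window_days for a repeat offender is the span from its first to its last
    ban, so a host banned four times in 23 days reports 23-ish, not 4.
    """
    by_ip = defaultdict(list)
    for ts, ip in events:          # events are sorted, so stamps stay ordered
        by_ip[ip].append(ts)

    repeat = {}
    for ip, stamps in by_ip.items():
        if len(stamps) > 1:
            span = (stamps[-1] - stamps[0]).total_seconds() / 86400
            repeat[ip] = {"bans": len(stamps), "window_days": round(span, 1)}

    period = (events[-1][0] - events[0][0]).total_seconds() / 86400 if events else 0
    return {
        "bans": len(events),
        "hosts": len(by_ip),
        "bans_per_day": round(len(events) / period, 2) if period else None,
        # most-banned host first
        "repeat_offenders": dict(sorted(repeat.items(), key=lambda kv: -kv[1]["bans"])),
    }


if __name__ == "__main__":
    for ip, info in tally(parse_bans(SAMPLE_LOG))["repeat_offenders"].items():
        print(f"{ip:16} banned {info['bans']}x over {info['window_days']} days")
```

Run it against the real file with `tally(parse_bans(open("/var/log/fail2ban.log").read()))`. The per-jail filter matters on a host with more than one jail, since the `[ssh]` tag is the only thing separating SSH bans from, say, a mail jail in the same log.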
Turning to the Whois services of the regional Internet registries (APNIC, RIPE, ARIN, LACNIC and AfriNIC) for the registered owners and locations of our new friends, we find:
IP address       Registry  Registrant, Location
---------------  --------  ------------------------------------------------
218.32.80.168    APNIC     New Century InfoComm, Taipei, Taiwan
62.60.136.145    RIPE      Iranian Research Org Sci/Tech, Tehran, Iran
93.186.192.46    RIPE      Fast IT GmbH, Dusseldorf, Germany
190.2.57.137     LACNIC    NSS S.A., Buenos Aires, Argentina
121.78.237.148   APNIC     Kinx Inc, Seoul, South Korea
211.157.108.140  APNIC     Chinacomm, Beijing, China
219.143.251.37   APNIC     Jewim Pharmaceutical Inc, Beijing, China
201.27.1.91      LACNIC    Telecom De Sao Paulo S.A., Sao Paulo, Brazil
193.194.69.164   AfriNIC   Research Center Sci/Tech Info, Algiers, Algeria
98.124.82.222    ARIN      Home Telephone Co Inc, Moncks Corner, SC, USA
80.48.178.2      RIPE      ART-COM s.c., Kamiensk, Poland
219.134.242.67   APNIC     "Big Customer Department", Guangzhou, China
61.129.60.23     APNIC     Shanghai Telecom Corp EDI Branch, Shanghai, China
222.68.194.69    APNIC     China Telecom, Shanghai Province, China
124.128.93.118   APNIC     Jinan Xinyueliang Net Bar, Shandong Province, China
93.152.158.26    RIPE      OnlineDirect, Sofia, Bulgaria
212.72.132.166   RIPE      Sa*Net Network, Tbilisi, Georgia
208.94.173.137   ARIN      Carrier Connex Inc, Toronto, Ontario, Canada
12.120.201.208   ARIN      AT&T WorldNet Services, Morristown, NJ, USA
118.102.25.161   APNIC     Langfang University Development Area, Hebei Province, China
211.242.211.44   APNIC     Dreamline Co, Seoul, South Korea
174.143.214.143  ARIN      Rackspace/Slicehost, San Antonio, TX, USA
202.65.129.106   APNIC     Pioneer Online Pvt Ltd, Hyderabad, India
218.206.27.9     APNIC     China Mobile, Chongqing, China
118.213.88.7     APNIC     Xi Ning Telecom, QingHai Province, China
81.200.21.26     RIPE      SU29 Telecom, Moscow, Russia
72.249.66.204    ARIN      Colo4Dallas/RimuHosting, Dallas, TX, USA
117.41.168.90    APNIC     China Telecom, Jiangxi Province, China
117.135.9.34     APNIC     China Mobile, Beijing, China
122.200.82.161   APNIC     HeJu ShuZi Telecom Engineering, Beijing, China
61.152.95.172    APNIC     China Telecom, Shanghai Province, China
60.251.154.27    APNIC     Chunghwa Telecom, Taipei, Taiwan
217.24.240.88    RIPE      Albtelecom Sh.a., Tirana, Albania
204.124.181.80   ARIN      VolumeDrive, Clarks Summit, PA, USA
202.106.124.227  APNIC     China Unicom, Beijing, China
89.43.80.249     RIPE      Sc Century Net SRL, Suceava, Romania
212.50.27.194    RIPE      ProGroup BG, Rousse, Bulgaria
58.61.149.213    APNIC     China Telecom, Guangdong Province, China
95.156.204.6     RIPE      Weblino.de, Polch, Germany
124.116.26.6     APNIC     China Telecom, Shanxi Province, China
82.226.213.131   RIPE      Proxad / Free SAS, Paris, France
91.187.129.20    RIPE      Bolnica Valjevo, Belgrade, Serbia
203.92.35.148    APNIC     Spectranet, New Delhi, India
To reiterate: the named registrants are the network owners and operators, usually local ISPs, whose address space the attacks came from. They are non-complicit bystanders in this hackery and do not represent the attackers themselves. Keep in mind, too, that the location is the registrant's declared address for the block, not a measured position of the host. (But a few do have hilarious names. E.g., please hold while I transfer you to "Big Customer Department".)
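Building a table like the one above by hand means running `whois <address>` per host (the `whois` client follows IANA's referral to the right registry; `whois -h whois.ripe.net <address>` asks one registry directly) and picking the network name, registrant and country out of replies whose layout differs by registry. The following added example, not the post's own tooling, parses the three layouts a practitioner meets: the RPSL style used by RIPE and APNIC, the ARIN style, and the LACNIC style. The replies embedded below are constructed with documentation addresses, not captured from the hosts in this post. It also handles the caveat above: it reads `country:` only from the network object itself (not from organisation or contact objects that follow it), and it discards the `EU` pseudo-code that some RIPE allocations carry.

```python
import re

# Constructed replies in the layouts returned by the RIRs; illustrative values only.
RIPE_STYLE = """\
% This is the RIPE Database query service.
% The objects are in RPSL format.

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example Telecom s.c.
country:        PL
org:            ORG-EX1-RIPE
source:         RIPE # Filtered

organisation:   ORG-EX1-RIPE
org-name:       Example Holdings Ltd
country:        GB
source:         RIPE # Filtered
"""

ARIN_STYLE = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-HOSTING
OrgName:        Example Hosting Inc
City:           Dallas
StateProv:      TX
Country:        US
"""

LACNIC_STYLE = """\
% Joint Whois - whois.lacnic.net

inetnum:     203.0.113/24
status:      allocated
owner:       Example S.A.
ownerid:     AR-EXSA-LACNIC
country:     AR
"""

EU_STYLE = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-EU
descr:          Example Pan-European Carrier
country:        EU # Country is really world wide
"""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.*?)\s*$")
NET_KEYS = {"inetnum", "netrange"}          # attributes that mark the network object
ORG_KEYS = ("orgname", "org-name", "owner", "descr", "netname")   # registrant, by preference


def _objects(text):
    """Split a reply into blank-line-separated objects of (key, value) pairs, skipping comments."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line.lstrip().startswith(("%", "#")):   # RIPE/APNIC and ARIN comment lines
            continue
        m = FIELD_RE.match(line)
        if m:
            current.append((m.group(1).lower(), m.group(2)))
    if current:
        objects.append(current)
    return objects


def parse_whois(text):
    """Return {'netname', 'registrant', 'country'} for the network object in a whois reply, or None."""
    net = next((o for o in _objects(text) if any(k in NET_KEYS for k, _ in o)), None)
    if net is None:
        return None
    fields = {}
    for key, value in net:
        fields.setdefault(key, value)        # first occurrence wins (multi-line descr:)
    registrant = next((fields[k] for k in ORG_KEYS if k in fields), None)
    country = fields.get("country")
    if country is not None:
        country = country.split()[0].upper()  # strip trailing "# comment"
        if country == "EU" or not re.fullmatch(r"[A-Z]{2}", country):
            country = None                    # pseudo-code or garbage: unknown, not a location
    return {"netname": fields.get("netname"), "registrant": registrant, "country": country}
```

Feeding `subprocess.run(["whois", ip], capture_output=True, text=True).stdout` into `parse_whois` gives the (registrant, country) pair per host; the registry name itself is whichever server the client was referred to. Rate-limit the loop, since the RIR Whois servers throttle clients that query a few hundred addresses in a burst.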
Finally, the results:
The trend from last time remains intact: attacks tend to originate from the bustling cybercrime industries of China, Russia, and the environs of Eastern Europe, a.k.a. the former Soviet bloc, arriving from these zones roughly two-thirds of the time. Highlighting the trend, our 4x serial attacker was located in Poland, and our 3x serial attacker in Shanghai.
Something bothered me about this analysis: what if some originating hosts were themselves drone systems, previously compromised by a hacker in an entirely different zone from their given location, who mounts intrusion attempts through them from a posture of indirection? Could this throw off the results? Thinking about it, I concluded that while definitely present, it cuts both ways. Attackers in China could be one hop behind attacks appearing to originate from the USA, just as well as attackers from the USA could be one hop behind attacks appearing to originate from Russia, just as well as attackers from Zimbabwe could be one hop behind attacks appearing to originate from Germany, etc. On balance, we may assume these effects cancel each other out. What's more, if attackers are geographically concentrated and an indirection effect is present, it would tend to skew the data away from the concentrations, implying that attackers are even more strongly concentrated than first inferred.
I noticed that a number of users discussing this same trend on various blogs and security forums have taken this finding and run with it, and blocked, for example, the entire .ru country code from their network. Aggressive, but questionably effective, and not something I practice... but an example of countermeasures one could mount.
If you have exposure to the wide area network, and you prefer not to have your personal and customer data breached, your systems defaced and your ability to do business interrupted, it is crucial to mitigate your risk of network intrusion, and many other salient security risks, with appropriate countermeasures. I can show you techniques for preventing attackers from breaking into your systems. Don't wait until the damage is done!