Absurd Amount of Miscreant Activity Lately

These are just the IPs blocked and reported by my servers in 12 minutes.

Someone must have released a new SSH brute force tool because attacks on SSHD have outnumbered everything else combined for the past five days or so, even including port scans, which are usually number one.

Richard

I see quite a few are from India. Sad that my country’s government is leading the world in internet shutdowns but not shutting down online scammers and crackers.


I suspect that most of the entities that own the IPs have little or no association with the people doing the mischief. That’s why my own blocklists are self-rehabilitating. Every new attack resets the clock, as it were. If the attacks cease, the IP is removed from the database about three days later. Most of the IP owners are innocent.

It’s like spam. Addresses on Gmail and on Microsoft’s various email domains together account for 80 - 90 percent of my incoming spam. But it’s not Google or Microsoft who are sending the spam.

Richard

I have no idea about what is going on, though in all fairness, I also see an increase in the attack rate on SSH. Currently most of my machines have about 40 IPs banned, some of which are in the same /16 or even /24 as the IPs from the OP.

It is nowhere near the level of what was happening when the war in Ukraine started; I had a few days with over 100 banned IPs in the lists then, though I for sure agree that there seems to be something happening again.

Steven


Right now I have 5,887 IPs in the database. Those have all been banned / reported in the past 72 to 96 hours. The cron job to prune the database (and thus rehabilitate the IPs) runs every night and removes all IPs that haven’t offended for 72 hours.

The database represents the total of all reports of mischief of any sort made by any of the servers in the cohort. SSHD attacks have been predominating for the past few days.

Richard
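One way to implement the self-rehabilitating blocklist described in the two posts above (a repeat offence resets an IP's clock; a nightly prune drops any IP quiet for 72 hours), as an added Python example that is not code from the thread or from the poster's servers. The sshd log format, the RFC 5737 documentation addresses and the timestamps are constructed sample input; the 72-hour window is the figure given in the thread.

```python
"""Self-rehabilitating SSH blocklist modelled on the scheme described in the thread."""
import re
from datetime import datetime, timedelta

# Rehabilitation window as stated in the thread: an IP that has not offended
# for 72 hours is removed by the nightly prune.
REHAB_WINDOW = timedelta(hours=72)

# Constructed sample sshd log lines (RFC 5737 documentation addresses, not real attackers).
SAMPLE_LOG = """\
2024-01-01T00:00:00 sshd[101]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
2024-01-01T01:00:00 sshd[102]: Failed password for root from 198.51.100.7 port 40001 ssh2
2024-01-03T00:00:00 sshd[103]: Failed password for invalid user test from 192.0.2.10 port 51300 ssh2
"""
LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for .* from (\S+) port \d+")


def parse_reports(log_text):
    """Yield (timestamp, ip) for each failed-login line; other lines are ignored."""
    reports = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            reports.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return reports


class Blocklist:
    """Maps each offending IP to the time of its most recent report."""

    def __init__(self):
        self.last_seen = {}  # ip -> datetime of latest offence

    def report(self, ip, when):
        """Record an offence; a repeat offence resets the IP's clock."""
        if ip not in self.last_seen or when > self.last_seen[ip]:
            self.last_seen[ip] = when

    def prune(self, now):
        """Nightly job: drop IPs quiet for at least REHAB_WINDOW; return what was removed."""
        expired = sorted(ip for ip, t in self.last_seen.items() if now - t >= REHAB_WINDOW)
        for ip in expired:
            del self.last_seen[ip]
        return expired

    def banned(self):
        return sorted(self.last_seen)


def demo():
    """Ingest the sample log, then run the prune as it would fire at 2024-01-05 00:00."""
    bl = Blocklist()
    for when, ip in parse_reports(SAMPLE_LOG):
        bl.report(ip, when)
    removed = bl.prune(datetime(2024, 1, 5, 0, 0))
    return removed, bl.banned()  # 198.51.100.7 is 95 h quiet; 192.0.2.10 re-offended at 48 h
```

Only 198.51.100.7 is rehabilitated: 192.0.2.10 re-offended on 2024-01-03, which reset its clock to 48 hours before the prune.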