Network Attackers: Where In The World 2

Time to tally up the new results since my last report on network intruder geolocation using Whois. Will the trend showing two-thirds of attackers as hailing from China, Russia and the former Soviet bloc hold for this new integration period? Place your bets.

2009-08-23 09:21:13,847 fail2ban.actions: WARNING [ssh] Ban 218.32.80.168
2009-08-23 14:44:24,907 fail2ban.actions: WARNING [ssh] Ban 62.60.136.145
2009-08-24 08:49:00,997 fail2ban.actions: WARNING [ssh] Ban 93.186.192.46
2009-08-31 06:14:55,887 fail2ban.actions: WARNING [ssh] Ban 190.2.57.137
2009-08-31 15:14:19,937 fail2ban.actions: WARNING [ssh] Ban 121.78.237.148
2009-09-03 20:00:12,137 fail2ban.actions: WARNING [ssh] Ban 211.157.108.140
2009-09-03 20:19:31,177 fail2ban.actions: WARNING [ssh] Ban 211.157.108.140
2009-09-04 14:39:30,267 fail2ban.actions: WARNING [ssh] Ban 219.143.251.37
2009-09-05 05:46:46,337 fail2ban.actions: WARNING [ssh] Ban 201.27.1.91
2009-09-05 17:51:28,387 fail2ban.actions: WARNING [ssh] Ban 193.194.69.164
2009-09-05 20:02:32,427 fail2ban.actions: WARNING [ssh] Ban 98.124.82.222
2009-09-07 06:33:02,187 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-08 16:17:26,277 fail2ban.actions: WARNING [ssh] Ban 219.134.242.67
2009-09-09 22:49:12,367 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-09-10 04:44:55,447 fail2ban.actions: WARNING [ssh] Ban 222.68.194.69
2009-09-10 16:36:47,517 fail2ban.actions: WARNING [ssh] Ban 124.128.93.118
2009-09-11 06:06:07,627 fail2ban.actions: WARNING [ssh] Ban 93.152.158.26
2009-09-13 08:33:49,037 fail2ban.actions: WARNING [ssh] Ban 212.72.132.166
2009-09-13 14:39:57,127 fail2ban.actions: WARNING [ssh] Ban 208.94.173.137
2009-09-14 10:34:19,207 fail2ban.actions: WARNING [ssh] Ban 12.120.201.208
2009-09-15 12:06:46,279 fail2ban.actions: WARNING [ssh] Ban 118.102.25.161
2009-09-16 03:46:53,866 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-16 15:27:42,936 fail2ban.actions: WARNING [ssh] Ban 211.242.211.44
2009-09-17 11:52:43,066 fail2ban.actions: WARNING [ssh] Ban 174.143.214.143
2009-09-18 03:06:10,136 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-09-18 09:28:54,176 fail2ban.actions: WARNING [ssh] Ban 202.65.129.106
2009-09-18 13:58:47,216 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-09-19 21:27:59,326 fail2ban.actions: WARNING [ssh] Ban 218.206.27.9
2009-09-22 09:32:49,806 fail2ban.actions: WARNING [ssh] Ban 118.213.88.7
2009-09-22 14:17:04,846 fail2ban.actions: WARNING [ssh] Ban 81.200.21.26
2009-09-23 06:10:49,936 fail2ban.actions: WARNING [ssh] Ban 72.249.66.204
2009-09-24 07:05:45,006 fail2ban.actions: WARNING [ssh] Ban 117.41.168.90
2009-09-25 17:23:18,136 fail2ban.actions: WARNING [ssh] Ban 117.135.9.34
2009-09-27 04:08:28,236 fail2ban.actions: WARNING [ssh] Ban 61.129.60.23
2009-09-27 09:28:05,586 fail2ban.actions: WARNING [ssh] Ban 122.200.82.161
2009-09-27 11:13:12,626 fail2ban.actions: WARNING [ssh] Ban 61.152.95.172
2009-09-28 12:08:31,696 fail2ban.actions: WARNING [ssh] Ban 60.251.154.27
2009-09-28 19:05:32,746 fail2ban.actions: WARNING [ssh] Ban 217.24.240.88
2009-09-29 09:10:07,806 fail2ban.actions: WARNING [ssh] Ban 204.124.181.80
2009-09-30 02:53:46,886 fail2ban.actions: WARNING [ssh] Ban 80.48.178.2
2009-10-04 00:38:25,096 fail2ban.actions: WARNING [ssh] Ban 202.106.124.227
2009-10-04 04:24:24,136 fail2ban.actions: WARNING [ssh] Ban 89.43.80.249
2009-10-04 08:34:45,546 fail2ban.actions: WARNING [ssh] Ban 212.50.27.194
2009-10-05 05:14:35,673 fail2ban.actions: WARNING [ssh] Ban 58.61.149.213
2009-10-05 21:58:46,756 fail2ban.actions: WARNING [ssh] Ban 95.156.204.6
2009-10-06 10:57:48,836 fail2ban.actions: WARNING [ssh] Ban 124.116.26.6
2009-10-06 18:30:14,906 fail2ban.actions: WARNING [ssh] Ban 82.226.213.131
2009-10-07 08:40:50,956 fail2ban.actions: WARNING [ssh] Ban 91.187.129.20
2009-10-07 09:46:52,006 fail2ban.actions: WARNING [ssh] Ban 203.92.35.148

Attackers certainly got down to business, attacking 49 times over the course of 46 days, a 75% increase in attack volume over the previous period of like duration. Attacks originated from 43 different hosts, three of which were repeat offenders. Host address 80.48.178.2 topped the “serial offender” category, getting banned four times in a 23 day window. Host address 61.129.60.23 got banned three times in a 19 day window.

Turning to the Whois registries for the geographic locations of our new friends, we find:

IP address        Registry    Registrant, Location
218.32.80.168     APNIC       New Centry InfoComm, Taipei, Taiwan
62.60.136.145     RIPE        Iranian Research Org Sci/Tech, Tehran, Iran
93.186.192.46     RIPE        Fast IT GmbH, Dusseldorf, Germany
190.2.57.137      LACNIC      NSS S.A., Buenos Aires, Argentina
121.78.237.148    APNIC       Kinx Inc, Seoul, South Korea
211.157.108.140   APNIC       Chinacomm, Beijing, China
219.143.251.37    APNIC       Jewim Pharmaceutical Inc, Beijing, China
201.27.1.91       LACNIC      Telecom De Sao Paulo S.A., Sao Paulo, Brazil
193.194.69.164    AfriNIC     Research Ctr Sci/Tech Info, Algiers, Algeria
98.124.82.222     ARIN        Home Telephone Co Inc, Moncks Corner, SC, USA
80.48.178.2       RIPE        ART-COM s.c., Kamiensk, Poland
219.134.242.67    APNIC       "Big Customer Department", Guangzhou, China
61.129.60.23      APNIC       Shanghai Tel Corp EDI Branch, Shanghai, China
222.68.194.69     APNIC       China Telecom, Shanghai Province, China
124.128.93.118    APNIC       Jinan Xinyueliang Net Bar, Shandong Prv, China
93.152.158.26     RIPE        OnlineDirect, Sofia, Bulgaria
212.72.132.166    RIPE        Sa*Net Network, Tbilisi, Georgia
208.94.173.137    ARIN        Carrier Connex Inc, Toronto, Ontario, Canada
12.120.201.208    ARIN        AT&T WorldNet Services, Morristown, NJ, USA
118.102.25.161    APNIC       Langfang Univ Devlpmt Area, Hebei Prv, China
211.242.211.44    APNIC       Dreamline Co, Seoul, South Korea
174.143.214.143   ARIN        Rackspace/Slicehost, San Antonio, TX, USA
202.65.129.106    APNIC       Pioneer Online Pvt Ltd, Hyderabad, India
218.206.27.9      APNIC       China Mobile, Chongqing, China
118.213.88.7      APNIC       Xi Ning Telecom, QingHai Province, China
81.200.21.26      RIPE        SU29 Telecom, Moscow, Russia
72.249.66.204     ARIN        Colo4Dallas/RimuHosting, Dallas, TX, USA
117.41.168.90     APNIC       China Telecom, Jiangxi Province, China
117.135.9.34      APNIC       China Mobile, Beijing, China
122.200.82.161    APNIC       HeJu ShuZi Telecom Engg, Beijing, China
61.152.95.172     APNIC       China Telecom, Shanghai Province, China
60.251.154.27     APNIC       Chunghwa Telecom, Taipei, Taiwan
217.24.240.88     RIPE        Albtelecom Sh.a., Tirana, Albania
204.124.181.80    ARIN        VolumeDrive, Clarks Summit, PA, USA
202.106.124.227   APNIC       China Unicom, Beijing, China
89.43.80.249      RIPE        Sc Century Net SRL, Suceava, Romania
212.50.27.194     RIPE        ProGroup BG, Rousse, Bulgaria
58.61.149.213     APNIC       China Telecom, Guangdong Province, China
95.156.204.6      RIPE        Weblino.de, Polch, Germany
124.116.26.6      APNIC       China Telecom, Shanxi Province, China
82.226.213.131    RIPE        Proxad / Free SAS, Paris, France
91.187.129.20     RIPE        Bolnica Valjevo, Belgrade, Serbia
203.92.35.148     APNIC       Spectranet, New Delhi, India

To reiterate, the named registrants are network owners and operators, usually local ISPs, who are non-complicit bystanders in this hackery and do not represent the attackers themselves. (But a few do have hilarious names. E.g., Please hold while I transfer you to “Big Customer Department”.)

Finally, the results:

SSH Scans by Region

The trend from last time remains intact: Attacks tend to originate from the bustling cybercrime industries of China, Russia, and the environs of Eastern Europe a.k.a. the former Soviet bloc, arriving from these zones roughly two-thirds of the time. Highlighting the trend, our 4x serial attacker was located in Poland, and our 3x serial attacker in Shanghai.

Something bothered me about this analysis: What if some originating hosts were themselves drone systems, previously compromised by a hacker in an entirely different zone from their given location, mounting intrusion attempts through them from a posture of indirection. Could this throw off the results? Thinking about it, I concluded that while definitely present, it cuts both ways. Attackers in China could be one hop behind attacks appearing to originate from the USA, just as well as attackers from the USA could be one hop behind attacks appearing to originate from Russia, just as well as attackers from Zimbabwe could be one hop behind attacks appearing to originate from Germany, etc. On balance, we may assume these effects cancel each other out. What’s more, if attackers are geographically concentrated, and an indirection effect is present, it would tend to skew the data away from the concentrations, implying that attackers are even more strongly concentrated than first inferred.

I noticed a number of users discussing this same trend on various blogs and security forums have taken this finding and run with it, and blocked, for example, the entire .ru country code from their network. Aggressive, but questionably effective, and not something I practice… but an example of countermeasures one could mount.

If you have exposure to the wide area network, and you prefer not to have your personal and customer data breached, your systems defaced and your ability to do business interrupted, it is crucial to mitigate your risk to network intrusion, and many other salient security risks, with appropriate countermeasures. I can show you techniques for preventing attackers from breaking in to your systems. Don’t wait until the damage is done!

Resources

Wikipedia: WHOIS

ARIN Whois Lookup

APNIC Whois Lookup

RIPE Whois Lookup

LACNIC Whois Lookup

AfriNIC Whois Lookup

Posted in Network Security

Leave a Reply

Your email address will not be published. Required fields are marked *

*


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Top