Attack. 27,000 login attempts in 32 hours from 141.98.9.0/24. According to Blackhat, I'm not alone.

I am under attack. 27,000 login attempts in 32 hours from 141.98.9.0/24. According to Blackhat, I'm not alone. I've set my iptables to drop the traffic. Can Linode do anything further?
The bad requests come to 45.56.76.137:25

4 Replies

It sounds like you’ve already made some great moves by adjusting iptables to drop the traffic! Hopefully this has reduced the effects that you’re feeling from this attack.

Because this IP address isn’t one of ours, we’re limited in the action that we can take.

It looks like the abuse contact for the attacking IP address is:

$ whois 141.98.9.0/24 | grep -i "abuse contact"
% Abuse contact for '141.98.9.0 - 141.98.9.255' is 'Abuse@speedybgp.com'

I would suggest reaching out to them at Abuse@speedybgp.com to report the attack if you haven't already, and hopefully they will mitigate it quickly.

Something that might be useful to you is Fail2ban, which can help in the future with identifying attacks on your Linode, and can also add rules to iptables for you to mitigate attacks.

Use Fail2ban to Secure Your Server
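The reply above describes what Fail2ban does: scan the log for failed logins and turn repeated sources into iptables rules. The following is an added example, not code from the thread or from Fail2ban, that does the same aggregation by /24 for SMTP (port 25) auth failures; the log lines are constructed in a Postfix/SASL-style format, and the threshold and one-hour window are assumptions.

```python
# Count failed SMTP logins per /24 in a sliding window and render DROP rules.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); format mimics Postfix SASL failures.
SAMPLE_LOG = """\
Mar 10 01:00:01 mail postfix/smtpd[1234]: warning: unknown[141.98.9.15]: SASL LOGIN authentication failed: authentication failure
Mar 10 01:00:03 mail postfix/smtpd[1234]: warning: unknown[141.98.9.77]: SASL LOGIN authentication failed: authentication failure
Mar 10 01:00:09 mail postfix/smtpd[1235]: warning: unknown[141.98.9.200]: SASL LOGIN authentication failed: authentication failure
Mar 10 01:05:00 mail postfix/smtpd[1236]: warning: unknown[198.51.100.4]: SASL LOGIN authentication failed: authentication failure
Mar 10 03:00:00 mail postfix/smtpd[1240]: warning: unknown[141.98.9.33]: SASL LOGIN authentication failed: authentication failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?\[(?P<ip>\d+\.\d+\.\d+\.\d+)\]: "
    r"SASL \w+ authentication failed"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip) for each failed SASL login; syslog lines carry no year."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, ipaddress.ip_address(m["ip"])

def abusive_ranges(log_text, threshold=3, window=timedelta(hours=1)):
    """Return {network: peak count} for /24s with >= threshold failures inside one window."""
    by_net = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ts)
    flagged = {}
    for net, times in by_net.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[net] = best
    return flagged

def drop_rules(flagged):
    """Render one iptables rule per flagged range, like the manual rule the poster added."""
    return [f"iptables -I INPUT -s {net} -p tcp --dport 25 -j DROP" for net in sorted(flagged)]
```

With the constructed sample, only 141.98.9.0/24 crosses the threshold (three failures within the first minute; the 03:00 attempt falls outside the window), while the single 198.51.100.4 failure is ignored.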

Thanks for the tips. fail2ban is working. It did add the iptables rules to drop the traffic. Isn't writing to Abuse@speedybgp.com like responding to spam e-mail? I mean, is that helping the bad guy by showing that I'm here and watching and my email address is ….. ?

@philnorcross That's a really interesting question — I consulted our Trust & Safety team on this and had a great discussion which I'll summarize here.

While IP ranges are expensive and contacting their owners is generally low risk (it's much more likely that one of their customers is the source of the abusive traffic), there are certainly measures you can take to protect yourself from retaliation, particularly if the IP owner doesn't look very reputable:

  • First, you could send the report from a temporary, anonymous email address.
  • Second, you could sanitize any log files you include in your report evidencing the abuse traffic to remove references to your own IP addresses (you may want to edit out the reference to your own IP in your original post as well).

Otherwise, if you find that abusive traffic is negatively impacting your business, you'd need to reach out to law enforcement for recourse. Notably, IP address registration authorities like IANA won't be able to help with abuse.

Thanks bbigger. Those are good ideas.
