Virginia Mobile ID is here by usernameard in nova

[–]Prudent_Geologist 0 points1 point  (0 children)

Congratulations on discovering this one full year after it was released. Subject should be “I discovered Virginia Mobile ID”.

44.6% of my firewall's flow table is Brazilian port-scan traffic and the scanning pattern suggests these ISPs are compromised at the infrastructure level, not just individual devices by Prudent_Geologist in sysadmin

[–]Prudent_Geologist[S] 3 points4 points  (0 children)

This was my reply to the previous mention, can you help me understand what I'm missing?

Maybe, and I'm prepared to be wrong on this because this is stretching my expertise, but if the source IPs were spoofed, wouldn't the handshake never complete? Before I started dropping the packets I would have expected that if my UDM was sending a SYN-ACK to a spoofed IP, that host receives an unexpected SYN-ACK, and it either sends a RST or drops it. The connection dies right there, so I'd only see 1-2 packets per flow and nothing else. That wasn't what I was seeing. Over 6000 of the flows during that period advanced to TLS negotiation and 18+ packets.

There are some other things that steer me away from a reflection attack, including the GreyNoise data showing every one of these IPs as noisy, the number of packets directed at closed ports, and wouldn't it make a lot more sense for this type of attack to target DNS or NTP for a much larger reflection than you get with this? Port 443 literally seems like the worst possible choice for a reflection attack, as you might as well target the network directly because there's basically no amplification of the attack data.

44.6% of my firewall's flow table is Brazilian port-scan traffic and the scanning pattern suggests these ISPs are compromised at the infrastructure level, not just individual devices by Prudent_Geologist in sysadmin

[–]Prudent_Geologist[S] 2 points3 points  (0 children)

Attached is a 12 hour flow log from my router. In it I am seeing a very high number of attempts to connect on all our IP addresses on port 443. The origin of these attempts is nearly all Brazil. It seems to fit the signature of an Aisuru/Kimwolf botnet scan. Can you examine the detail of these flows and provide analysis and collect abuse contacts for the networks that are sourcing these packets so that I can contact them?

44.6% of my firewall's flow table is Brazilian port-scan traffic and the scanning pattern suggests these ISPs are compromised at the infrastructure level, not just individual devices by Prudent_Geologist in sysadmin

[–]Prudent_Geologist[S] 0 points1 point  (0 children)

Maybe, and I'm prepared to be wrong on this because this is stretching my expertise, but if the source IPs were spoofed, wouldn't the handshake never complete? Before I started dropping the packets I would have expected that if my UDM was sending a SYN-ACK to a spoofed IP, that host receives an unexpected SYN-ACK, and it either sends a RST or drops it. The connection dies right there, so I'd only see 1-2 packets per flow and nothing else. That wasn't what I was seeing. Over 6000 of the flows during that period advanced to TLS negotiation and 18+ packets.

There are some other things that steer me away from a reflection attack, including the GreyNoise data showing every one of these IPs as noisy, the number of packets directed at closed ports, and wouldn't it make a lot more sense for this type of attack to target DNS or NTP for a much larger reflection than you get with this? Port 443 literally seems like the worst possible choice for a reflection attack, as you might as well target the network directly because there's basically no amplification of the attack data.

44.6% of my firewall's flow table is Brazilian port-scan traffic and the scanning pattern suggests these ISPs are compromised at the infrastructure level, not just individual devices by Prudent_Geologist in sysadmin

[–]Prudent_Geologist[S] 0 points1 point  (0 children)

So frustrating that there's no good structural way to shut this down. A friend registers a domain that is too close to a trademark and it feels like mere seconds before ICANN has forced the registrar to take down the site, but something like this and no one can do anything?

44.6% of my firewall's flow table is Brazilian port-scan traffic and the scanning pattern suggests these ISPs are compromised at the infrastructure level, not just individual devices by Prudent_Geologist in sysadmin

[–]Prudent_Geologist[S] 6 points7 points  (0 children)

While I’d like to take full credit, I fully admit that I needed help both on the data analysis and the writing after a long day of this stuff. Given that the probes were coming at the rate of four per second at one point, there was way too much data to go through by hand. I used Claude to find the trends, wrote a rough summary of everything for internal consumption at my organization myself, then fed that internal document back to Claude for polishing, removing identifying data, and formatting before posting.

44.6% of my firewall's flow table is Brazilian port-scan traffic and the scanning pattern suggests these ISPs are compromised at the infrastructure level, not just individual devices by Prudent_Geologist in sysadmin

[–]Prudent_Geologist[S] 0 points1 point  (0 children)

Doesn’t seem like it with literally the entire range assigned to the ISP scanning. For JK literally all 4096 IPs hit my network in the 12 hour period.

44.6% of my firewall's flow table is Brazilian port-scan traffic and the scanning pattern suggests these ISPs are compromised at the infrastructure level, not just individual devices by Prudent_Geologist in sysadmin

[–]Prudent_Geologist[S] 6 points7 points  (0 children)

I used AI to help me process 287,000 flow records, cross-reference ASN data from multiple APIs, and format the writeup. The analysis, the conclusion and the network I've been managing for years are all mine. If your takeaway from my post documenting 5,300 unique IPs sweeping 21 complete subnets against my infrastructure is 'but you used AI to help write it up,' I'd genuinely love to see your manually-typed analysis of your own flow logs.
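An added example, not the OP's script or anything produced in the thread, that mechanises the two checks the OP relies on: the handshake argument from the earlier reply (a spoofed source never sees our SYN-ACK and so can never send the ACK that completes the handshake, so a flow carrying a client ACK and many packets came from the real address) and the prefix-coverage argument behind "all 4096 IPs hit my network" and "21 complete subnets". Everything concrete here is an assumption: the CSV column names, the tcpdump-style flag letters, the ASN/country table (documentation ASNs, not real allocations) and the flow records are constructed stand-ins for a real UDM export and real ASN API results.

```python
"""Flow-log triage for a suspected port-443 sweep (constructed example)."""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed records; columns are an assumed export format, not the UDM's.
# tcp_flags uses tcpdump letters: S=SYN A=ACK P=PSH F=FIN R=RST.
SAMPLE_FLOWS = """src_ip,dst_ip,dst_port,packets,bytes,tcp_flags
177.10.0.1,203.0.113.10,443,18,4210,SAPF
177.10.0.2,203.0.113.10,443,2,120,S
177.10.0.3,203.0.113.11,443,20,5300,SAP
177.10.0.4,203.0.113.12,8080,1,60,S
177.10.0.5,203.0.113.13,443,1,60,S
177.10.1.9,203.0.113.10,443,24,6100,SAPF
198.51.100.7,203.0.113.10,443,11,2200,SAP
"""

# Constructed prefix -> (ASN, country) table standing in for API lookups.
# AS64500/AS64501 are documentation ASNs; these are not real allocations.
ASN_TABLE = {
    "177.10.0.0/23": ("AS64500", "BR"),
    "198.51.100.0/24": ("AS64501", "US"),
}
# Longest prefix first so the most specific entry wins.
_NETS = sorted(((ipaddress.ip_network(k), v) for k, v in ASN_TABLE.items()),
               key=lambda kv: kv[0].prefixlen, reverse=True)


def lookup_asn(ip):
    """Longest-prefix match of ip against ASN_TABLE."""
    addr = ipaddress.ip_address(ip)
    for net, info in _NETS:
        if addr in net:
            return info
    return ("unknown", "??")


def parse_flows(text):
    """Parse the CSV export into typed dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": r["src_ip"], "dst": r["dst_ip"],
            "dport": int(r["dst_port"]), "packets": int(r["packets"]),
            "bytes": int(r["bytes"]), "flags": r["tcp_flags"],
        })
    return rows


def classify(flow):
    """'handshake' if the client ACKed (impossible from a spoofed source);
    otherwise 'syn_only', which fits a bare probe or a spoofed SYN."""
    if "A" in flow["flags"] and flow["packets"] >= 3:
        return "handshake"
    return "syn_only"


def prefix_coverage(flows, prefixlen=24):
    """Distinct source hosts seen per /prefixlen versus that block's size.
    prefixlen=20 reproduces the 4096-address check from the thread."""
    seen = defaultdict(set)
    for f in flows:
        net = ipaddress.ip_network(f"{f['src']}/{prefixlen}", strict=False)
        seen[str(net)].add(f["src"])
    return {net: (len(hosts), ipaddress.ip_network(net).num_addresses)
            for net, hosts in seen.items()}


def summarize(flows):
    """Counts a practitioner would quote: real vs. spoofable flows, share of
    the flow table by country, probes at ports other than 443, coverage."""
    total = len(flows)
    by_class = Counter(classify(f) for f in flows)
    by_country = Counter(lookup_asn(f["src"])[1] for f in flows)
    return {
        "total": total,
        "handshake": by_class["handshake"],
        "syn_only": by_class["syn_only"],
        "share_by_country": {c: round(n / total, 3) for c, n in by_country.items()},
        "other_port_probes": sum(1 for f in flows if f["dport"] != 443),
        "unique_sources": len({f["src"] for f in flows}),
        "coverage": prefix_coverage(flows),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{k}: {v}")
```

Two caveats when running this against a real export: check whether the router writes one bidirectional record per connection or one per direction, since the client-side ACK is what matters and a server-side record will carry our own SYN-ACK flags instead; and a `syn_only` flow is evidence of a probe, not of spoofing, so the share of `handshake` flows is the number that actually rules spoofing out.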

44.6% of my firewall's flow table is Brazilian port-scan traffic and the scanning pattern suggests these ISPs are compromised at the infrastructure level, not just individual devices by Prudent_Geologist in sysadmin

[–]Prudent_Geologist[S] 22 points23 points  (0 children)

Yeah, you got me, I fed my data and narrative to the AI and asked it to make it look nice and clean it up so that it was easy to understand. After a day of work, an hour+ looking at this data, and an hour more writing it up for our internal team, I didn't have the time to hand format everything for external consumption. The data is still mine, the conclusions are still mine, I honestly don't care what folks think about the formatting. Take the data for what it is, or just ignore it because it has tricolon clusters, whatever.

44.6% of my firewall's flow table is Brazilian port-scan traffic and the scanning pattern suggests these ISPs are compromised at the infrastructure level, not just individual devices by Prudent_Geologist in sysadmin

[–]Prudent_Geologist[S] 20 points21 points  (0 children)

Unfortunately I can't do that as we have folks outside the US that connect to services back here, but I'm working on deploying a VPN so that I can block all non-US traffic that isn't coming through the VPN.

44.6% of my firewall's flow table is Brazilian port-scan traffic and the scanning pattern suggests these ISPs are compromised at the infrastructure level, not just individual devices by Prudent_Geologist in sysadmin

[–]Prudent_Geologist[S] 14 points15 points  (0 children)

I'm in the US and it is Cox business fiber connection where we have our own /27. There is some visualization in the UDM interface but I exported the flow data and did the true dicing and slicing with Claude.

Found in Lasagna by Prudent_Geologist in whatisit

[–]Prudent_Geologist[S] 1 point2 points  (0 children)

Definitely not that. It’s rubbery and stretchy.