Is something happening? Lots of attacks from NL

Hi guys, for a couple of days I have been looking at the firewall logs, country attacks.


I observed that the Netherlands has a lot of attacks, even more than Russia and China!
What is happening there? Any thoughts?

Also, I observe that the increased number of connections from NL began at the end of February/beginning of March 2022 (on my IPFires).

Most of the connections come from the IP address 89.248.165.249

WHOIS results from whois.ripe.net

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '89.248.165.0 - 89.248.165.255'

% Abuse contact for '89.248.165.0 - 89.248.165.255' is 'abuse@recyber.net'

inetnum: 89.248.165.0 - 89.248.165.255
netname: NET-2-165
descr: RECYBER PROJECT NETBLOCK
remarks: +-----------------------------------------------
remarks: | This net-block is not trying to hack you, we are only scanning
remarks: | for LEGIT purposes ONLY. This scanning is done by multiple
remarks: | security organizations.
remarks: | Please use The Recyber Project
remarks: | to have your ip-address and/or netblock/as number white-listed
remarks: | and excluded from this project.
remarks: | If you have any further questions please contact admin@recyber.net
remarks: +-----------------------------------------------
country: NL
org: ORG-IVI1-RIPE
geoloc: 52.370216 4.895168
admin-c: RR13369-RIPE
abuse-c: RR13369-RIPE
tech-c: RR13369-RIPE
status: ASSIGNED PA
mnt-by: IPV
mnt-lower: IPV
mnt-routes: IPV
created: 2019-02-03T20:52:14Z
last-modified: 2021-11-29T16:03:44Z
source: RIPE

organisation: ORG-IVI1-RIPE
org-name: IP Volume inc
org-type: OTHER
address: Suite 9
address: Victoria, Mahe
address: Seychelles
abuse-c: IVNO1-RIPE
mnt-ref: IPV
mnt-by: IPV
created: 2018-05-14T11:46:50Z
last-modified: 2019-01-31T14:39:36Z
source: RIPE # Filtered

role: RECYBER ROLE
address: 35 Firs Avenue, London, England, N11 3NE
abuse-mailbox: abuse@recyber.net
nic-hdl: RR13369-RIPE
mnt-by: IPV
created: 2021-01-27T15:12:59Z
last-modified: 2021-01-27T15:12:59Z
source: RIPE # Filtered

% Information related to '89.248.165.0/24AS202425'

route: 89.248.165.0/24
origin: AS202425
remarks: +-----------------------------------------------
remarks: | For abuse e-mail abuse@ipvolume.net
remarks: | We do not always reply to abuse.
remarks: | But we do take care your report is dealt with!
remarks: +-----------------------------------------------
mnt-by: IPV
created: 2019-02-08T15:42:07Z
last-modified: 2019-02-08T15:42:07Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.103 (WAGYU)

Below is a thread I found about Recyber:

1 Like

Hi,

ah, AS202425 is at work again.

It belongs to a known Dutch bulletproof ISP also known as “Ecatel”, “Quasi Networks”, “Novogara” and a few other names. They have been around for more than 20 years by now. See this newspaper article (accessible without JavaScript :wink: ) for some more details on them.

All networks operated or routed by this bulletproof ISP are covered by the “drop hostile” feature. One certainly does not want to process connections from and to that network (and might wonder why Dutch authorities do not take that provider down :frowning: ).

Thanks, and best regards,
Peter Müller

8 Likes

There is something wrong for sure. I always receive attacks from 89.248.165.249 no matter what I do. I changed my public IP many times. I installed IPFire from scratch. As soon as the firewall is up, 89.248.165.249 is the first address in the log. As if something in IPFire is sending my public IP to the attacker 89.248.165.249. I even disabled ICMP ping on the RED interface. Also I did a test with an isolated IPFire and it is always the same.

You can use the Whois IP tool built into IPFire.

Whois IP 89.248.165.249
Updated 1 second ago

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '89.248.165.0 - 89.248.165.255'

% Abuse contact for '89.248.165.0 - 89.248.165.255' is 'email@recyber.net'

inetnum:        89.248.165.0 - 89.248.165.255
netname:        NET-2-165
descr:          RECYBER PROJECT NETBLOCK
remarks:        +-----------------------------------------------
remarks:        | This net-block is not trying to hack you, we are only scanning
remarks:        | for LEGIT purposes ONLY. This scanning is done by multiple
remarks:        | security organizations.
remarks:        | Please use https://www.recyber.net/opt-out
remarks:        | to have your ip-address and/or netblock/as number white-listed
remarks:        | and excluded from this project.
remarks:        | If you have any further questions please contact email@recyber.net
remarks:        +-----------------------------------------------
country:        NL
org:            ORG-IVI1-RIPE
geoloc:         52.370216 4.895168
admin-c:        RR13369-RIPE
abuse-c:        RR13369-RIPE
tech-c:         RR13369-RIPE
status:         ASSIGNED PA
mnt-by:         IPV
mnt-lower:      IPV
mnt-routes:     IPV
created:        2019-02-03T20:52:14Z
last-modified:  2021-11-29T16:03:44Z
source:         RIPE

organisation:   ORG-IVI1-RIPE
org-name:       IP Volume inc
org-type:       OTHER
address:        Suite 9
address:        Victoria, Mahe
address:        Seychelles
abuse-c:        IVNO1-RIPE
mnt-ref:        IPV
mnt-by:         IPV
created:        2018-05-14T11:46:50Z
last-modified:  2019-01-31T14:39:36Z
source:         RIPE # Filtered

role:           RECYBER ROLE
address:        35 Firs Avenue, London, England, N11 3NE
abuse-mailbox:  email@recyber.net
nic-hdl:        RR13369-RIPE
mnt-by:         IPV
created:        2021-01-27T15:12:59Z
last-modified:  2021-01-27T15:12:59Z
source:         RIPE # Filtered

% Information related to '89.248.165.0/24AS202425'

route:          89.248.165.0/24
origin:         AS202425
remarks:        +-----------------------------------------------
remarks:        | For abuse e-mail email@ipvolume.net
remarks:        | We do not always reply to abuse.
remarks:        | But we do take care your report is dealt with!
remarks:        +-----------------------------------------------
mnt-by:         IPV
created:        2019-02-08T15:42:07Z
last-modified:  2019-02-08T15:42:07Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.103 (ANGUS)

Make a firewall rule to block them.
Or use libloc. To block by country.
Exactly why I started to block “NL”

Thanks for the suggestion, but I already did everything you said :slight_smile:

Hallo @hgsysit

Welcome to the IPFire community.

The internet is a hostile place these days so you will find lots of bad actors scanning your system. However, the default IPFire settings will stop anything getting into your network unless you have deliberately created a firewall rule to allow that IP access. The messages you are seeing in the logs should all be DROP messages.

If you have not turned on the Drop Hostile option under Firewall - Firewall Options then I would recommend doing so. This ensures that if there is something in your LAN network that is trying to call one of these hostile networks because some malware has found a way in, it will be stopped, as Drop Hostile stops any traffic in or out to those hostile networks.

4 Likes

Hi,

AS202425 and its neighbors are very frequently found to host machines that are aggressively scanning and conducting brute-force login attempts on a mass scale. Sometimes, they claim such activity is part of legitimate security research work (example), but the respective organizations seem dodgy at best, and rebrand frequently.

This time, it apparently is “Recyber” - “35 Firs Avenue” in London is, by the way, a virtual office address hosting shell corporations galore. I doubt any of the Recyber folks has ever visited this place… :slight_smile:

This is exactly why we came up with the “drop hostile” feature: Putting reputations to countries is sort of a non-optimal approach, as there are countries (such as US) which cannot be blocked entirely, but also host hostile (i.e. bulletproof and cybercrime) networks.

Thanks, and best regards,
Peter Müller

4 Likes

Now I have also had these scans, but I tried the opt-out option; let's have a look in 24h whether anything changes.

For me those are DROP_INPUT and not DROP_HOSTILE messages in the firewall log.

Hi,

presuming that you have “drop hostile” enabled, that’s odd.

  • What is the output of location version on your IPFire machine?
  • Which source IP addresses do the scans originate from?
  • Which Core Update are you running on?

Thanks, and best regards,
Peter Müller

Please forget it, I looked in the wrong tab. I have two IPs which scanned my network, one from the Netherlands and one from India, but the Recyber one is DROP_HOSTILE and the India IP has DROP_INPUT. My fault.

1 Like
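As an added example (not code from this thread or from the IPFire project), the following Python script does offline what the posts above do by hand: it parses netfilter-style firewall log lines carrying IPFire's DROP_INPUT / DROP_HOSTILE prefixes, counts hits per chain and per source address, records the destination ports each source probed, and flags any source inside the Recyber netblock from the WHOIS record that was logged as DROP_INPUT rather than DROP_HOSTILE. That last check is the discrepancy the poster above thought they were seeing; it is what you would expect if Drop Hostile were off or the location database did not yet contain the block, which is why the earlier reply asked for the location database version and Core Update. The sample log lines, the exact syslog framing, and the netblock label are constructed assumptions; the 89.248.165.0/24 prefix is the one from the WHOIS output in this thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Netblocks to treat as hostile. The /24 is the Recyber block from the WHOIS
# output quoted in the thread. A real deployment would consult the list that
# IPFire's Drop Hostile feature derives from libloc rather than hard-code it
# (assumption: hard-coded here only so the example runs offline).
HOSTILE_NETBLOCKS = {
    "89.248.165.0/24": "AS202425 IP Volume inc (Recyber)",
}
_NETS = [(ipaddress.ip_network(cidr), label) for cidr, label in HOSTILE_NETBLOCKS.items()]

# IPFire logs dropped packets through netfilter with a chain-specific prefix
# such as DROP_INPUT or DROP_HOSTILE (both appear in the thread). The field
# layout is the standard netfilter LOG format; the syslog framing before
# "kernel:" is an assumption.
LINE_RE = re.compile(
    r"kernel:\s+(?P<chain>DROP_[A-Z_]+)\s+IN=(?P<iface>\S*)\s.*?"
    r"SRC=(?P<src>[0-9a-fA-F.:]+)\s.*?PROTO=(?P<proto>\w+)"
    r"(?:.*?DPT=(?P<dpt>\d+))?"
)

# Constructed sample log (not real traffic): two DROP_HOSTILE hits from the
# Recyber address in the thread, two DROP_INPUT hits from an unrelated scanner
# (documentation address 198.51.100.77), and one Recyber-block address that
# was logged as DROP_INPUT instead of DROP_HOSTILE.
SAMPLE_LOG = """\
Mar  3 10:12:01 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=89.248.165.249 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54321 PROTO=TCP SPT=47123 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:12:02 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=89.248.165.249 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=54322 PROTO=TCP SPT=47124 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:12:05 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=11 PROTO=TCP SPT=51000 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:12:07 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=12 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:12:09 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=89.248.165.250 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=777 PROTO=TCP SPT=40000 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return a dict with chain, iface, src (ip_address), proto, dpt (int or None),
    or None when the line is not a netfilter DROP_* log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def hostile_label(ip):
    """Label of the hostile netblock containing ip, or None. This is netblock
    based, like Drop Hostile, rather than country based like the libloc
    country block: an address is judged by who routes it, not where it sits."""
    for net, label in _NETS:
        if ip in net:
            return label
    return None


def summarize(log_text):
    per_chain = Counter()
    per_src = Counter()
    ports = defaultdict(set)
    misfiled = []  # hostile-netblock sources that landed in a chain other than DROP_HOSTILE
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = str(rec["src"])
        per_chain[rec["chain"]] += 1
        per_src[src] += 1
        if rec["dpt"] is not None:
            ports[src].add(rec["dpt"])
        label = hostile_label(rec["src"])
        if label and rec["chain"] != "DROP_HOSTILE":
            misfiled.append((src, rec["chain"], label))
    return {
        "per_chain": dict(per_chain),
        "per_src": dict(per_src),
        "ports": {src: sorted(p) for src, p in ports.items()},
        "misfiled": misfiled,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("hits per chain:", report["per_chain"])
    for src, n in sorted(report["per_src"].items(), key=lambda kv: -kv[1]):
        tag = hostile_label(ipaddress.ip_address(src)) or "-"
        print(f"{src:16} {n:4} hits  ports={report['ports'].get(src, [])}  netblock={tag}")
    for src, chain, label in report["misfiled"]:
        print(f"WARNING: {src} ({label}) logged as {chain}, expected DROP_HOSTILE;"
              " check that Drop Hostile is enabled and the location database is current")
```

Run it against /var/log/messages (or the exported firewall log) instead of SAMPLE_LOG to get the per-source counts the thread discusses; a source that keeps reappearing in DROP_INPUT while its netblock is on the hostile list is the signal to look at the Drop Hostile setting and the location database version rather than at the source itself.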

Update: Until now I have had no more scans from www.recyber[DOT]net. So it seems to be useful to sign up for the opt-out, even if you have to enter a mail address.
There are other NL IPs from IPVolume in the log, but they are not so massive and apparently not from www.recyber[DOT]net.

1 Like

Yes, I was recently getting hammered with 10-20k packets per day from a single one of their IPs, and suddenly after 4 days it stopped.

I think they just scan a range of IPs, so even if you change your public IP (RED) they will "find you" again.

Keep us posted how the opt-out worked.

1 Like

I think today is the first time when the number of IPs from RU in the firewall log surpassed the ones from NL.
Tight race :cowboy_hat_face:

Maybe the opt out worked?