Something it's happening?

Hi guys, for couple days I look at Firewall logs, Country attacks.

I observed that Netherland has a lot of attacks, more than even Russia and China!
What is happening there? Any thoughts ?

Also, I observe that

The increased number of connections from NL began at the end of February/beginning of March 2022. (on my IPFires)

Most of the connections come from the IP address

WHOIS results from

% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See

% Note: this output has been filtered.
% To receive output for a database update, use the “-B” flag.

% Information related to ‘ -’

% Abuse contact for ‘ -’ is ‘’

inetnum: -
netname: NET-2-165
remarks: ±----------------------------------------------
remarks: | This net-block is not trying to hack you, we are only scanning
remarks: | for LEGIT purposes ONLY. This scanning is done by multiple
remarks: | security organizations.
remarks: | Please use The Recyber Project
remarks: | to have your ip-address and/or netblock/as number white-listed
remarks: | and excluded from this project.
remarks: | If you have any further questions please contact
remarks: ±----------------------------------------------
country: NL
geoloc: 52.370216 4.895168
admin-c: RR13369-RIPE
abuse-c: RR13369-RIPE
tech-c: RR13369-RIPE
mnt-by: IPV
mnt-lower: IPV
mnt-routes: IPV
created: 2019-02-03T20:52:14Z
last-modified: 2021-11-29T16:03:44Z
source: RIPE

organisation: ORG-IVI1-RIPE
org-name: IP Volume inc
org-type: OTHER
address: Suite 9
address: Victoria, Mahe
address: Seychelles
abuse-c: IVNO1-RIPE
mnt-ref: IPV
mnt-by: IPV
created: 2018-05-14T11:46:50Z
last-modified: 2019-01-31T14:39:36Z
source: RIPE # Filtered

address: 35 Firs Avenue, London, England, N11 3NE
nic-hdl: RR13369-RIPE
mnt-by: IPV
created: 2021-01-27T15:12:59Z
last-modified: 2021-01-27T15:12:59Z
source: RIPE # Filtered

% Information related to ‘’

origin: AS202425
remarks: ±----------------------------------------------
remarks: | For abuse e-mail
remarks: | We do not always reply to abuse.
remarks: | But we do take care your report is dealt with!
remarks: ±----------------------------------------------
mnt-by: IPV
created: 2019-02-08T15:42:07Z
last-modified: 2019-02-08T15:42:07Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.103 (WAGYU)

Below is a found thread about recyber:

1 Like


ah, AS202425 is at work again.

It belongs to a known Dutch bulletproof ISP also known as “Ecatel”, “Quasi Networks”, “Novogara” and a few other names. They have been around for more than 20 years by now. See this newspaper article (accessible without JavaScript :wink: ) for some more details on them.

All networks operated or routed by this bulletproof ISP are covered by the “drop hostile” feature. One certainly does not want to process connections from and to that network (and might wonder why Dutch authorities do not take that provider down :frowning: ).

Thanks, and best regards,
Peter Müller