Is something happening?

Hi guys, for a couple of days I have been looking at the Firewall logs, Country attacks.


I observed that the Netherlands has a lot of attacks, more than even Russia and China!
What is happening there? Any thoughts?

Also, I observe that

The increased number of connections from NL began at the end of February/beginning of March 2022. (on my IPFires)

Most of the connections come from the IP address 89.248.165.249

WHOIS results from whois.ripe.net

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '89.248.165.0 - 89.248.165.255'

% Abuse contact for '89.248.165.0 - 89.248.165.255' is 'abuse@recyber.net'

inetnum: 89.248.165.0 - 89.248.165.255
netname: NET-2-165
descr: RECYBER PROJECT NETBLOCK
remarks: +----------------------------------------------
remarks: | This net-block is not trying to hack you, we are only scanning
remarks: | for LEGIT purposes ONLY. This scanning is done by multiple
remarks: | security organizations.
remarks: | Please use The Recyber Project
remarks: | to have your ip-address and/or netblock/as number white-listed
remarks: | and excluded from this project.
remarks: | If you have any further questions please contact admin@recyber.net
remarks: +----------------------------------------------
country: NL
org: ORG-IVI1-RIPE
geoloc: 52.370216 4.895168
admin-c: RR13369-RIPE
abuse-c: RR13369-RIPE
tech-c: RR13369-RIPE
status: ASSIGNED PA
mnt-by: IPV
mnt-lower: IPV
mnt-routes: IPV
created: 2019-02-03T20:52:14Z
last-modified: 2021-11-29T16:03:44Z
source: RIPE

organisation: ORG-IVI1-RIPE
org-name: IP Volume inc
org-type: OTHER
address: Suite 9
address: Victoria, Mahe
address: Seychelles
abuse-c: IVNO1-RIPE
mnt-ref: IPV
mnt-by: IPV
created: 2018-05-14T11:46:50Z
last-modified: 2019-01-31T14:39:36Z
source: RIPE # Filtered

role: RECYBER ROLE
address: 35 Firs Avenue, London, England, N11 3NE
abuse-mailbox: abuse@recyber.net
nic-hdl: RR13369-RIPE
mnt-by: IPV
created: 2021-01-27T15:12:59Z
last-modified: 2021-01-27T15:12:59Z
source: RIPE # Filtered

% Information related to '89.248.165.0/24AS202425'

route: 89.248.165.0/24
origin: AS202425
remarks: +----------------------------------------------
remarks: | For abuse e-mail abuse@ipvolume.net
remarks: | We do not always reply to abuse.
remarks: | But we do take care your report is dealt with!
remarks: +----------------------------------------------
mnt-by: IPV
created: 2019-02-08T15:42:07Z
last-modified: 2019-02-08T15:42:07Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.103 (WAGYU)

Below is a thread I found about recyber:

1 Like

Hi,

ah, AS202425 is at work again.

It belongs to a known Dutch bulletproof ISP also known as “Ecatel”, “Quasi Networks”, “Novogara” and a few other names. They have been around for more than 20 years by now. See this newspaper article (accessible without JavaScript :wink: ) for some more details on them.

All networks operated or routed by this bulletproof ISP are covered by the “drop hostile” feature. One certainly does not want to process connections from and to that network (and might wonder why Dutch authorities do not take that provider down :frowning: ).

Thanks, and best regards,
Peter Müller

5 Likes
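The observation earlier in the thread, that most NL connections come from one address inside 89.248.165.0/24, can be checked by grouping firewall log sources by netblock instead of by country. This is an added example, not code from the thread or from IPFire; the log lines are constructed, and the `DROP_INPUT` prefix, `red0` interface and every address other than 89.248.165.249 are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the netfilter LOG layout (SRC=, DST=, DPT= fields).
# Only 89.248.165.249 comes from the thread; the rest are made-up test values.
SAMPLE_LOG = "\n".join(
    ["kernel: DROP_INPUT IN=red0 OUT= SRC=89.248.165.249 DST=192.0.2.10 PROTO=TCP DPT=23"] * 5
    + [
        "kernel: DROP_INPUT IN=red0 OUT= SRC=89.248.165.17 DST=192.0.2.10 PROTO=TCP DPT=8080",
        "kernel: DROP_INPUT IN=red0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP DPT=53",
        "kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22",
        "kernel: DROP_INPUT IN=red0 OUT= SRC=999.1.1.1 DST=192.0.2.10 PROTO=TCP DPT=22",
        "kernel: unrelated message without a source field",
    ]
)

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def sources(log_text):
    """Yield every valid IPv4 source address found in the log text."""
    for line in log_text.splitlines():
        match = SRC_RE.search(line)
        if not match:
            continue
        try:
            yield ipaddress.IPv4Address(match.group(1))
        except ipaddress.AddressValueError:
            continue  # corrupted line such as SRC=999.1.1.1


def top_netblocks(log_text, prefix_len=24, n=3):
    """Return [(network, hits, share_of_all_hits)] for the busiest source networks."""
    counts = Counter(
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        for ip in sources(log_text)
    )
    total = sum(counts.values())
    if total == 0:
        return []
    return [(str(net), hits, round(hits / total, 2)) for net, hits in counts.most_common(n)]


def hits_in(log_text, cidr):
    """Count log entries whose source lies inside one netblock, e.g. a WHOIS route."""
    net = ipaddress.ip_network(cidr)
    return sum(1 for ip in sources(log_text) if ip in net)


if __name__ == "__main__":
    for net, hits, share in top_netblocks(SAMPLE_LOG):
        print(f"{net:20} {hits:4} hits  {share:.0%}")
```

When one /24 accounts for most of a country's total, the per-country chart is reflecting a single scanner network rather than broad activity from that country.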