Here is your weekly list of top offenders for your own security reading pleasure.
Big change this week, with Google EU West taking the top spot and Techoff SRV Limited, everyone's favorite Andorra-based bulletproof hosting provider (despite its company registration listing it as UK- and/or Netherlands-based, depending on how it is examined), taking the number 2 spot. Techoff is also the source of a number of the largest surges against the firewall this week.

Cloudflare Warp is still a major source of attacks; it is the single source of attackers hiding behind VPN/proxy services in this ASN.
This week was much quieter for surge events, with most of them originating from ASNs and CIDR blocks that already exist in the Hyperscaler or Block ASN/CIDR rule lists. Multi-IP surges originated entirely from the Hyperscalers, while the Block ASN/CIDR surges came from only a small number of IPs.


A note on the difference between the firewall rulesets. The Block ASN/CIDR rulesets do exactly as advertised: they completely block the traffic that reaches them. The Hyperscaler ruleset is rate-limiting and only starts to DROP traffic once the connection or request rate from a source becomes aggressive.
There is also a separate set of rate limiting for Azure, as Microsoft doesn't seem to have as much control over bad actors as the other Hyperscalers do.
The current rulesets are:
shield_allow → ACCEPT
shield_abuseipdb → DROP
shield_penalty → DROP
shield_azure → AZURE-RATELIMIT (3/min per IP)
shield_hyperscaler → CLOUD-RATELIMIT (10/min per /24)
shield_block → DROP
As with everything, the ordering is important. For example, if there is a really aggressive AS8075 (Microsoft) IP that has been flagged by AbuseIPDB to the extent that it appears in the top 10K list that they provide, it is dropped by shield_abuseipdb before it ever reaches the Azure rate limit. If I have found an aggressive IP that appears in none of the lists, I can add it (or the appropriate CIDR block) to the Penalty Box ruleset for a set period of time to discourage that traffic.
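To make the ordering and the two rate limiters concrete, here is a small model of the chain above that I am adding as an example; it is not the firewall configuration behind these weekly reports, and the prefixes it uses are constructed stand-ins (RFC 5737 documentation ranges for the allow, block and penalty lists, and 20.0.0.0/8 and 34.0.0.0/8 standing in for Azure and Google space). The limiters are a sliding one-minute window rather than the token bucket a real firewall uses, so exact counts will differ slightly from a live system, but the order of evaluation, the per-IP versus per-/24 keying and the timed penalty box behave as described.

```python
"""Model of the ordered 'shield' chain: the first ruleset that matches decides.

Added example, not the author's firewall config. All prefixes below are
constructed sample data.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque

Net = ipaddress.IPv4Network

# Constructed sample lists (stand-ins, not real feed contents).
ALLOW = {Net("203.0.113.0/24")}        # trusted monitoring range
ABUSEIPDB = {Net("20.0.0.7/32")}       # hypothetical AbuseIPDB top-10K entry inside "Azure"
AZURE = {Net("20.0.0.0/8")}            # stand-in for AS8075 address space
HYPERSCALER = {Net("34.0.0.0/8")}      # stand-in for Google/AWS address space
BLOCK = {Net("198.51.100.0/24")}       # Block ASN/CIDR list


def in_sets(ip: ipaddress.IPv4Address, nets: set[Net]) -> bool:
    """True if ip falls inside any network in nets (like an ipset/nft set lookup)."""
    return any(ip in n for n in nets)


class RateLimiter:
    """Sliding-window counter keyed by IP (prefix=32) or by /24 (prefix=24).

    Models the 'only drop once it gets aggressive' behaviour of the
    Hyperscaler and Azure rulesets. `now` is passed in as seconds so the
    model is deterministic and testable.
    """

    def __init__(self, limit: int, prefix: int, window: float = 60.0) -> None:
        self.limit, self.prefix, self.window = limit, prefix, window
        self.hits: dict[Net, deque[float]] = defaultdict(deque)

    def key(self, ip: ipaddress.IPv4Address) -> Net:
        return ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False)

    def allow(self, ip: ipaddress.IPv4Address, now: float) -> bool:
        q = self.hits[self.key(ip)]
        while q and now - q[0] >= self.window:   # expire old hits
            q.popleft()
        if len(q) >= self.limit:
            return False                          # over limit -> DROP
        q.append(now)
        return True


class Shield:
    """Evaluates a source address against the rulesets in listed order."""

    def __init__(self) -> None:
        self.penalty: dict[Net, float] = {}       # network -> expiry time
        self.azure = RateLimiter(limit=3, prefix=32)       # 3/min per IP
        self.cloud = RateLimiter(limit=10, prefix=24)      # 10/min per /24

    def penalise(self, cidr: str, seconds: float, now: float) -> None:
        """Add an IP or CIDR to the Penalty Box for a set period."""
        self.penalty[Net(cidr)] = now + seconds

    def verdict(self, addr: str, now: float) -> tuple[str, str]:
        ip = ipaddress.ip_address(addr)
        if in_sets(ip, ALLOW):
            return ("shield_allow", "ACCEPT")
        if in_sets(ip, ABUSEIPDB):
            return ("shield_abuseipdb", "DROP")
        live = {n for n, exp in self.penalty.items() if exp > now}
        if in_sets(ip, live):
            return ("shield_penalty", "DROP")
        if in_sets(ip, AZURE):
            return ("shield_azure", "ACCEPT" if self.azure.allow(ip, now) else "DROP")
        if in_sets(ip, HYPERSCALER):
            return ("shield_hyperscaler", "ACCEPT" if self.cloud.allow(ip, now) else "DROP")
        if in_sets(ip, BLOCK):
            return ("shield_block", "DROP")
        return ("default", "ACCEPT")


if __name__ == "__main__":
    s = Shield()
    # The listed Azure IP never reaches the Azure limiter: abuseipdb wins first.
    print(s.verdict("20.0.0.7", 0))
    # An unlisted Azure IP gets 3 connections a minute, then is dropped.
    print([s.verdict("20.1.2.3", t)[1] for t in range(5)])
    # Eleven different IPs in one Google /24 share a single 10/min budget.
    print([s.verdict(f"34.5.6.{i}", 10)[1] for i in range(1, 12)])
```

The point the model makes is that membership tests are cheap and decisive, while the two limiters only bite on sustained rate, so anything you want stopped unconditionally (AbuseIPDB hits, the penalty box, the Block list) has to sit above them in the chain.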
Another week of interesting learning around what is and isn't traffic worth completely blocking. Learning that not all traffic can be blocked is one of the twelve steps of learning to exist within the modern internet.
As a final note, the Spamhaus list of offensive IPv4 addresses (available here) was added as yet another data source that is automatically pulled into the firewall rules on a daily basis. I will try to provide a sense of how effective this ruleset is next week.