OVH Community, your new community space.

Scans


edwards
13-06-2008, 14:39
I use nmap scanner for education purposes. You guys better block incoming, not outgoing.

Andy
12-06-2008, 23:45
Good morning,
We are in the process of significantly improving the detection of scans
from our network and to our network. We are currently redoing
the 1st part: the traffic analysis. We are looking
in the logs of our routers for the packets that are scans, attacks
or the behaviour of hacked servers. The 2nd part will be reviewed
just after: the detection with the probes in the network. We'll
reinforce the system with the number of probes and the depth
of the research of scans and attacks.

Currently, about 200-250 scans per day are detected with the present
system. We will be able to detect approximately 300-400 new scans
with the 1st part and 400-500 more with the 2nd part.

Here is an example of what is detected with the new software looking at
the router logs. Starting from tomorrow or Monday, the IPs will be blocked
automatically on our routers for 24 hours. If a scan comes from
servers hosted by OVH, the server will automatically be set to
rescue (as now) and an email sent to the server administrator
(as now).

Yours,
Octave


oles@ovh.net
12-06-2008, 23:44
Hello,


We are significantly improving the detection of the scans to and from our network. We are currently doing the 1st part again: traffic analysis. We are currently looking at the logs of our routers, the packets that are scans and the attacks or behaviour of hacked servers. The 2nd part will be reviewed just after: the detection with the probe in the network. We'll reinforce the system with a number of probes and in-depth research of scans and attacks.

We currently detect about 200-250 scans a day with the current system. We are going to detect about 300-400 new scans with the 1st part and 400-500 more with the 2nd part.

Here is an example of what we detect with the new software that looks at the logs of the routers. From Friday or Monday, the following IPs will be automatically blocked on our routers for 24 hours. If a scan comes from a server hosted at OVH, the server will be automatically set into rescue mode and an email will be sent to the administrator of the server (like now).


Regards,

Octave

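
The policy described in this thread (find scans in router traffic logs, block outside sources for 24 hours, put a hosted server into rescue mode and email its administrator), sketched as an added example that is not OVH's software. The flow-record layout, the 20-host/60-second threshold and the hosted prefix are assumptions, and every address is constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions, not from the thread: record layout, threshold, window, prefix.
HOSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # stand-in for "our network"
SCAN_THRESHOLD = 20               # distinct destination hosts on one port
WINDOW = timedelta(seconds=60)    # sliding window for the count
BLOCK_FOR = timedelta(hours=24)   # block duration stated in the announcement

def detect_scanners(flows):
    """flows: (time, src, dst, dport) tuples in time order -> {src: detection time}."""
    recent = defaultdict(list)    # (src, dport) -> [(time, dst), ...]
    hits = {}
    for ts, src, dst, dport in flows:
        bucket = recent[(src, dport)]
        bucket.append((ts, dst))
        while ts - bucket[0][0] > WINDOW:      # expire entries outside the window
            bucket.pop(0)
        if src not in hits and len({d for _, d in bucket}) >= SCAN_THRESHOLD:
            hits[src] = ts
    return hits

def decide(src, detected_at):
    """Hosted source -> rescue mode plus email; outside source -> 24-hour block."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in HOSTED_NETS):
        return {"action": "rescue_and_email"}
    return {"action": "block", "until": detected_at + BLOCK_FOR}

def sample_flows():
    """Constructed flow records; every address is from a documentation range."""
    t0 = datetime(2008, 6, 13)
    sec = lambda n: t0 + timedelta(seconds=n)
    flows = [(sec(i), "192.0.2.10", f"203.0.113.{i + 1}", 22) for i in range(25)]
    flows += [(sec(i), "203.0.113.77", f"198.51.100.{i + 1}", 445) for i in range(30)]
    # 25 hosts spread over four minutes: never 20 inside one window, not flagged
    flows += [(sec(10 * i), "192.0.2.30", f"203.0.113.{i + 1}", 80) for i in range(25)]
    return sorted(flows, key=lambda f: f[0])

def run():
    hits = detect_scanners(sample_flows())
    return {src: decide(src, ts) for src, ts in hits.items()}

if __name__ == "__main__":
    for src, verdict in run().items():
        print(src, verdict)
```

The block expiry is computed from the detection time, so a source that keeps scanning after the block lapses is caught again by the same count.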