
LIVE DDOS / Port scanning from 95.211.149.134

  • 23-05-2018 10:22pm
    #1
    Closed Accounts Posts: 3,362 ✭✭✭


    Hello,

    For the past few hours my IP address is being port-scanned from this IP address: 95.211.149.134

    Checked it, and it belongs to a Leaseweb company based in the Netherlands.

    I have rechecked my firewall, created a rule to discard any and all traffic originating from that IP host.
    Enabled "stealth mode" as it was disabled... hmm

    Still getting alerts via email...

    Powered off the equipment and hoped it would go away, but it is persistent...

    Did a test with Zenmap and it has some ports open, such as 22 and 111, but I don't want to go further yet...

    What else can I try? It could be someone very motivated, some automated scripts, or a virus/malware scanning the web.

    Any advice here, please!?

    Thanks


Comments

  • Closed Accounts Posts: 1,198 ✭✭✭testicles


    This post has been deleted.


  • Posts: 0 [Deleted User]


    rolion wrote: »
    Did a test with Zenmap and it has some ports open, such as 22 and 111, but I don't want to go further yet...

    Any advice here, please!?

    Thanks

    Be careful with probing remote IPs with tools; you might be breaking a law without even knowing it. A 'safer' way is to use a shady service like Shodan to find out more information about the services behind the IP.

    It's only one source IP, so it's not DDoS; the first D stands for Distributed. Have you captured the packets to see what exactly the requests are? Has it disrupted the service you're running behind your IP address?

    Is your firewall at the ingress point? Put the rule at the top of your rule base to drop all traffic from that IP address. Confirm the traffic is being dropped by checking the logs.

    Checking the IP it doesn't appear to be a 'known' advisory but there are some public posts where others have noted scanning from this IP so it doesn't sound 'targeted'.


  • Closed Accounts Posts: 3,362 ✭✭✭rolion


    Hi,

    There is probing from multiple IP addresses, scanning for random ports.

    I stopped doing the mapping and I added the rule to block incoming traffic, but I can't go IP by IP...
    Looks like I'm forced to request a new IP address range from the local broadband provider if that keeps going like this.

    Thanks !


  • Registered Users, Registered Users 2 Posts: 1,193 ✭✭✭liamo


    If you're on the Internet you're going to get scanned.

    If you've got publicly available services they will be probed.

    We see this all day every day. Eastern Europe, Asia, USA, devices in the AWS space, etc. They scan, they probe, they attempt to exploit known vulnerabilities. This is part and parcel of being on the Internet.

    If you change IP address (as per your suggestion) that IP address will get scanned and probed.

    If you can lock down availability of those services to specific source IP addresses, then you should do it.

    You should ensure that your O/S and applications are up to date with patches and are configured correctly.

    If possible, you should also monitor logs (perhaps automated) for unauthorised activity.


    rolion wrote: »
    Hi,

    There is probing from multiple IP addresses, scanning for random ports.

    I stopped doing the mapping and I added the rule to block incoming traffic, but I can't go IP by IP...
    Looks like I'm forced to request a new IP address range from the local broadband provider if that keeps going like this.

    Thanks !
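The two pieces of advice in this thread, confirm in the logs that the drop rule is actually matching, and watch the logs for scanning rather than blocking one IP at a time, can be automated. The following is an added example, not code from any poster: it assumes netfilter-style kernel LOG lines with a constructed `[DROP-BLOCKED]` prefix on the drop rule and uses constructed documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Linux netfilter LOG output (not
# real captures). A LOG rule placed just before the DROP rule produces lines
# like these; their presence is the evidence that the drop rule is matching.
SAMPLE_LOG = """\
May 23 22:10:01 gw kernel: [DROP-BLOCKED] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41022 DPT=22 SYN
May 23 22:10:02 gw kernel: [DROP-BLOCKED] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41023 DPT=111 SYN
May 23 22:10:03 gw kernel: [DROP-BLOCKED] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41024 DPT=3389 SYN
May 23 22:10:05 gw kernel: [INPUT-DEFAULT] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=80 SYN
May 23 22:10:06 gw kernel: [INPUT-DEFAULT] IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=443 SYN
May 23 22:10:09 gw kernel: [DROP-BLOCKED] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41025 DPT=8080 SYN
May 23 22:10:11 gw kernel: [DROP-BLOCKED] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=41026 DPT=53
"""

# Pull out the log prefix, source address, protocol and destination port.
LINE_RE = re.compile(
    r"\[(?P<prefix>[^\]]+)\].*?SRC=(?P<src>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

def parse_lines(text):
    """Yield (log_prefix, src_ip, proto, dst_port) for every line that matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["prefix"], m["src"], m["proto"], int(m["dpt"])

def ports_per_source(text):
    """Map each source IP to the set of distinct destination ports it touched."""
    seen = defaultdict(set)
    for _prefix, src, _proto, dpt in parse_lines(text):
        seen[src].add(dpt)
    return seen

def likely_scanners(text, min_ports=4):
    """Sources that probed at least min_ports distinct ports. 'Many ports from
    one source' is the simplest heuristic separating a scan from ordinary
    traffic to a service you actually run; tune min_ports to your exposure."""
    return sorted(src for src, ports in ports_per_source(text).items()
                  if len(ports) >= min_ports)

def drop_hits(text, src_ip, prefix="DROP-BLOCKED"):
    """Count lines emitted by the drop rule's LOG target for src_ip. Zero hits
    while the source is still visible elsewhere means the rule is not matching
    (wrong position in the rule base, wrong interface, or wrong address)."""
    return sum(1 for p, src, _proto, _dpt in parse_lines(text)
               if p == prefix and src == src_ip)
```

Run `likely_scanners` over a day of logs to see which sources are sweeping ports, and `drop_hits` for each blocked address to check that the rule is positioned where it actually sees the traffic.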


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    Normal IBR, OP posts "LIVE DDOS".


