• Mirai/Ecchi/Xc311/etc

    From Misfit@VERT to All on Sat Oct 22 19:43:54 2016
    Everyone notice how active their logs have recently become by bots trying to gain access as per subject? These are IoT devices that push a lot of bandwidth (PVRs and such) that are being used for DDoS.

    Curious as to the origin in others' logs as about 90 percent of the origin in mine is .ru .. About to iptable Russia off.

    ---
    ■ Synchronet ■ Emeraldhill BBS - telnet://bbs.emeraldhill.org - http://bbs.emeraldhill.org:8080
  • From Hemo@VERT to Misfit on Sun Oct 23 10:46:29 2016
    Re: Mirai/Ecchi/Xc311/etc
    By: Misfit to All on Sat Oct 22 2016 07:43 pm


    Everyone notice how active their logs have recently become by bots trying to gain access as per subject? These are IoT devices that push a lot of bandwidth (PVRs and such) that are being used for DDoS.

    Curious as to the origin in others' logs as about 90 percent of the origin in mine is .ru .. About to iptable Russia off.

    define 'recently'... my system has had this pattern for multiple months now. So much so that I can measure increases in use of system resources on the firewall/ipfilter.

    It got to a point where I modified scripts to auto blacklist at the presence of the word or attempted login with a blacklisted name. Blacklisted IP's don't get through to the BBS any longer.

    since August 28, I've logged the number of blocked ip from reversible addresses:
    ru 119
    ar 108
    fr 39
    br 591
    co 82
    ro 59
    in 98
    cn 49
    tr 165
    gt 7
    vn 187
    mx 97
    it 45
    cl 30
    th 31
    mk 2
    py 20
    sk 2
    chinamobile 1
    non-reversable IP: 2390

    Majority of mine come from Brazil..

    I may spend more time on my script to do some lookup on the <no name> ip addresses so I can see what group they belong to..

    ... The truest wild beasts live in the most populous places.

    ---
    ■ Synchronet ■ - Running madly into the wind and screaming - bbs.ujoint.org
  • From Mro@VERT to Misfit on Sun Oct 23 20:39:20 2016
    Re: Mirai/Ecchi/Xc311/etc
    By: Misfit to All on Sat Oct 22 2016 07:43 pm

    Everyone notice how active their logs have recently become by bots trying to gain access as per subject? These are IoT devices that push a lot of bandwidth (PVRs and such) that are being used for DDoS.

    Curious as to the origin in others' logs as about 90 percent of the origin in mine is .ru .. About to iptable Russia off.





    my domains are about 10 years old and i have noticed any huge increase.
    ---
  • From Mro@VERT to Hemo on Sun Oct 23 20:40:06 2016
    Re: Mirai/Ecchi/Xc311/etc
    By: Hemo to Misfit on Sun Oct 23 2016 10:46 am

    Majority of mine come from Brazil..


    i have been getting some lately from brazil.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From Mro@VERT to Misfit on Mon Oct 24 16:45:45 2016
    Re: Mirai/Ecchi/Xc311/etc
    By: Mro to Misfit on Sun Oct 23 2016 08:39 pm

    By: Misfit to All on Sat Oct 22 2016 07:43 pm

    Everyone notice how active their logs have recently become by bots trying to gain access as per subject? These are IoT devices that push a lot of bandwidth (PVRs and such) that are being used for DDoS.

    Curious as to the origin in others' logs as about 90 percent of the origin in mine is .ru .. About to iptable Russia off.





    my domains are about 10 years old and i have noticed any huge increase.




    i meant to say havent. but i dont pay much attention.
    now i see stuff once in a while but it isnt crippling my system. and i dont know if it's more than usual because i dont know if i'm being tainted by people talking about it.
    ---
    ■ Synchronet ■ ::: BBSES.info - free BBS services :::
  • From nolageek@VERT to Misfit on Tue Oct 25 00:24:55 2016
    Re: Mirai/Ecchi/Xc311/etc
    By: Misfit to All on Sat Oct 22 2016 07:43 pm

    Everyone notice how active their logs have recently become by bots trying to gain access as per subject? These are IoT devices that push a lot of bandwidth (PVRs and such) that are being used for DDoS.
    Curious as to the origin in others' logs as about 90 percent of the origin in mine is .ru .. About to iptable Russia off.

    If you're running synchronet you can add the following to text\host.can and it will block connections from hosts that resolve back to .ru:

    *.ru

    I also have the following in mine, since I was getting a lot of nasty connections from these TLDs:

    *.tr
    *.br
    *.ru
    *.cn
    *.cz
    *.ro
    *.tw
    *.ua
    *.vn
    *.fr
    *.ar
    *.cl
    *kyivstar.net

    -nolageek

    ---
    ■ Synchronet ■ Capitol Shrill BBS - Washington, DC - capitolshrill.com
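
An added example, not part of any post in this thread: a Python sketch of the per-TLD tally Hemo describes and of the suffix patterns in nolageek's host.can list, run over constructed connections. It assumes host.can entries behave like case-insensitive globs (an approximation, not Synchronet's own matcher); the IPs and hostnames are made up.

```python
from collections import Counter
from fnmatch import fnmatchcase

# A subset of the host.can patterns quoted in the post above.
HOST_CAN = ["*.ru", "*.br", "*.vn", "*kyivstar.net"]

# Constructed sample: (source IP, reverse-DNS name, or None when no PTR exists).
# IPs come from documentation ranges; hostnames are invented for illustration.
SAMPLE = [
    ("192.0.2.10", "dsl-10.example-isp.ru"),
    ("192.0.2.11", "host11.example.com.br"),
    ("198.51.100.7", "static.example.vn"),
    ("198.51.100.8", None),
    ("203.0.113.5", "pool-5.kyivstar.net"),
    ("203.0.113.6", "cpe-6.example.net"),
    ("203.0.113.7", None),
]

def tld_of(hostname):
    """Last DNS label, lower-cased; 'non-reversible' when there is no name."""
    if not hostname:
        return "non-reversible"
    return hostname.rstrip(".").rsplit(".", 1)[-1].lower()

def is_blocked(hostname, patterns=HOST_CAN):
    """True if the reverse name matches any pattern (assumed glob semantics)."""
    if not hostname:
        return False  # no name to match: a hostname filter cannot see this peer
    name = hostname.rstrip(".").lower()
    return any(fnmatchcase(name, p.lower()) for p in patterns)

def summarize(connections, patterns=HOST_CAN):
    """Tally connections per TLD and split source IPs into blocked / passed."""
    per_tld = Counter(tld_of(host) for _, host in connections)
    blocked = [ip for ip, host in connections if is_blocked(host, patterns)]
    passed = [ip for ip, host in connections if not is_blocked(host, patterns)]
    return per_tld, blocked, passed

if __name__ == "__main__":
    per_tld, blocked, passed = summarize(SAMPLE)
    for tld, count in per_tld.most_common():
        print(tld, count)
    print("blocked:", blocked)
    print("passed: ", passed)
```

In the sample the two peers without a PTR record pass the filter; they fall in the same category as the 2390 non-reversible addresses counted earlier in the thread.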
  • From Nighthawk@VERT to Hemo on Sat Nov 12 21:56:00 2016
    Hemo wrote to Misfit <=-

    Majority of mine come from Brazil..

    I may spend more time on my script to do some lookup on the <no name>
    ip addresses so I can see what group they belong to..

    This is really sad that the people from my country are doing this.

    They could use their abilities for something more interesting... I have the
    same problem here, blocked most of offending countries but I can't block Brazil... :(

    ---
    .-----________________--_ ________.--'-`--.____ Hugs from Flavio Bessa \____==================_) \_'===================' Syzo of Saturn's Orbit
    - -|__|-.______|=====/ `---' Netmail 4:801/189.1
    Live long ` ù._ _ _ _~~~~~| fcbessa@gmail.com
    and prosper... `-.__________,' Always UnionNET Addicted!


    ... UNIONNET ADDICTED! -RR-
    --- MultiMail/Darwin v0.49
    ■ Synchronet ■ Ninho do Abutre 2 BBS - Rio de Janeiro, Brazil