1

Currently there is some weird traffic on an HTTP server from lots of different IPs. I tried checking against known TOR exit nodes, but there were no matches.

They tend to be from countries in South America and Africa. However, none of the IPs are the same. So I'm not sure how the attacker is able to use so many different IPs, each IP only one time.

Does anyone know how an attacker might be able to get "single use IPs"? Perhaps they are from some sort of rented botnet? If so, is there an easy way I can check these IPs against a list of known threat IPs?

Any help would be greatly appreciated.

A X
  • It's most probably a botnet. Can you see in your webserver logs and `/var/log/auth.log` what they are trying to do? You should then block these requests by filtering the resp. ports etc. – digijay Sep 12 '20 at 04:58
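One way to do the two checks the question and the comment above ask for (which IPs appear only once, and whether any of them are on a known threat list) is to run the web server's access log against a blocklist file. The script below is an added example, not part of the original post: the log lines and the blocklist are constructed samples using documentation address ranges, and a real threat-intel feed would be substituted for `SAMPLE_BLOCKLIST` (most feeds are plain text with one IP or CIDR per line, which is the format parsed here).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not from the question).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2020:04:10:01 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Sep/2020:04:10:03 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.99 - - [12/Sep/2020:04:10:05 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "curl/7.68"
198.51.100.23 - - [12/Sep/2020:04:10:09 +0000] "GET /about HTTP/1.1" 200 801 "-" "Mozilla/5.0"
192.0.2.45 - - [12/Sep/2020:04:10:11 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.24"
"""

# Constructed threat list: one IP or CIDR per line, '#' starts a comment.
# A downloaded feed file in the same shape can be passed instead.
SAMPLE_BLOCKLIST = """\
# constructed example feed
203.0.113.0/24
192.0.2.45
"""

# The client address is the first whitespace-delimited field of a combined-format line.
LOG_IP_RE = re.compile(r"^(\S+) ")


def parse_ips(log_text):
    """Return the client IP of every log line, in order; lines without a valid IP are skipped."""
    ips = []
    for line in log_text.splitlines():
        m = LOG_IP_RE.match(line)
        if not m:
            continue
        try:
            ips.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # malformed field, not an address
    return ips


def load_blocklist(text):
    """Parse a feed of IPs/CIDRs into network objects; bare IPs become /32 (or /128) networks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def match_blocklist(ips, nets):
    """Map each distinct IP (as a string) to the first blocklist entry containing it, or None."""
    return {str(ip): next((str(n) for n in nets if ip in n), None) for ip in set(ips)}


def single_use_ips(ips):
    """IPs that made exactly one request in the log, sorted for stable output."""
    counts = Counter(str(ip) for ip in ips)
    return sorted(ip for ip, n in counts.items() if n == 1)


def analyse(log_text, blocklist_text):
    """Combine both checks into one report dict."""
    ips = parse_ips(log_text)
    nets = load_blocklist(blocklist_text)
    hits = match_blocklist(ips, nets)
    return {
        "single_use": single_use_ips(ips),
        "blocklist_hits": {ip: entry for ip, entry in hits.items() if entry},
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, SAMPLE_BLOCKLIST)
    print("single-use IPs:", ", ".join(report["single_use"]))
    for ip, entry in sorted(report["blocklist_hits"].items()):
        print(f"{ip} matched blocklist entry {entry}")
```

For a real log, replace `SAMPLE_LOG` with the contents of the access log and `SAMPLE_BLOCKLIST` with a downloaded feed; matching on CIDR rather than exact IP is what catches the "each IP used once" pattern, since a feed listing the whole range still hits even when the specific address has never been seen before.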

1 Answer

1

If you don't need traffic or have clients from this country, you should block the traffic based on the country if it is possible.

Jose Perez
  • Thanks for the suggestion but unfortunately it's coming from a bunch of countries. Here are some of them: Chile, Congo, Egypt, Argentina, Brazil, ... it's sort of a long list unfortunately. – A X Sep 12 '20 at 21:03
  • Not a great answer – A X Dec 23 '20 at 20:03