Over the past few weeks, I’ve had some issues with my site sometimes not being available or loading very slowly. Checking on the server, I could see a high number of Apache processes and memory usage about 5 GB higher than usual. Issuing a netstat, I could see that there were many connections from the same IP address: 126.96.36.199.
A whois on this address shows that this IP address belongs to a hosting company in Kiev, Ukraine called BlazingFast. I first blocked this IP address using iptables:
/sbin/iptables -A INPUT -s 188.8.131.52 -j DROP
Since I have a monitoring script that checks for intrusion attempts and blocks the offending IP addresses, I end up with lots of DROP rules in iptables. So once a week I clean them up automatically. Usually attackers do not keep trying for more than a week once they see that their traffic to my server is being dropped anyway.
Here it was different. As soon as the rules were cleared, it started again from the exact same address. Of course, I immediately blocked this IP address again and sent an email to their abuse address, but, as expected, I never got an answer. Instead, the same thing happened again, this time coming from another similar IP address: 184.108.40.206. Whois shows that this address also belongs to the same Ukrainian hosting company.
So, since it was now clear that I’d keep having problems with IP addresses belonging to this company, I decided to block all traffic coming from the IP ranges owned by them. First I looked up their ASN on https://who.is/whois-ip/ip-address/220.127.116.11: AS60033. Then I looked up the IP address blocks announced by that ASN on https://ipinfo.io/AS60033.
Then all I had to do was use iptables to block traffic from these IP address blocks (and make sure that these rules are not removed by my weekly cleanup):
/sbin/iptables -A INPUT -s 18.104.22.168/22 -j DROP
/sbin/iptables -A INPUT -s 22.214.171.124/24 -j DROP
/sbin/iptables -A INPUT -s 126.96.36.199/24 -j DROP
/sbin/iptables -A INPUT -s 188.8.131.52/24 -j DROP
/sbin/iptables -A INPUT -s 184.108.40.206/22 -j DROP
/sbin/iptables -A INPUT -s 220.127.116.11/23 -j DROP
/sbin/iptables -A INPUT -s 18.104.22.168/24 -j DROP
/sbin/iptables -A INPUT -s 22.214.171.124/24 -j DROP
/sbin/iptables -A INPUT -s 126.96.36.199/23 -j DROP
/sbin/iptables -A INPUT -s 188.8.131.52/24 -j DROP
/sbin/iptables -A INPUT -s 184.108.40.206/24 -j DROP
/sbin/iptables -A INPUT -s 220.127.116.11/23 -j DROP
/sbin/iptables -A INPUT -s 18.104.22.168/24 -j DROP
/sbin/iptables -A INPUT -s 22.214.171.124/24 -j DROP
/sbin/iptables -A INPUT -s 126.96.36.199/23 -j DROP
/sbin/iptables -A INPUT -s 188.8.131.52/23 -j DROP
/sbin/iptables -A INPUT -s 184.108.40.206/24 -j DROP
/sbin/iptables -A INPUT -s 220.127.116.11/24 -j DROP
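One way to keep such ASN-wide blocks from being wiped by a periodic cleanup of dynamically added rules is to put them in a dedicated chain and add them idempotently. The script below is an added example, not the post’s own script; the chain name BLOCK_ASN, the prefix list on stdin and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): keep ASN-wide DROP rules in their own
# chain so the weekly cleanup of dynamically added INPUT rules leaves them
# alone. Assumed names: chain BLOCK_ASN, prefix list read from stdin.
# Set DRY_RUN=1 to print the iptables commands instead of running them
# (useful for checking a prefix list before applying it as root).
IPT="${IPT:-/sbin/iptables}"
CHAIN="${CHAIN:-BLOCK_ASN}"

# Wrapper around iptables; in dry-run mode it prints the command and
# pretends that no rule exists yet (so -C checks report "absent").
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        if [ "$1" = "-C" ]; then return 1; fi
        echo "$IPT $*"
        return 0
    fi
    "$IPT" "$@"
}

# Succeed only if $1 is an IPv4 prefix of the form a.b.c.d/nn (nn 0..32).
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Create the chain once and hook it in as the first INPUT rule; safe to
# re-run after each cleanup because both steps check before changing.
setup_chain() {
    ipt -N "$CHAIN" 2>/dev/null || true
    ipt -C INPUT -j "$CHAIN" 2>/dev/null || ipt -I INPUT 1 -j "$CHAIN"
}

# Add one DROP rule, skipping prefixes that are malformed or already present.
block_prefix() {
    valid_cidr "$1" || { echo "skipping invalid prefix: $1" >&2; return 1; }
    ipt -C "$CHAIN" -s "$1" -j DROP 2>/dev/null && return 0
    ipt -A "$CHAIN" -s "$1" -j DROP
}

# Read prefixes from stdin (one per line, '#' comments and blanks ignored),
# block each, and print the number of prefixes accepted on the last line.
block_from_list() {
    n=0
    while read -r p _; do
        case "$p" in ''|\#*) continue ;; esac
        block_prefix "$p" && n=$((n + 1))
    done
    echo "$n"
}
```

Run setup_chain once after each cleanup and then pipe the prefix list into block_from_list; rules in the extra chain survive a flush of INPUT, and iptables-save can be used to persist them across reboots.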
So the load on the server is now fine again and, unlike in the past few weeks, the hosted websites are always accessible and load fast.
It’s interesting to see that BlazingFast advertises a DDoS protection service on the one hand, and actually seems to have customers performing brute-force attacks from its servers on the other. If you look up their ASN on the fail2ban reporting service, you will see that a few of their IP addresses are being blocked. So I am not the only one who’s been hit by this. Maybe they should not only focus on protecting their customers from DDoS attacks but should also prevent them from performing attacks.
This post on Stack Exchange also shows that this is nothing new: there were already attacks originating from one of their IP addresses in May. The answers to this post also give some alternative ways to block them, using the Apache .htaccess file, a Cisco firewall, Nginx, a Microsoft IIS web server rule, netsh ADVFirewall or the CSF firewall.
I know it’s more difficult to identify attacks originating from one of your own IP addresses than attacks targeting your network. As a hosting company, you definitely do not want too many false positives that block legitimate traffic generated by your customers. But I’m still pretty mad at having to waste so much time taking care of this kind of thing…
Update 20/07/2015: Today I’ve blocked additional IP blocks belonging to Kyivstar PJSC. Slowly I’m starting to think that I’ll have to block access from entire regions in order to be able to sleep at night without worrying…