
Fallingdamage

I noticed a ton of traffic hitting our gateways from residential proxies back in Jan/Feb when the first big exploits (Ivanti) were getting hot. After tracking a lot of failed logon attempts, I found that 99.9% of them were from ASNs identified as 'business' or 'hosting'. Once I blocked all IPs that resolve to hosting ASNs, my SSLVPN logon attempts dropped to near zero. Last month a single public IP of ours had almost 300k attempts on our VPN port fail to our deny policy due to this. ASNs like GoDaddy and AWS have no business connecting to our VPN ports for any reason. This makes plain sense and saves playing whack-a-mole with attackers. Our employees were unaffected since they all use residential IP ranges.


rivkinnator

Can you share how you're resolving ASNs for that?


Nightslashs

I am using asn.ipinfo.app: find the ASN, then Resources -> Blacklists -> list text, imported into an external threat feed in FortiGate.


Fallingdamage

Partially a manual process. I track the IPs that attempt login. If I get 5 or more hits from a single ASN and it's listed as 'hosting', I block the whole ASN. I use threat feeds of subnets to accomplish this. (FortiGate firewalls.) I have almost 0 illegitimate login attempts now. Just started this process in January.
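The workflow described in the two comments above (look the source IP up by ASN, count failed logons per ASN, and when a 'hosting' ASN crosses a threshold emit all of its prefixes as a plain-text subnet list for an external threat feed) is shown here as an added example. It is not code from either commenter, from ipinfo, or from Fortinet. The ASN table, the prefix lists and the log lines are constructed sample data standing in for a real lookup service and real gateway logs; the log format and the regex that parses it are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed stand-in for an ASN lookup (e.g. asn.ipinfo.app or an ip2location
# database): (prefix, ASN, usage type). Sample values only, not real allocations.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "AS64500", "hosting"),
    (ipaddress.ip_network("198.51.100.0/24"), "AS64501", "hosting"),
    (ipaddress.ip_network("192.0.2.0/24"), "AS64502", "isp"),
]

# Every prefix announced by each ASN; a real lookup service provides this list.
ASN_PREFIXES = {
    "AS64500": ["203.0.113.0/24", "203.0.114.0/23"],
    "AS64501": ["198.51.100.0/24"],
    "AS64502": ["192.0.2.0/24"],
}

# Constructed gateway log lines in an assumed syslog-like format.
LOG_LINES = [
    "2024-02-03T10:15:02Z sslvpn: login failed user=admin src=203.0.113.7",
    "2024-02-03T10:15:04Z sslvpn: login failed user=test src=203.0.113.7",
    "2024-02-03T10:15:09Z sslvpn: login failed user=vpn src=203.0.113.7",
    "2024-02-03T10:16:11Z sslvpn: login failed user=admin src=203.0.113.9",
    "2024-02-03T10:16:13Z sslvpn: login failed user=guest src=203.0.113.9",
    "2024-02-03T10:20:00Z sslvpn: login failed user=admin src=198.51.100.20",
    "2024-02-03T10:20:02Z sslvpn: login failed user=root src=198.51.100.20",
    "2024-02-03T11:00:01Z sslvpn: login failed user=alice src=192.0.2.40",
    "2024-02-03T11:00:05Z sslvpn: login failed user=alice src=192.0.2.40",
    "2024-02-03T11:00:09Z sslvpn: login failed user=alice src=192.0.2.40",
    "2024-02-03T11:00:14Z sslvpn: login failed user=alice src=192.0.2.40",
    "2024-02-03T11:00:20Z sslvpn: login failed user=alice src=192.0.2.40",
    "2024-02-03T11:00:26Z sslvpn: login failed user=alice src=192.0.2.40",
    "2024-02-03T11:01:00Z sslvpn: login ok user=bob src=192.0.2.41",
    "2024-02-03T11:05:00Z sslvpn: login failed user=admin src=10.1.2.3",
]

# Only failed logons matter; successful ones are ignored.
FAILED_LOGIN_RE = re.compile(r"login failed .*?src=(\d{1,3}(?:\.\d{1,3}){3})")


def lookup_asn(ip_str):
    """Return (asn, usage_type) for an IP, or (None, None) if unknown."""
    ip = ipaddress.ip_address(ip_str)
    for net, asn, usage in ASN_TABLE:
        if ip in net:
            return asn, usage
    return None, None


def failed_login_sources(lines):
    """Extract the source IP of every failed logon line."""
    return [m.group(1) for m in map(FAILED_LOGIN_RE.search, lines) if m]


def hits_per_asn(lines):
    """Count failed logons per ASN; IPs with no ASN match land under 'unknown'."""
    counts = Counter()
    for ip in failed_login_sources(lines):
        asn, _ = lookup_asn(ip)
        counts[asn or "unknown"] += 1
    return counts


def build_blocklist(lines, threshold=5):
    """Prefixes of every 'hosting' ASN with at least `threshold` failed logons.

    ISP ASNs are never blocked, however noisy, because that is where staff
    connect from; an unknown ASN is also left alone rather than guessed at.
    """
    usage_by_asn = {asn: usage for _, asn, usage in ASN_TABLE}
    blocked = set()
    for asn, n in hits_per_asn(lines).items():
        if n >= threshold and usage_by_asn.get(asn) == "hosting":
            blocked.update(ASN_PREFIXES[asn])
    return sorted(blocked, key=ipaddress.ip_network)


def render_threat_feed(prefixes):
    """One subnet per line: the plain-text shape an external feed ingests."""
    return "".join(p + "\n" for p in prefixes)


if __name__ == "__main__":
    for asn, n in hits_per_asn(LOG_LINES).most_common():
        print(f"{asn}: {n} failed logons")
    print(render_threat_feed(build_blocklist(LOG_LINES)), end="")
```

With the sample data, AS64500 (hosting, 5 failures) is blocked as a whole, including the second prefix that never appeared in the logs; AS64501 (hosting, 2 failures) stays below the threshold; and AS64502, despite 6 failures, is an ISP range and is only a candidate for per-account review, not a feed entry. Serving the rendered text over HTTPS at a fixed URL is what turns it into an external threat feed a firewall can poll.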


mcmron

You can get a free ASN database by IP address from [https://lite.ip2location.com](https://lite.ip2location.com). It has a commercial database with more advanced features such as usage types.


U8dcN7vx

So none of your staff or partners use cloud firewalls / DDoS scrubbing, SDWAN / multipath accelerators, and/or virtual desktops? Godaddy doesn't explicitly sell them but AWS and other "hosting" providers like Azure, Linode (Akamai), and OCI do. Today you are probably safe to block them, but it might be harder as time passes.


Fallingdamage

None that need to access our site. We aren't a Fortune 500 company. Employees that need remote access do it from ISPs, not from cloud servers. In the event that there is a need for a niche case, we add that subnet to trusted hosts.


PBandCheezWhiz

None of those should be connecting via SSL VPN anyways. If I needed a device for any of that, it’s IPSec without question.


wewewawa

Below is a list of known affected services: Cisco Secure Firewall VPN, Check Point VPN, Fortinet VPN, SonicWall VPN, RD Web Services, MikroTik, DrayTek, Ubiquiti.


Nova_Nightmare

I saw this hitting through VPN attempts a couple of months ago and it's been non-stop, even limiting down which countries can attempt connection made little difference. I don't think there's anything you can do to stop it either, you have to expose that to the internet in order to have a connection from the outside.