Another day, another RDP attack, and an ISP that takes swift action

Recently I noticed numerous Remote Desktop Protocol (RDP) attacks originating from IP address 91.197.234.22. RDP attacks are nothing new, especially after a recent report of RDP Brute-Force Attacks Spreading Crysis Ransomware. However, an ISP that takes swift action against this type of attack is not so common.


A WHOIS lookup for 91.197.234.22 on DomainTools.com notes the abuse contact as “noc@planet-telecom.eu” and provides the full contact information:

organisation:   ORG-PTL7-RIPE
org-name:       Planet Telecom Ltd.
org-type:       OTHER
address:        Sokolovska 395, 186 00 Praha 8, Prague, Czech Republic
e-mail:         noc@planet-telecom.eu
abuse-c:        PTN21-RIPE
mnt-ref:        MNT-PLANET-TELECOM
mnt-by:         MNT-PLANET-TELECOM
created:        2007-09-15T14:57:20Z
last-modified:  2016-03-23T09:42:12Z
source:         RIPE
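The record above is a RIPE database object in the usual "attribute: value" (RPSL) layout. As an added example, not code from the original post, here is a small parser for that layout that pulls out the contact to send an abuse report to. One caveat worth knowing when reading such output: the address RIPE designates for abuse reports is the abuse-mailbox attribute of the role object that abuse-c points to, not the organisation's e-mail attribute, which is only a fallback when the role object is not in hand. The organisation object below is copied from the post; the role object with the nic-hdl PTN21-RIPE is a constructed, hypothetical stand-in (its mailbox is an example.net address) and does not reflect the real RIPE record.

```python
"""Parse RIPE-style WHOIS (RPSL) text and pick the abuse contact to report to."""
import re
from typing import Dict, List, Optional

# Organisation object as quoted in the post.
ORG_OBJECT = """\
organisation:   ORG-PTL7-RIPE
org-name:       Planet Telecom Ltd.
org-type:       OTHER
address:        Sokolovska 395, 186 00 Praha 8, Prague, Czech Republic
e-mail:         noc@planet-telecom.eu
abuse-c:        PTN21-RIPE
mnt-ref:        MNT-PLANET-TELECOM
mnt-by:         MNT-PLANET-TELECOM
created:        2007-09-15T14:57:20Z
last-modified:  2016-03-23T09:42:12Z
source:         RIPE
"""

# Constructed, hypothetical role object of the kind abuse-c normally references.
# It is NOT the real RIPE record; the mailbox is an example.net placeholder.
ROLE_OBJECT = """\
role:           Abuse Contact (constructed example, not a real RIPE object)
nic-hdl:        PTN21-RIPE
abuse-mailbox:  abuse@example.net
remarks:        Include timestamps (UTC) and the
                targeted port in reports
source:         RIPE
"""

# An RPSL attribute line: key, colon, value. Keys may contain hyphens (e-mail, abuse-c).
RPSL_ATTR = re.compile(r"^([a-zA-Z][a-zA-Z0-9-]*):\s*(.*)$")


def parse_rpsl(text: str) -> List[Dict[str, List[str]]]:
    """Split WHOIS output into objects (separated by blank lines) and each
    object into attribute -> list of values. Lists are kept because some
    attributes (mnt-by, remarks) legitimately repeat. Lines beginning with
    whitespace or '+' continue the previous value; '%' and '#' lines are
    server comments and are skipped."""
    objects: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith(("%", "#")):
            continue
        if not raw.strip():
            if current:
                objects.append(current)
                current, last_key = {}, None
            continue
        if raw[0] in " \t+" and last_key is not None:
            current[last_key][-1] += " " + raw.lstrip(" \t+").strip()
            continue
        m = RPSL_ATTR.match(raw)
        if not m:
            continue  # tolerate stray lines rather than abort the whole parse
        key, value = m.group(1).lower(), m.group(2).strip()
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        objects.append(current)
    return objects


def abuse_contacts(text: str) -> Dict[str, Optional[str]]:
    """Return the abuse-c handle, the abuse-mailbox of the role it points to
    (the address RIPE designates for abuse reports) and the address to
    actually report to, falling back to the organisation e-mail when the
    role object is absent from the output."""
    objects = parse_rpsl(text)
    handle = mailbox = fallback = None
    for obj in objects:
        if handle is None and "abuse-c" in obj:
            handle = obj["abuse-c"][0]
        if fallback is None and "e-mail" in obj:
            fallback = obj["e-mail"][0]
    if handle is not None:
        for obj in objects:
            if obj.get("nic-hdl", [None])[0] == handle and "abuse-mailbox" in obj:
                mailbox = obj["abuse-mailbox"][0]
                break
    return {"abuse_c": handle, "abuse_mailbox": mailbox, "report_to": mailbox or fallback}


if __name__ == "__main__":
    print(abuse_contacts(ORG_OBJECT))                      # falls back to e-mail
    print(abuse_contacts(ORG_OBJECT + "\n" + ROLE_OBJECT))  # uses abuse-mailbox
```

Run it against the raw output of `whois -h whois.ripe.net 91.197.234.22` (which returns the inetnum, organisation, role and route objects together) and the function picks the abuse-mailbox when present; on the organisation object alone, as quoted in the post, it can only offer the generic e-mail attribute.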

I contacted noc@planet-telecom.eu about the incoming RDP attacks but did not receive any response. I tried to find alternative contact records on their website, http://planet-telecom.eu/. To my dismay, I found only a fake website that leads to a WordPress theme sales page: https://themeforest.net/item/total-responsive-multipurpose-wordpress-theme/6339019?ref=wpexplorer

Due to this, I escalated my request to the route maintainer (holder of the parent IP block), which is 3W Infra B.V., based in Amsterdam. While I waited for their response, I also contacted their transit provider, Fusix Networks. I received a response from Niels Raijer, owner and chief architect at Fusix.

Niels stated:

We provide transit to Dedicolo/3W Infra and as such will not block the traffic, that would create a nasty precedent. As their transit provider we do use strict BCP38 filtering on their uplink in order to make spoofing impossible, however I understand well that the case you write about is amazingly enough not involving any spoofing.

Shortly thereafter, I received a response from 3W Infra’s CEO, Murat Bayhan:

As you might know, and saw in our press releases on the internet, due to rapid growth we are busy with a huge migration that involves 4000 servers moving from a shared DC hall to a private suite. Therefore all of our engineers are busy with this task, including abuse department engineers – we do not have a lot of abuse, therefore it is not really monitored daily.

My apologies for the delay on your report.

We have informed our client of this; please let me know 72h later if you still experience this.

The attacks didn't cease, however, and I followed up with Murat, who contacted his reseller again.

Six hours later, I received another follow-up from Murat:

We have null-routed the ip at our end.

This is a prime example of an ISP, 3W Infra, taking abuse complaints seriously and remediating the issue quickly.
