Large-scale ongoing RDP attack campaign that Global Layer B.V. (AS49453) decries as “fake abuse”

A little over a month ago I reported an ongoing RDP attack campaign coming from Global Layer B.V. (AS49453) and their lone upstream peer Regionalnaya Kompaniya Svyazi Ltd. (AS57028) to their abuse team.

On July 11, an unnamed Global Layer Abuse Desk representative responded:

Our customer has already been informed to take action in this matter.

However, the RDP attacks from their network continued and I followed up again on August 6, receiving the following response:

The IP in question has been blocked and customer informed.

Unfortunately this was not the case and the attacks continued to pour in, so I sent daily updates requesting comment on why action had not been taken. I even offered to help them update their firewalls to nullroute the offending customer.

Global Layer

On August 10, I received a follow-up from the Global Layer Abuse Desk:

I suggest you stop sending us fake abuses. We first of all blocked the IP in question and that vps was terminated days ago.
It’s not possible you are getting any more complaints from our network. So check again.

So I checked again and found a massive, ongoing RDP attack campaign coming from their network.  I noted the prefixes announced by AS49453 and their direct associate AS57028 and reviewed my firewall logs accordingly. I was astonished to find 2,940 RDP attacks, as of this writing.

IP address         RDP attacks logged
91.230.47.37       1123
91.195.103.102     368
91.195.103.85      308
91.195.103.84      134
91.230.47.41       131
91.195.103.164     128
91.230.47.44       118
91.230.47.39       101
91.230.47.10       95
91.195.103.157     69
91.195.103.101     59
91.195.103.250     53
91.195.103.86      40
91.195.103.171     33
91.195.103.149     26
91.230.47.4        18
91.195.103.167     15
91.195.103.170     14
91.195.103.100     13
91.195.103.168     13
91.195.103.154     11
91.195.103.172     11
91.195.103.169     9
91.230.47.6        8
91.195.103.173     7
91.195.103.4       7
91.195.103.92      7
91.195.103.36      5
91.195.103.37      4
91.195.103.152     2
91.195.103.22      2
91.195.103.98      2
91.195.103.165     1
91.195.103.50      1
91.195.103.68      1
91.195.103.99      1
91.230.47.3        1
91.230.47.40       1

The raw data with timestamps is available here. Note that a very small percentage of the attacks were SSH rather than RDP; those are included in the counts above.
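The per-IP counts above come from reviewing firewall logs against the prefixes announced by the two ASNs. The following script is an added illustration of that triage step, not the post's own tooling: it parses iptables-style kernel log lines, keeps only hits whose source falls inside a watched prefix list and whose destination port is RDP (3389) or SSH (22), and tallies them per source IP. The log lines are constructed samples, and the prefixes 91.230.47.0/24 and 91.195.103.0/24 are an assumption chosen to cover the addresses listed above; the post does not state the exact announced prefixes, so in practice they should be taken from a BGP looking glass or RIR data.

```python
"""Tally firewall hits from watched prefixes by source IP and service.

Added example, not from the original post. Assumptions (hypothetical):
- log lines are iptables-style kernel messages with SRC= and DPT= fields;
- WATCHED_PREFIXES approximates the AS49453/AS57028 announcements seen
  in the post; replace with prefixes from a looking glass for real use.
"""
import ipaddress
import re
from collections import Counter

# Assumed prefixes covering the addresses listed in the post (not from the post).
WATCHED_PREFIXES = [ipaddress.ip_network(p) for p in ("91.230.47.0/24", "91.195.103.0/24")]

# Destination ports the post counts: RDP, plus the small share of SSH hits.
PORT_NAMES = {3389: "RDP", 22: "SSH"}

# Constructed sample log lines (not the post's raw data).
SAMPLE_LOG = """\
Aug 10 01:02:03 gw kernel: [12345.678] DROP IN=eth0 OUT= SRC=91.230.47.37 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=3389 SYN
Aug 10 01:02:04 gw kernel: [12346.678] DROP IN=eth0 OUT= SRC=91.230.47.37 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=3389 SYN
Aug 10 01:03:10 gw kernel: [12400.001] DROP IN=eth0 OUT= SRC=91.195.103.102 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=3389 SYN
Aug 10 01:04:11 gw kernel: [12460.002] DROP IN=eth0 OUT= SRC=91.195.103.102 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=22 SYN
Aug 10 01:05:12 gw kernel: [12520.003] DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=33333 DPT=3389 SYN
Aug 10 01:06:13 gw kernel: [12580.004] DROP IN=eth0 OUT= SRC=91.230.47.37 DST=203.0.113.5 PROTO=TCP SPT=51236 DPT=80 SYN
Aug 10 01:07:14 gw kernel: [12640.005] DROP IN=eth0 OUT= SRC=91.230.47.41 DST=203.0.113.5 PROTO=TCP SPT=51237 DPT=3389 SYN
"""

LOG_RE = re.compile(r"SRC=(?P<src>[0-9.]+)\s.*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (source IP, destination port) for one log line, or None if the fields are absent."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return ipaddress.ip_address(m.group("src")), int(m.group("dpt"))


def in_prefixes(ip, prefixes):
    """True if ip lies inside any of the given networks."""
    return any(ip in net for net in prefixes)


def count_hits(log_text, prefixes=WATCHED_PREFIXES, ports=PORT_NAMES):
    """Count hits keyed by (source IP string, service name), restricted to watched prefixes and ports."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dpt = parsed
        # Drop traffic from outside the watched space and ports we are not tracking.
        if dpt not in ports or not in_prefixes(src, prefixes):
            continue
        counts[(str(src), ports[dpt])] += 1
    return counts


def summarize(counts):
    """Collapse to per-IP totals, most active first (ties broken by IP string), like the post's table."""
    per_ip = Counter()
    for (ip, _service), n in counts.items():
        per_ip[ip] += n
    return sorted(per_ip.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = count_hits(SAMPLE_LOG)
    print(f"{'IP address':<18}{'hits':>6}")
    for ip, n in summarize(hits):
        print(f"{ip:<18}{n:>6}")
    print("total hits from watched prefixes:", sum(hits.values()))
```

On the sample input the script counts five hits: the 198.51.100.7 line is outside the watched prefixes and the port 80 line is not a tracked service, so neither is included; the per-service keys let the SSH share be reported separately when needed.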

So how many times has this “fake” abuse been logged on AbuseIPDB?

EDIT:  Due to a “Data Loss Incident” at AbuseIPDB on 08/08/2017, the reported totals below won’t match the current total reports.  The totals below were noted from before the incident occurred.

IP address (AbuseIPDB report URL)   AbuseIPDB total reports
91.230.47.37                        325
91.195.103.102                      196
91.195.103.85                       189
91.195.103.84                       112
91.230.47.41                        102
91.195.103.164                      163
91.230.47.44                        3
91.230.47.39                        217
91.230.47.10                        18
91.195.103.157                      97
91.195.103.101                      41
91.195.103.250                      28
91.195.103.86                       29
91.195.103.171                      79
91.195.103.149                      34
91.230.47.4                         12
91.195.103.167                      0
91.195.103.170                      67
91.195.103.100                      32
91.195.103.168                      40
91.195.103.154                      22
91.195.103.172                      2
91.195.103.169                      10
91.230.47.6                         12
91.195.103.173                      102
91.195.103.4                        126
91.195.103.92                       3
91.195.103.36                       12
91.195.103.37                       5
91.195.103.152                      3
91.195.103.22                       5
91.195.103.98                       1
91.195.103.165                      14
91.195.103.50                       2
91.195.103.68                       3
91.195.103.99                       0
91.230.47.3                         92
91.230.47.40                        39

Based on the reports above, I feel it’s safe to conclude this network abuse is very real. How long will AS49453’s BGP peers let this abuse continue unabated?
