A little over a month ago I reported an ongoing RDP attack campaign coming from Global Layer B.V. (AS49453) and their lone upstream peer Regionalnaya Kompaniya Svyazi Ltd. (AS57028) to their abuse team.

On July 11, an unnamed Global Layer Abuse Desk representative responded:

Our customer has already been informed to take action in this matter.

However, the RDP attacks from their network continued and I followed up again on August 6, receiving the following response:

The IP in question has been blocked and customer informed.

Unfortunately this was not the case and the attacks continued to pour in, so I sent daily updates requesting comment on why action had not been taken. I even offered to help them update their firewalls to nullroute the offending customer.

On August 10, I received a follow-up from the Global Layer Abuse Desk:

I suggest you stop sending us fake abuses. We first of all blocked the IP in question and that vps was terminated days ago.
It’s not possible you are getting any more complaints from our network. So check again.

So I checked again and found a massive, ongoing RDP attack campaign coming from their network. I noted the prefixes announced by AS49453 and their direct associate AS57028 and reviewed my firewall logs accordingly. I was astonished to find 2,940 RDP attacks, as of this writing.

IP address | RDP attacks logged
[IP address column not preserved in this copy; the 38 per-address counts follow in descending order]
1123, 368, 308, 134, 131, 128, 118, 101, 95, 69, 59, 53, 40, 33, 26, 18, 15, 14, 13, 13, 11, 11, 9, 8, 7, 7, 7, 5, 4, 2, 2, 2, 1, 1, 1, 1, 1, 1

The raw data with timestamps is available here. Note that a very small percentage of the attacks were SSH rather than RDP and are included in the totals above.
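To show how the per-IP tally above is produced from raw firewall logs, here is an added example that is not part of the original post: it parses iptables-style LOG lines, keeps TCP hits on the RDP and SSH ports, restricts source addresses to a set of watched prefixes, and counts hits per source in descending order. The log lines and the prefix list are constructed placeholders (RFC 5737 documentation ranges), not the real AS49453/AS57028 announcements, which the post does not list.

```python
import ipaddress
import re
from collections import Counter

# Constructed iptables-style LOG lines standing in for the firewall log the post
# reviews. Source addresses are RFC 5737 documentation ranges, not real attackers.
SAMPLE_LOG = """\
Aug 10 02:14:01 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=3389 SYN
Aug 10 02:14:07 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51240 DPT=3389 SYN
Aug 10 02:15:33 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=22 SYN
Aug 10 02:16:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=3389 SYN
Aug 10 02:16:45 fw kernel: DROP IN=eth0 SRC=192.0.2.55 DST=10.0.0.5 PROTO=UDP SPT=53 DPT=53
Aug 10 02:17:10 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=10.0.0.5 PROTO=TCP SPT=51299 DPT=3389 SYN
"""

# Assumed placeholder for the prefixes announced by the ASNs in question; take the
# real list from a BGP looking glass or RIR data before using this on live logs.
WATCHED_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Remote-access ports the post counts: RDP, plus the small share of SSH.
REMOTE_ACCESS_PORTS = {3389, 22}

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def in_watched_space(ip):
    """True if ip falls inside any watched prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_PREFIXES)


def count_attacks(log_text):
    """Return {src_ip: hits} for TCP hits on remote-access ports from watched
    prefixes, ordered by hit count descending (the shape of the table in the post)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall LOG line we understand
        if m["proto"] != "TCP" or int(m["dpt"]) not in REMOTE_ACCESS_PORTS:
            continue  # ignore non-TCP traffic and ports other than RDP/SSH
        if in_watched_space(m["src"]):
            counts[m["src"]] += 1
    return dict(counts.most_common())


if __name__ == "__main__":
    for ip, n in count_attacks(SAMPLE_LOG).items():
        print(f"{ip:<16} {n}")
```

The 203.0.113.9 hit is dropped because it lies outside the watched prefixes, and the UDP line is dropped because only TCP connections to the remote-access ports are counted.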

So how many times has this “fake” abuse been logged on AbuseIPDB?

EDIT: Due to a “Data Loss Incident” at AbuseIPDB on 08/08/2017, the reported totals below won’t match the current total reports. The totals below were noted from before the incident occurred.

AbuseIPDB report URL | AbuseIPDB total reports
[report URL column not preserved in this copy; the 38 report totals follow]
325, 196, 189, 112, 102, 163, 3, 217, 18, 97, 41, 28, 29, 79, 34, 12, 0, 67, 32, 40, 22, 2, 10, 12, 102, 126, 3, 12, 5, 3, 5, 1, 14, 2, 3, 0, 92, 39

Based on the reports above, I feel it’s safe to conclude this network abuse is very real. How long will AS49453’s BGP peers let this abuse continue unabated?

  1. Over the past 6 months I’ve been running two separate honeypots from a DigitalOcean data-center in the Netherlands. Global Layer IP addresses make up over 55% of all attacks on my honeypots. They’re outperforming Russia and China in attacking our nation. Had to tighten my log rotation just because of the sheer number of attacks from their network.

    They do always respond though and the attacks stop for a few hours after e-mailing them. Yet pick up every night, almost like they’re aware the admin is asleep in that country at that time.

    Some remarkable behavior:

    – I moved IPs, their network just followed to the new HoneyPot in a completely different IP block. Within 15 minutes.

    – The attacks stop within 30 minutes of e-mailing them. Now for conversion time between me emailing them, them contacting a client AND that client taking action, I’d expect a bit more time to pass… It’s almost like the person doing the scanning also gets those emails.

    – And yes they’ve also hinted that this might be “fake abuse”, sentences like “well anybody can make a list like that” have also been thrown my way.

    For now though, this is an interesting provider to sinkhole and log. If they’re really trying to resolve this I’m happy to help, if not, I’m happy to have fun with this. If anyone wants to discuss this or join in on the sinkholing, let me know!
