A little over a month ago I reported an ongoing RDP attack campaign coming from Global Layer B.V. (AS49453) and their lone upstream peer Regionalnaya Kompaniya Svyazi Ltd. (AS57028) to their abuse team.
On July 11, an unnamed Global Layer Abuse Desk representative responded:
Our customer has already been informed to take action in this matter.
However, the RDP attacks from their network continued and I followed up again on August 6, receiving the following response:
The IP in question has been blocked and customer informed.
Unfortunately this was not case and the attacks continued to pour in, so I sent daily updates requesting comment why action had not been taken. I even offered to help them update their firewalls to nullroute the offending customer.
On August 10, I received a follow-up from the Global Layer Abuse Desk:
I suggest you stop sending us fake abuses. We first of all blocked the IP in question and that vps was terminated days ago.
It’s not possible you are getting any more complaints from our network. So check again.
So I checked again and found a massive, ongoing RDP attack campaign coming from their network. I noted the prefixes announced by AS49453 and their direct associate AS57028 and reviewed my firewall logs accordingly. I was astonished to find 2,940 RDP attacks, as of this writing.
| IP address | RDP attacks logged |
| 91.230.47.37 | 1123 |
| 91.195.103.102 | 368 |
| 91.195.103.85 | 308 |
| 91.195.103.84 | 134 |
| 91.230.47.41 | 131 |
| 91.195.103.164 | 128 |
| 91.230.47.44 | 118 |
| 91.230.47.39 | 101 |
| 91.230.47.10 | 95 |
| 91.195.103.157 | 69 |
| 91.195.103.101 | 59 |
| 91.195.103.250 | 53 |
| 91.195.103.86 | 40 |
| 91.195.103.171 | 33 |
| 91.195.103.149 | 26 |
| 91.230.47.4 | 18 |
| 91.195.103.167 | 15 |
| 91.195.103.170 | 14 |
| 91.195.103.100 | 13 |
| 91.195.103.168 | 13 |
| 91.195.103.154 | 11 |
| 91.195.103.172 | 11 |
| 91.195.103.169 | 9 |
| 91.230.47.6 | 8 |
| 91.195.103.173 | 7 |
| 91.195.103.4 | 7 |
| 91.195.103.92 | 7 |
| 91.195.103.36 | 5 |
| 91.195.103.37 | 4 |
| 91.195.103.152 | 2 |
| 91.195.103.22 | 2 |
| 91.195.103.98 | 2 |
| 91.195.103.165 | 1 |
| 91.195.103.50 | 1 |
| 91.195.103.68 | 1 |
| 91.195.103.99 | 1 |
| 91.230.47.3 | 1 |
| 91.230.47.40 | 1 |
The raw data with timestamps is available here. Note that a very small percentage of the attacks were also SSH and are included above.
So how many times has this “fake” abuse been logged on AbuseIPDB?
EDIT: Due to a “Data Loss Incident” at AbuseIPDB on 08/08/2017, the reported totals below won’t match the current total reports. The totals below were noted from before the incident occurred.
| AbuseIPDB report URL | AbuseIPDB total reports |
| 91.230.47.37 | 325 |
| 91.195.103.102 | 196 |
| 91.195.103.85 | 189 |
| 91.195.103.84 | 112 |
| 91.230.47.41 | 102 |
| 91.195.103.164 | 163 |
| 91.230.47.44 | 3 |
| 91.230.47.39 | 217 |
| 91.230.47.10 | 18 |
| 91.195.103.157 | 97 |
| 91.195.103.101 | 41 |
| 91.195.103.250 | 28 |
| 91.195.103.86 | 29 |
| 91.195.103.171 | 79 |
| 91.195.103.149 | 34 |
| 91.230.47.4 | 12 |
| 91.195.103.167 | 0 |
| 91.195.103.170 | 67 |
| 91.195.103.100 | 32 |
| 91.195.103.168 | 40 |
| 91.195.103.154 | 22 |
| 91.195.103.172 | 2 |
| 91.195.103.169 | 10 |
| 91.230.47.6 | 12 |
| 91.195.103.173 | 102 |
| 91.195.103.4 | 126 |
| 91.195.103.92 | 3 |
| 91.195.103.36 | 12 |
| 91.195.103.37 | 5 |
| 91.195.103.152 | 3 |
| 91.195.103.22 | 5 |
| 91.195.103.98 | 1 |
| 91.195.103.165 | 14 |
| 91.195.103.50 | 2 |
| 91.195.103.68 | 3 |
| 91.195.103.99 | 0 |
| 91.230.47.3 | 92 |
| 91.230.47.40 | 39 |
Based on the reports above, I feel it’s safe to conclude this network abuse is very real. How long will AS49453’s BGP peers let this abuse continue unabated?
I can tell you they hosting several spam and fake review website like http://anzmi.net they don’t have a real abuse support.
Over the past 6 months I’ve been running two separate honeypots from a DigitalOcean data-center in the Netherlands. Global Layer IP addresses make up over 55% of all attacks on my honeypots. They’re outperforming Russia and China in attacking our nation. Had to tighten my log rotation just because of the sheer number of attacks from their network.
They do always respond though and the attacks stop for a few hours after e-mailing them. Yet pick up every night, almost like they’re aware the admin is asleep in that country at that time.
Some remarkable behavior:
– I moved IP’s, their network just followed to the new HoneyPot in a completely different IP block. Within 15 minutes.
– The attacks stop withing 30 minutes of e-mailing them.. Now for conversion time between me emailing them , them contacting a client AND that client taking action, I’d expect a bit more time to pass… It’s almost like the person doing the scanning also gets those emails.
– And yes they’ve also hinted that this might be “fake abuse”, sentences like ” well anybody can make a list like that” have also been thrown my way.
For now though, this is an interesting provider to sinkhole and log. If they’re really trying to resolve this I’m happy to help, if not, I’m happy to have fun with this. If anyone wants to discus this or join in on the sinkholing, let me know! frank@frank.today