A little over a month ago I reported an ongoing RDP attack campaign coming from Global Layer B.V. (AS49453) and their lone upstream peer Regionalnaya Kompaniya Svyazi Ltd. (AS57028) to their abuse team.
On July 11, an unnamed Global Layer Abuse Desk representative responded:
Our customer has already been informed to take action in this matter.
However, the RDP attacks from their network continued and I followed up again on August 6, receiving the following response:
The IP in question has been blocked and customer informed.
Unfortunately this was not case and the attacks continued to pour in, so I sent daily updates requesting comment why action had not been taken. I even offered to help them update their firewalls to nullroute the offending customer.
On August 10, I received a follow-up from the Global Layer Abuse Desk:
I suggest you stop sending us fake abuses. We first of all blocked the IP in question and that vps was terminated days ago.
It’s not possible you are getting any more complaints from our network. So check again.
So I checked again and found a massive, ongoing RDP attack campaign coming from their network. I noted the prefixes announced by AS49453 and their direct associate AS57028 and reviewed my firewall logs accordingly. I was astonished to find 2,940 RDP attacks, as of this writing.
| IP address | RDP attacks logged |
| 91.230.47.37 | 1123 |
| 91.195.103.102 | 368 |
| 91.195.103.85 | 308 |
| 91.195.103.84 | 134 |
| 91.230.47.41 | 131 |
| 91.195.103.164 | 128 |
| 91.230.47.44 | 118 |
| 91.230.47.39 | 101 |
| 91.230.47.10 | 95 |
| 91.195.103.157 | 69 |
| 91.195.103.101 | 59 |
| 91.195.103.250 | 53 |
| 91.195.103.86 | 40 |
| 91.195.103.171 | 33 |
| 91.195.103.149 | 26 |
| 91.230.47.4 | 18 |
| 91.195.103.167 | 15 |
| 91.195.103.170 | 14 |
| 91.195.103.100 | 13 |
| 91.195.103.168 | 13 |
| 91.195.103.154 | 11 |
| 91.195.103.172 | 11 |
| 91.195.103.169 | 9 |
| 91.230.47.6 | 8 |
| 91.195.103.173 | 7 |
| 91.195.103.4 | 7 |
| 91.195.103.92 | 7 |
| 91.195.103.36 | 5 |
| 91.195.103.37 | 4 |
| 91.195.103.152 | 2 |
| 91.195.103.22 | 2 |
| 91.195.103.98 | 2 |
| 91.195.103.165 | 1 |
| 91.195.103.50 | 1 |
| 91.195.103.68 | 1 |
| 91.195.103.99 | 1 |
| 91.230.47.3 | 1 |
| 91.230.47.40 | 1 |
The raw data with timestamps is available here. Note that a very small percentage of the attacks were also SSH and are included above.
So how many times has this “fake” abuse been logged on AbuseIPDB?
EDIT: Due to a “Data Loss Incident” at AbuseIPDB on 08/08/2017, the reported totals below won’t match the current total reports. The totals below were noted from before the incident occurred.
| AbuseIPDB report URL | AbuseIPDB total reports |
| 91.230.47.37 | 325 |
| 91.195.103.102 | 196 |
| 91.195.103.85 | 189 |
| 91.195.103.84 | 112 |
| 91.230.47.41 | 102 |
| 91.195.103.164 | 163 |
| 91.230.47.44 | 3 |
| 91.230.47.39 | 217 |
| 91.230.47.10 | 18 |
| 91.195.103.157 | 97 |
| 91.195.103.101 | 41 |
| 91.195.103.250 | 28 |
| 91.195.103.86 | 29 |
| 91.195.103.171 | 79 |
| 91.195.103.149 | 34 |
| 91.230.47.4 | 12 |
| 91.195.103.167 | 0 |
| 91.195.103.170 | 67 |
| 91.195.103.100 | 32 |
| 91.195.103.168 | 40 |
| 91.195.103.154 | 22 |
| 91.195.103.172 | 2 |
| 91.195.103.169 | 10 |
| 91.230.47.6 | 12 |
| 91.195.103.173 | 102 |
| 91.195.103.4 | 126 |
| 91.195.103.92 | 3 |
| 91.195.103.36 | 12 |
| 91.195.103.37 | 5 |
| 91.195.103.152 | 3 |
| 91.195.103.22 | 5 |
| 91.195.103.98 | 1 |
| 91.195.103.165 | 14 |
| 91.195.103.50 | 2 |
| 91.195.103.68 | 3 |
| 91.195.103.99 | 0 |
| 91.230.47.3 | 92 |
| 91.230.47.40 | 39 |
Based on the reports above, I feel it’s safe to conclude this network abuse is very real. How long will AS49453’s BGP peers let this abuse continue unabated?
One Reply to “Large-scale ongoing RDP attack campaign and Global Layer B.V. (AS49453) decries as “fake abuse””