LiquidFractal
Posted August 6, 2018

For weeks now (I'd actually say a couple of months), my cPanel Error log has recorded hundreds of instances from an IP address 46.229.168.*, which tries to access all sorts of weird port numbers on my VPS: 49712, 7906, 39942, 5554, 29068, 12832, 14748... you get the idea.

These requests are all done twice per second, so in a given second a different IP (the last part being different) will rapid-fire two attempts to access a given port. Then a different iteration of 46.229.168.* will try another port and so forth.

I've blocked this IP block from my server so no harm is being done. I emailed the company who previously owned the IP block (SemRush), and they told me it was a legit search engine, which I think is BS. Now it's DataWeb, who has so far not responded to my cease and desist request.

I'm not up on my lingo so I thought I'd ask: Is this an attempt at a DDoS attack, or is it a port hack attempt? Is there anything else to be done apart from reporting the IP to abuse websites? I don't even know how effective that is.

Misi
Posted August 6, 2018

2 hours ago, liquidfractal said:
> These requests are all done twice per second, so in a given second a different IP (the last part being different) will rapidfire two attempts to access a given port. Then a different iteration of 46.229.168.* will try another port and so forth.
> ...
> I'm not up on my lingo so I thought I'd ask: Is this an attempt at a DDoS attack,

No, it's not a DDoS attack. A DDoS attack would be when there would be an attempt to access your site not twice in a second but hundreds, thousands of times.

LiquidFractal (Author)
Posted August 6, 2018

Thanks for the replies. I assume that no search engine has any business port-scanning.

Mark H
Posted August 7, 2018

No, they really don't have any business port scanning like that.

Here's who currently controls that x.x.x.* IP address range:

Since you've blocked it, there's little more you can do.

And its "parent" range, which as you noted is DataWeb, is:

If you do not have any audience in the Netherlands at all, you may wish to block the entire range of 46.229.160.1 thru 46.229.175.255. In CIDR format that would be: 46.229.160.0/20
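
The range-to-CIDR conversion from the post above, together with a per-/24 summary of logged ports, as an added example that is not part of the original thread. The three-field log layout, the sample lines and the function names are constructed assumptions, not the cPanel error log format.

```python
import ipaddress
from collections import defaultdict

# Parent range quoted in the post above.
BLOCK = ipaddress.ip_network("46.229.160.0/20")

# Constructed sample lines in an assumed "time source_ip port" layout;
# a real cPanel/Apache error log needs its own parsing.
SAMPLE_LOG = """\
12:00:01 46.229.168.12 49712
12:00:01 46.229.168.12 49712
12:00:02 46.229.168.77 7906
12:00:02 46.229.168.77 7906
12:00:03 46.229.168.140 39942
12:00:04 46.229.168.9 5554
12:00:05 203.0.113.8 443
""".splitlines()

def range_to_cidr(first, last):
    """Collapse an inclusive first-last IPv4 range into CIDR networks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(n) for n in nets]

def summarize(lines, min_ports=3):
    """Group hits by source /24; report groups with many distinct ports."""
    seen = defaultdict(lambda: {"hosts": set(), "ports": set(), "hits": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # line does not match the assumed layout
        try:
            ip, port = ipaddress.IPv4Address(parts[1]), int(parts[2])
        except ValueError:
            continue  # not an IPv4 address or not a numeric port
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        entry = seen[net]
        entry["hosts"].add(ip)
        entry["ports"].add(port)
        entry["hits"] += 1
    return [
        {"net": str(net), "hosts": len(e["hosts"]), "ports": len(e["ports"]),
         "hits": e["hits"], "in_block": net.subnet_of(BLOCK)}
        for net, e in seen.items() if len(e["ports"]) >= min_ports
    ]

if __name__ == "__main__":
    print(range_to_cidr("46.229.160.0", "46.229.175.255"))
    print(summarize(SAMPLE_LOG))
```

A range that starts at 46.229.160.1 rather than 46.229.160.0 does not collapse to a single network, which is why the CIDR form of the block begins at .160.0.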
Archived
This topic is now archived and is closed to further replies.