LiquidFractal
Posted August 6, 2018

For weeks now (I'd actually say a couple of months), my cPanel error log has recorded hundreds of instances from an IP address 46.229.168.*, which tries to access all sorts of weird port numbers on my VPS: 49712, 7906, 39942, 5554, 29068, 12832, 14748... you get the idea.

These requests are all done twice per second, so in a given second a different IP (the last part being different) will rapid-fire two attempts to access a given port. Then a different iteration of 46.229.168.* will try another port and so forth.

I've blocked this IP block from my server so no harm is being done. I emailed the company who previously owned the IP block (SemRush), and they told me it was a legit search engine, which I think is BS. Now it's DataWeb, who has so far not responded to my cease and desist request.

I'm not up on my lingo so I thought I'd ask: Is this an attempt at a DDoS attack, or is it a port hack attempt? Is there anything else to be done apart from reporting the IP to abuse websites? I don't even know how effective that is.

Misi
Posted August 6, 2018

2 hours ago, liquidfractal said:
> These requests are all done twice per second, so in a given second a different IP (the last part being different) will rapid-fire two attempts to access a given port. Then a different iteration of 46.229.168.* will try another port and so forth.
> ...
> I'm not up on my lingo so I thought I'd ask: Is this an attempt at a DDoS attack,

No, it's not a DDoS attack. A DDoS attack would be when there would be an attempt to access your site not twice in a second but hundreds, thousands of times.

bfarber
Posted August 6, 2018

It sounds like port scanning on the surface.

LiquidFractal
Posted August 6, 2018

Thanks for the replies. I assume that no search engine has any business port-scanning.

Mark H
Posted August 7, 2018

No, they really don't have any business port scanning like that.

Here's who currently controls that x.x.x.* IP address range:

Since you've blocked it, there's little more you can do.

And its "parent" range, which as you noted is DataWeb, is:

If you do not have any audience in the Netherlands at all, you may wish to block the entire range of 46.229.160.1 thru 46.229.175.255. In CIDR format that would be:

46.229.160.0/20

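The pattern described in this thread (hosts rotating within 46.229.168.* and touching many different ports), as an added example that is not from any poster: the code groups log records by source /24, flags networks where several hosts hit several distinct ports, and checks that a flagged network falls inside the 46.229.160.0/20 range given above. The three-field record layout, the sample lines, the thresholds and the function names are constructed for this example and are not the cPanel log format.

```python
import ipaddress
from collections import defaultdict

# Constructed records "epoch_seconds source_ip port"; this layout is an
# assumption for the example, not the real cPanel error log format.
SAMPLE_LOG = """\
1533540000 46.229.168.130 49712
1533540000 46.229.168.130 49712
1533540001 46.229.168.141 7906
1533540001 46.229.168.141 7906
1533540002 46.229.168.152 39942
1533540002 46.229.168.152 39942
1533540003 46.229.168.133 5554
1533540003 46.229.168.133 5554
1533540004 198.51.100.7 443
1533540009 198.51.100.7 443
"""
BLOCK_RANGE = ipaddress.ip_network("46.229.160.0/20")  # CIDR from the thread

def summarize(log_text, prefix_len=24):
    """Group records by source network; collect hosts, ports and hit count."""
    stats = defaultdict(lambda: {"hosts": set(), "ports": set(), "hits": 0})
    for line in log_text.splitlines():
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[1])
            port = int(fields[2])
        except (IndexError, ValueError):
            continue  # skip malformed records
        entry = stats[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)]
        entry["hosts"].add(ip)
        entry["ports"].add(port)
        entry["hits"] += 1
    return stats

def scan_like(stats, min_ports=4, min_hosts=3):
    """Networks where several hosts touched several distinct ports."""
    return sorted((net for net, s in stats.items()
                   if len(s["ports"]) >= min_ports and len(s["hosts"]) >= min_hosts),
                  key=str)

def covered_by_block(net, block=BLOCK_RANGE):
    """True when the flagged network lies inside the block range."""
    return net.version == block.version and net.subnet_of(block)

if __name__ == "__main__":
    for net in scan_like(summarize(SAMPLE_LOG)):
        print(net, "inside", BLOCK_RANGE, "->", covered_by_block(net))
```
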
Archived
This topic is now archived and is closed to further replies.