[dns-operations] honeypot : so many bees from Amazon
Rayhelson, Michael
rayhelso at amazon.com
Wed Mar 6 00:10:28 UTC 2019
>> what can be done about it?
How about https://aws.amazon.com/forms/report-abuse ?
------------------------------
Date: Tue, 5 Mar 2019 09:59:37 -0500
From: Anthony Eden <anthony.eden at dnsimple.com>
To: MAYER Hans <Hans.Mayer at iiasa.ac.at>
Cc: "dns-operations at dns-oarc.net" <dns-operations at dns-oarc.net>
Subject: Re: [dns-operations] honeypot : so many bees from Amazon
Message-ID:
<CAOZSDgAJjsTUsKcXgvvYwFr0UoVuzkz7gVAAkv0ggz6X5QnHUg at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Thanks for sharing this. It makes sense: the ability to spin up unlimited
low/no cost computing power at the largest elastic computing provider in
the world is bound to attract folks who have malicious intent. Centralizing
computing power to a small number of big providers is a risky proposition.
The question I have is: what can be done about it?
-Anthony
On Tue, Mar 5, 2019 at 9:38 AM MAYER Hans <Hans.Mayer at iiasa.ac.at> wrote:
>
> Dear All,
>
> With the experience of these scans during the last months, I was interested
> in knowing more about the intentions of these hackers. Therefore I created a
> subdomain, also with reverse lookup, for an IP range which is not used. As
> these lookups for my in-addr.arpa. range are still ongoing, it was not
> surprising that after a short time the dots in the geo-map were spread over
> the world. Looking up names in this subdomain is only possible if someone
> did a reverse lookup before. Assuming that the source IP addresses (or
> domains) used for name lookups are identical to those used for reverse
> lookups is completely wrong. This is a list of all IP addresses which did a
> lookup for these honeypot names during the last 5 days:
>
> So 7 of the total 64 IP addresses are not coming from amazonaws.com.
>
> Kind regards
>
> Hans
>
> --
>
> Ing. Dipl.-Ing. Hans Mayer
> Systems Administrator
> Information and Communication Technologies (ICT)
>
> International Institute for Applied Systems Analysis (IIASA)
> Schlossplatz 1
> A-2361 Laxenburg, Austria
> Phone: +43 2236 807 Ext 215
> Mobile: +43 676 83 807 215
> Web: http://www.iiasa.at
> E-Mail: mayer at iiasa.ac.at
>
> Note: If there is a disclaimer or other legal boilerplate in the above
> message, it is NULL AND VOID. You may ignore it.
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>
--
DNSimple.com
http://dnsimple.com/
Twitter: @dnsimple
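As an added example (not code from the original post, from IIASA or from DNSimple), here is the detection side of the honeypot Hans describes: parse a BIND-style query log for lookups of names under the canary subdomain, then bucket the querying IPs by their reverse-lookup result, the same split as his "7 of 64 are not from amazonaws.com" count. The zone name, log lines and PTR answers are constructed placeholders, and the PTR map stands in for a live reverse lookup so the script runs offline.

```python
"""Spot forward lookups of DNS-honeypot (canary) names in a resolver query log.
Canary names are only exposed via PTR records of an unused IP range, so a forward
query for one means the client walked the reverse zone first. All data is constructed."""
import re
from collections import Counter

CANARY_ZONE = "canary.example.net."   # hypothetical honeypot subdomain

# Constructed BIND9-style query log lines; the www query is a control.
SAMPLE_LOG = """\
client 192.0.2.10#40000 (host-5.canary.example.net): query: host-5.canary.example.net IN A -E(0) (203.0.113.1)
client 192.0.2.11#40001 (www.example.net): query: www.example.net IN A -E(0) (203.0.113.1)
client 198.51.100.7#5353 (host-9.canary.example.net): query: host-9.canary.example.net IN AAAA -E(0) (203.0.113.1)
client 192.0.2.10#40002 (host-6.canary.example.net): query: host-6.canary.example.net IN A -E(0) (203.0.113.1)
client 2001:db8::123#5300 (host-1.canary.example.net): query: host-1.canary.example.net IN A -E(0) (203.0.113.1)
"""

# Constructed PTR answers (offline stand-in for a reverse lookup); no key = no PTR.
PTR_MAP = {
    "192.0.2.10": "ec2-192-0-2-10.compute-1.amazonaws.com.",
    "198.51.100.7": "server.example-hosting.test.",
}

LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \S+ query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def canary_hits(log_text, zone=CANARY_ZONE):
    """Map each client IP to the canary names it asked for; other names ignored."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue
        qname = m.group("qname").rstrip(".") + "."      # canonical FQDN form
        if qname.endswith("." + zone):
            hits.setdefault(m.group("ip"), []).append(qname)
    return hits

def classify_sources(hits, ptr_map, provider_suffix="amazonaws.com."):
    """Count querying IPs by whether their PTR name is under provider_suffix."""
    counts = Counter()
    for ip in hits:
        ptr = ptr_map.get(ip)
        if ptr is None:
            counts["no PTR"] += 1
        elif ptr.endswith("." + provider_suffix):
            counts[provider_suffix] += 1
        else:
            counts["other"] += 1
    return counts
```

Feeding a real query log and replacing PTR_MAP with live reverse lookups gives the per-provider breakdown directly; the IPv6 client shows why the matching must not assume dotted-quad addresses.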
------------------------------
End of dns-operations Digest, Vol 158, Issue 5
**********************************************