A weekly Syspeace email bruteforce attack report from last week

Here is an example of a real brute force attack report, emailed weekly, to show what is actually going on all the time against your Windows servers. It is a live report from a live server, generated last night.

Report for week 2013-04-29 – 2013-05-05

--- All Week ---

IP address      Times  Host name and country
--------------- -----  -------------------------------
0.0.0.0             2  ; N/A (--)
1.214.42.122        7  ; Korea, Republic of (KR)
1.232.173.135       2  ; Korea, Republic of (KR)
42.96.192.129       4  ; China (CN)
42.96.196.30        1  ; China (CN)
42.96.197.111       1  ; China (CN)
42.96.198.177       5  ; China (CN)
42.96.199.55        1  ; China (CN)
42.120.18.88        8  ; China (CN)
49.122.23.159       1  ; China (CN)
61.129.79.156       1  ; China (CN)
61.156.31.52        1  ; China (CN)
61.249.236.155      8  ; Korea, Republic of (KR)
69.26.6.109         1  69.26.6.109.westriv.com; United States (US)
78.109.162.101      5  78.109.162.101.srvlist.ukfast.net; United Kingdom (GB)
79.29.159.85        3  host85-159-static.29-79-b.business.telecomitalia.it; Italy (IT)
79.142.244.242      2  ; Sweden (SE)
80.249.133.228      4  ; Russian Federation (RU)
81.137.240.125      1  host81-137-240-125.in-addr.btopenworld.com; United Kingdom (GB)
82.117.209.179      2  ; Serbia (RS)
83.17.7.34          1  akd34.internetdsl.tpnet.pl; Poland (PL)
93.58.120.188       1  93-58-120-188.ip158.fastwebnet.it; Italy (IT)
108.58.246.27       4  ; United States (US)
109.230.223.1       1  mx1.caxetion.com; Germany (DE)
111.75.254.213      1  ; China (CN)
112.220.236.226     7  ; Korea, Republic of (KR)
113.233.86.109      1  ; China (CN)
114.66.217.19       1  ; China (CN)
115.137.121.165     2  ; Korea, Republic of (KR)
118.219.232.216     1  ; Korea, Republic of (KR)
119.206.205.235     5  ; Korea, Republic of (KR)
120.146.130.34      1  cpe-120-146-130-34.static.nsw.bigpond.net.au; Australia (AU)
121.169.81.138      3  ; Korea, Republic of (KR)
121.177.150.13      2  ; Korea, Republic of (KR)
121.177.150.16      3  ; Korea, Republic of (KR)
124.115.26.152      5  ; China (CN)
125.27.52.127       7  node-adb.pool-125-27.dynamic.totbb.net; Thailand (TH)
125.27.55.217       1  node-b15.pool-125-27.dynamic.totbb.net; Thailand (TH)
125.129.38.9        5  ; Korea, Republic of (KR)
153.0.160.97        5  ; China (CN)
164.177.151.65      2  164-177-151-65.static.cloud-ips.co.uk; United Kingdom (GB)
187.45.103.91       1  187-45-103-91.mhnet.com.br; Brazil (BR)
193.95.51.61        3  ; Tunisia (TN)
193.192.37.153      1  vpn153-37-192-193.lds.net.ua; Ukraine (UA)
210.183.26.187     10  ; Korea, Republic of (KR)
211.115.158.2       3  ; Korea, Republic of (KR)
212.248.39.250      3  ; Russian Federation (RU)
218.62.27.125       1  125.27.62.218.adsl-pool.jlccptt.net.cn; China (CN)
218.64.204.14       2  ; China (CN)
218.90.136.14       1  ; China (CN)
219.143.3.88        1  ; China (CN)
220.68.224.45       5  ; Korea, Republic of (KR)
220.189.255.21      4  ; China (CN)

Hourly breakdown (blocks per hour)
00 x5
01
02 x4
03 x5
04 x1
05 x3
06 x4
07 x4
08 x9
09 x4
10 x5
11 x16
12 x8
13 x12
14 x11
15 x8
16 x11
17 x5
18 x11
19 x7
20 x5
21 x10
22 x2
23 x4

Generated 2013-05-06 00:04:14 for machine ****.*****.*** by Syspeace v2.1.0.0

Using Syspeace for a targeted bruteforce attack against a specific username

Today we had an interesting support question.

Someone is trying to brute force a customer's server using the same account name from a large number of different IP addresses, trying only once or twice from each address, which is too few attempts to trigger Syspeace's default rule and block the IP address.

The suggestion we eventually came up with is to create a rule based on the user name and set the allowed attempts to a single failed attempt, so that Syspeace blocks the IP address immediately.

In this scenario one must also keep in mind that a legitimate user will be locked out instantly after one failed try, so there may be good reason to whitelist the IP addresses that this user usually logs in from.

Furthermore, the reason for this specific, targeted attack on one user should be investigated more closely and handed over to the proper authorities for investigation.
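As an added illustration of the problem and the suggested rule (example code written for this page, not part of Syspeace or the original post), the following Python runs a default-style per-IP rule and a per-user rule over constructed failed-logon records; the per-IP threshold of 5, the record layout and the whitelisted office address are assumptions.

```python
"""Added example (not Syspeace code): a per-IP failed-logon threshold misses a
distributed attack on one account; a per-user rule with 1 allowed failure catches it."""
from collections import Counter, defaultdict

# Constructed records in the spirit of Windows event 4625: (timestamp, target user,
# source IP).  Six attacker IPs each try the same account only once or twice.
FAILED_LOGONS = [
    ("2013-05-06 11:02:10", "administrator", "203.0.113.10"),
    ("2013-05-06 11:02:41", "administrator", "203.0.113.11"),
    ("2013-05-06 11:03:05", "administrator", "203.0.113.11"),
    ("2013-05-06 11:03:33", "administrator", "198.51.100.7"),
    ("2013-05-06 11:04:02", "administrator", "198.51.100.8"),
    ("2013-05-06 11:04:40", "administrator", "198.51.100.9"),
    ("2013-05-06 11:05:12", "administrator", "192.0.2.77"),
    ("2013-05-06 11:05:50", "administrator", "192.0.2.77"),
    ("2013-05-06 11:06:30", "administrator", "10.0.0.5"),  # office IP, genuine typo
    ("2013-05-06 11:07:00", "jdoe", "10.0.0.6"),           # unrelated user
]

PER_IP_THRESHOLD = 5  # assumed example value for a default per-IP rule


def blocks_per_ip(events, threshold=PER_IP_THRESHOLD):
    """Default-style rule: block an IP once it alone reaches `threshold` failures."""
    failures = Counter(ip for _, _, ip in events)
    return {ip for ip, n in failures.items() if n >= threshold}


def blocks_per_user(events, user, threshold=1, whitelist=frozenset()):
    """Targeted-account rule: block every IP that fails `threshold` times against
    `user`, except addresses whitelisted as the user's usual logon sources."""
    per_ip = Counter(ip for _, u, ip in events if u.lower() == user.lower())
    return {ip for ip, n in per_ip.items() if n >= threshold and ip not in whitelist}


def attacked_accounts(events, min_distinct_ips=3):
    """Triage helper: accounts failing from many distinct IPs, the pattern that
    points to a distributed attack on one user rather than one noisy host."""
    ips_by_user = defaultdict(set)
    for _, user, ip in events:
        ips_by_user[user.lower()].add(ip)
    return {u: len(s) for u, s in ips_by_user.items() if len(s) >= min_distinct_ips}


if __name__ == "__main__":
    print("per-IP rule blocks:", blocks_per_ip(FAILED_LOGONS))
    print("accounts hit from many IPs:", attacked_accounts(FAILED_LOGONS))
    print("per-user rule blocks:",
          blocks_per_user(FAILED_LOGONS, "administrator", whitelist={"10.0.0.5"}))
```

With the per-IP rule nothing is blocked, because no single address reaches the threshold; the per-user rule blocks all six attacker addresses while the whitelist keeps the office address out of the block list.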