
GeoIP origins of malicious network activity

By Dale Reagan | April 28, 2013

I have previously written that GeoIP data is not a reliable source for definitive data analysis – it is, however, a reasonable indicator.  The numbers below are from a single server (logged during the past few years) and don’t really provide any surprises.  Some things to keep in mind:

In early 2013 there have been numerous ‘news stories’ about hacking from China. The numbers below are cumulative (based on several years of data). One of the interesting pieces of data (if you dig a bit) is that many US IP locations (GeoIP) turn out to be ‘data centers’ (ISPs with large numbers of servers and significant IT infrastructure) that appear to be ‘hosting’ connections/domains/servers for China-based entities (as well as entities from other countries), from which hacking attacks appear to be launched. The numbers would be higher if I did not use firewall rules (along with mod_security, mod_geoip and milter-greylist) to block access from troublesome IP space.

GeoIP Sources of Ssh Connection Attempts – Top 10 Countries

        *********** Unique # of Countries_CNT:_124 ***********
  1.    1120 | CN
  2.     868 | US
  3.     225 | KR
  4.     181 | DE
  5.     181 | CA
  6.     151 | BR
  7.     136 | IN
  8.     108 | FR
  9.     106 | IT
 10.      99 | GB

GeoIP Sources of Ssh Connection Attempts – Top 10 Cities

        *********** Unique # of Cities_CNT:_1177 ***********
  1.     225 | Beijing
  2.     135 | Seoul
  3.     114 | Guangzhou
  4.      62 | Shanghai
  5.      54 | Taipei
  6.      49 | Hangzhou
  7.      48 | Nanjing
  8.      48 | Dallas
  9.      41 | Paris
 10.      37 | San_Antonio
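The two ranked tables above are the kind of output you get by pulling the source address out of each sshd failure line, mapping it through a GeoIP database and counting. The following script is an added example, not code from the original post: it parses a few constructed sshd log lines, uses a small hypothetical lookup table in place of a real GeoIP database (in practice you would substitute a reader for the MaxMind database or the mod_geoip data), and renders the same "Unique # of ..._CNT" table layout shown above.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not taken from the original post).
SAMPLE_AUTH_LOG = """\
Apr 20 03:11:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 20 03:11:05 host sshd[2101]: Failed password for root from 203.0.113.7 port 51031 ssh2
Apr 20 03:12:40 host sshd[2109]: Invalid user admin from 198.51.100.23
Apr 20 03:12:44 host sshd[2109]: Failed password for invalid user admin from 198.51.100.23 port 40011 ssh2
Apr 20 04:01:17 host sshd[2144]: Failed password for root from 192.0.2.55 port 33020 ssh2
Apr 20 04:30:00 host sshd[2150]: Accepted publickey for dale from 192.0.2.9 port 50000 ssh2
"""

# Hypothetical GeoIP lookup table standing in for a real database; the
# mapping is constructed for this example and is not real geolocation data.
GEOIP_TABLE = {
    "203.0.113.7": ("CN", "Beijing"),
    "198.51.100.23": ("US", "Dallas"),
    "192.0.2.55": ("KR", "Seoul"),
    "192.0.2.9": ("US", "San Antonio"),
}

# Only "Failed password" lines are counted, so one rejected login attempt
# is counted once even though sshd also logs an "Invalid user" line for it.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for .*?from (\d{1,3}(?:\.\d{1,3}){3})"
)


def extract_failed_ips(log_text):
    """Return the source IP of every failed ssh login line, one entry per line."""
    ips = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ips.append(m.group(1))
    return ips


def count_by(ips, lookup, field):
    """Count attempts per country (field 0) or per city (field 1).

    Addresses missing from the GeoIP table are kept under UNKNOWN rather
    than dropped, so the totals still add up to the number of attempts.
    """
    counts = Counter()
    for ip in ips:
        geo = lookup.get(ip)
        counts["UNKNOWN" if geo is None else geo[field]] += 1
    return counts


def format_top(counts, label, top_n=10):
    """Render the ranked table in the same layout as the post's tables."""
    lines = [f"        *********** Unique # of {label}_CNT:_{len(counts)} ***********"]
    for rank, (name, n) in enumerate(counts.most_common(top_n), start=1):
        lines.append(f"{rank:3d}. {n:7d} | {name.replace(' ', '_')}")
    return "\n".join(lines)


def top_countries(log_text=SAMPLE_AUTH_LOG, lookup=GEOIP_TABLE):
    """Ranked (country, attempts) pairs, most frequent first."""
    return count_by(extract_failed_ips(log_text), lookup, 0).most_common()


def top_cities(log_text=SAMPLE_AUTH_LOG, lookup=GEOIP_TABLE):
    """Ranked (city, attempts) pairs, most frequent first."""
    return count_by(extract_failed_ips(log_text), lookup, 1).most_common()


if __name__ == "__main__":
    ips = extract_failed_ips(SAMPLE_AUTH_LOG)
    print(format_top(count_by(ips, GEOIP_TABLE, 0), "Countries"))
    print(format_top(count_by(ips, GEOIP_TABLE, 1), "Cities"))
```

Running it against a real /var/log/auth.log (or the journal on systemd hosts) only requires replacing SAMPLE_AUTH_LOG with the file contents and GEOIP_TABLE with a lookup function backed by a GeoIP database; the counting and table rendering stay the same.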

Fake ‘Bots’ & GeoIP data

A related issue that I started tracking is ‘fake bots’ – web server connections whose User-Agent suggests they are from ‘legitimate bots’, but when you review the IP data (GeoIP or DNS information) you find that the connection is NOT related to the ‘bot domain’ (e.g. Googlebot). The numbers below are from ‘fake’ Google Bots – my data starts in 2010:

      | # Fake | GeoIP Country
------|--------|---------------
    1 |   4145 | BR
    2 |    399 | TR
    3 |    369 | PT
    4 |     95 | ES
    5 |     85 | IT
    6 |     84 | FR
    7 |     68 | UA
    8 |     60 | MX
    9 |     50 | US
   10 |     38 | RU
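The check that separates a real Googlebot from a ‘fake bot’ is forward-confirmed reverse DNS: look up the PTR record for the source IP, require the hostname to end in googlebot.com or google.com (the verification method Google documents), then resolve that hostname forward and require the original IP to be among the answers. The script below is an added example, not code from the original post. To run offline it uses a constructed resolver table in place of live DNS; the SystemResolver class shows how the same logic plugs into the socket module for real lookups. The log lines, IP addresses and PTR names are all constructed for the example.

```python
import re
import socket

# Constructed Apache combined-format access log lines (not from the original post).
# 192.0.2.10 plays the genuine crawler, 203.0.113.45 claims Googlebot from an
# unrelated host, and 198.51.100.77 has a forged-looking PTR that does not
# resolve back to itself.
SAMPLE_ACCESS_LOG = """\
203.0.113.45 - - [20/Apr/2013:10:00:01 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [20/Apr/2013:10:00:05 -0400] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.77 - - [20/Apr/2013:10:00:09 -0400] "GET /feed/ HTTP/1.1" 200 8192 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
198.51.100.9 - - [20/Apr/2013:10:01:00 -0400] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/20.0"
"""

# Constructed DNS data for the offline resolver; none of these records are real.
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",
    "203.0.113.45": "static-203-0-113-45.example-hosting.net",
    "198.51.100.77": "crawl-198-51-100-77.googlebot.com",
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "static-203-0-113-45.example-hosting.net": ["203.0.113.45"],
    # PTR claims googlebot.com, but the forward lookup points elsewhere.
    "crawl-198-51-100-77.googlebot.com": ["192.0.2.200"],
}

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


class TableResolver:
    """Resolver backed by in-memory tables so the example runs without network."""

    def __init__(self, ptr, a):
        self.ptr, self.a = ptr, a

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, host):
        return self.a.get(host, [])


class SystemResolver:
    """Same interface using the operating system's resolver (live DNS)."""

    def reverse(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:  # socket.herror / socket.gaierror both derive from OSError
            return None

    def forward(self, host):
        try:
            return [info[4][0] for info in socket.getaddrinfo(host, None)]
        except OSError:
            return []


def is_verified_googlebot(ip, resolver):
    """Forward-confirmed reverse DNS check for a claimed Googlebot address."""
    host = resolver.reverse(ip)
    if not host:
        return False
    host = host.lower().rstrip(".")
    if not host.endswith(GOOGLE_SUFFIXES):
        return False
    # The hostname must resolve back to the address that connected; a PTR
    # record alone can be set to anything by whoever controls the IP space.
    return ip in resolver.forward(host)


# Client IP is the first field, User-Agent is the final quoted field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')


def find_fake_googlebots(log_text, resolver):
    """Return the client IPs whose User-Agent claims Googlebot but fail FCrDNS."""
    fakes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user_agent = m.groups()
        if "googlebot" in user_agent.lower() and not is_verified_googlebot(ip, resolver):
            fakes.append(ip)
    return fakes


if __name__ == "__main__":
    for ip in find_fake_googlebots(SAMPLE_ACCESS_LOG, TableResolver(FAKE_PTR, FAKE_A)):
        print("fake Googlebot:", ip)
```

The forward step is the part most ad-hoc scripts skip: anyone who controls the reverse zone for their address block can publish a PTR record that reads like a crawler name, so matching the PTR suffix alone still lets a fake through. Cache the results per IP if you feed this a large log, since each unverified address costs two DNS round trips with SystemResolver.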

Fake Google Bots per year:

So, what are these ‘fake bots’ doing?

I’m guessing that ‘fake bots’ are visiting your sites for two primary reasons:

  1. scraping your site (the content is then re-published on bogus, totally automated web sites which are used to generate web traffic and earn revenue – these fake sites can ‘pollute’ the major search engines; if your web site is supported by search engine ads then this, of course, reduces your revenue);
  2. attempting to create SEO traffic from web sites that ‘publish’ their web server logs.

Overall, the scope and sources of malicious, nefarious or ‘bad’ server traffic show no GeoIP limitations – but the data above does suggest ‘hot spots’ for the ‘bad guys’.

So what? I suggest reviewing the GeoIP data for all of your server logs – at this point, the results should NOT be surprising; once you identify/understand the ‘data patterns’ you can create your own automated solution(s) to deal with these types of network/server issues. Your arsenal is unlimited, but a starting point is to use/configure tools like:

And yes, I can (and do) manually ‘block’ bad IP space – but, most of what I do has been automated using standard *NIX tools – I just review the logs/system to make sure it continues to ‘work’.

As always, your mileage will vary… 🙂

Topics: Computer Technology, System and Network Security, Unix-Linux-Os
