Excessive Scanning

Steve Platti 41 Reputation points
2021-07-12T14:37:23.233+00:00

We are getting excessive scanning to our vms coming from a couple of foreign IP addresses. These are getting blocked successfully by our NSG, but is there a way to have Azure block this upstream so it does not even get to our NSG?

I use RiskIQ and these have been reported as malicious. One of them is class C 89.248.165.0 which claims to be The Recyber Project. See the arin lookup info below

Thank You
Steve

arin:89.248.165.203

arin

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '89.248.165.0 - 89.248.165.255'

% Abuse contact for '89.248.165.0 - 89.248.165.255' is 'abuse@recyber.net'

inetnum: 89.248.165.0 - 89.248.165.255
netname: NET-2-165
descr: RECYBER PROJECT NETBLOCK
remarks: +-----------------------------------------------
remarks: | This net-block is not trying to hack you, we are only scanning
remarks: | for LEGIT purposes ONLY. This scanning is done by multiple
remarks: | security organizations.
remarks: | Please use https://www.recyber.net/opt-out
remarks: | to have your ip-address and/or netblock/as number white-listed
remarks: | and excluded from this project.
remarks: | If you have any further questions please contact admin@recyber.net
remarks: +-----------------------------------------------
country: NL
geoloc: 52.370216 4.895168
org: ORG-IVI1-RIPE
admin-c: RR13369-RIPE
abuse-c: RR13369-RIPE
tech-c: RR13369-RIPE
status: ASSIGNED PA
mnt-by: IPV
mnt-lower: IPV
mnt-routes: IPV
created: 2019-02-03T20:52:14Z
last-modified: 2021-01-27T15:23:15Z
source: RIPE

organisation: ORG-IVI1-RIPE
org-name: IP Volume inc
org-type: OTHER
address: Suite 9
address: Victoria, Mahe
address: Seychelles
abuse-c: IVNO1-RIPE
mnt-ref: IPV
mnt-by: IPV
created: 2018-05-14T11:46:50Z
last-modified: 2019-01-31T14:39:36Z
source: RIPE # Filtered

role: RECYBER ROLE
address: 35 Firs Avenue, London, England, N11 3NE
abuse-mailbox: abuse@recyber.net
nic-hdl: RR13369-RIPE
mnt-by: IPV
created: 2021-01-27T15:12:59Z
last-modified: 2021-01-27T15:12:59Z
source: RIPE # Filtered

% Information related to '89.248.165.0/24AS202425'

route: 89.248.165.0/24
origin: AS202425
remarks: +-----------------------------------------------
remarks: | For abuse e-mail abuse@ipvolume.net
remarks: | We do not always reply to abuse.
remarks: | But we do take care your report is dealt with!
remarks: +-----------------------------------------------
mnt-by: IPV
created: 2019-02-08T15:42:07Z
last-modified: 2019-02-08T15:42:07Z
source: RIPE

% This query was served by the RIPE Database Query Service version 1.101 (BLAARKOP)

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,311 questions
0 comments No comments
{count} votes

Accepted answer
  1. ChaitanyaNaykodi-MSFT 24,666 Reputation points Microsoft Employee
    2021-07-14T19:14:16.037+00:00

    Hello @Steve Platti , Thank you for reaching out and apologies for the delayed response.
    I think creating a Azure Firewall will be beneficial in this scenario. As Azure Firewall uses threat intelligence-based filtering you can protect your virtual network by denying traffic from/to known malicious IP addresses and domains. It might also help if you can go through this Network Security baseline documentation and determine if additional security measures are required or missing.
    If you need any advanced features like TLS inspection, IDPS, URL filtering and Web categories you can go through Azure Firewall Premium Preview. It is currently not recommended for production environment but currently it is estimated to go GA by next month.

    Please let me know if there are any concerns. Thank you!


0 additional answers

Sort by: Most helpful