MXroute Blocks AS9009

I might add a WHMCS module for whitelisting individual IPs so customers can allow a specific VPN endpoint on demand to override it, with a limit on it.

1 Like

If you need to check which AS your VPN is using: https://ipinfo.app/

If you need to find out a list of IPs that AS9009 is using: ASN Info

2 Likes

Welcome!

Personally, on VPSes and simple boxes, I filter their whole IPv4 and IPv6 ranges and send those packets to a custom chain. If the destination port is suspect, the offending IP gets added to a set with iptables’ recent module so subsequent packets are dropped directly from the get-go in the raw table’s prerouting chain, whilst if dport is not suspect a “polite” rate-limited REJECT is sent before going full DROP.
If the server runs a webserver and this has to be reachable by the ludicrously small percentage of legit users running their VPN software on M247, they’re intercepted in the raw table where they’re not sent to DROP immediately but rather rate-limited (if dport is legit); their packets are then tagged and redirected to a different internal port. The webserver listening on that port never accepts POST, along with some other rules and checks to deter some rather impolite scanners, scrapers and spammers mainly observed from M247’s RO ranges. All this on top of an existing WAF.

On a dedicated server mainly used for corporate mails in a highly sensitive industry, packets from the whole AS9009 (IPv4 & IPv6) on unwarranted ports are dropped at the edges without too much politeness; on legit ports they’re throttled and enjoy a custom postscreen starting with a +2 penalty. To the best of my knowledge no legit mail ever arrived from those ranges and no legit mail has been rejected.

AS202425 is always dropped no matter what and everywhere
it’s even in my ansible

the amount of abuse I’ve witnessed from them is not really comparable

pretty different ballgame

There are some allegedly not bad mail servers in their range, but that’s pretty rare and there’s nothing more than that AFAIK.

Thank you for your app.
I noticed a little bug/feature: the proposed snapshots start from Jan 2019 and when I reach Dec 2019, I’m then offered snapshots from Jan to Dec 2018, 2017, 2016 and so on. Maybe you just want to order snapshots per date, starting always from the most recent? Sorting by date seems to have inverse effects on months and years.

2 Likes

I see it listed by date from oldest to newest. Are you just asking for it to be reversed? It should automatically sort by date.

1 Like

This is what I see in Firefox


It either starts from Jan 2019, and when it reaches Nov 2019 it continues with Jan 2018; or it starts with Dec 2015, and when it reaches Aug 2015… it continues with Dec 2016.
That’s what I meant with “sorting by date seems to have opposite effects on months and years”
Anyway, I’ve tested in a different browser (Chromium) and everything seems fine there.
I’ve also tried to load that page in Firefox using a virgin profile, to no avail. Weird

Thanks for the detailed explanation.

I use ipset-based self-adjusting filtering, and it looks like I will consider blocking AS9009 on our production sites as well. It looks like most of the would-be hackers trying to POST to a variety of non-existing URLs (typical for WordPress etc.) originate from that IP space.

1 Like
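The layered filtering described earlier in the thread (AS prefixes in a set, a custom chain, the recent module feeding an early drop in raw PREROUTING, a rate-limited REJECT before DROP) can be sketched as a rule generator. This is an added example, not any poster's configuration: the names `as_block`, `as_offender` and `AS_FILTER`, the ports, the 24-hour window and the rate limit are assumptions, the sample prefixes are constructed documentation ranges, and only IPv4 is covered.

```shell
#!/bin/sh
# Added example: names, ports and prefixes below are constructed placeholders.
SET=as_block      # hash:net set holding the AS's IPv4 prefixes
LIST=as_offender  # xt_recent list of sources that touched a suspect port
CHAIN=AS_FILTER   # custom chain for traffic sourced from the AS

# gen_ipset: one CIDR per line on stdin -> "ipset restore" input.
# Comments, blanks and anything not shaped like an IPv4 prefix are skipped,
# so a polluted prefix list cannot smuggle extra text into the output.
gen_ipset() {
    echo "create $SET hash:net family inet"
    while IFS= read -r line || [ -n "$line" ]; do
        p=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$p" ] || continue
        printf '%s\n' "$p" | grep -Eq \
            '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || continue
        echo "add $SET $p"
    done
}

# gen_iptables PORTS: comma-separated suspect TCP ports -> iptables-restore
# input. Returns 1 (and prints nothing) if PORTS is not a plain port list.
gen_iptables() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(,[0-9]+)*$' || return 1
    cat <<EOF
*raw
# Sources already listed as offenders are dropped before connection tracking.
-A PREROUTING -m recent --name $LIST --rcheck --seconds 86400 -j DROP
COMMIT
*filter
:$CHAIN - [0:0]
-A INPUT -m set --match-set $SET src -j $CHAIN
# Suspect port: remember the source, drop silently.
-A $CHAIN -p tcp -m multiport --dports $1 -m recent --name $LIST --set -j DROP
# Anything else: a few polite rejects per minute, then plain DROP.
-A $CHAIN -m limit --limit 6/min --limit-burst 3 -j REJECT --reject-with icmp-port-unreachable
-A $CHAIN -j DROP
COMMIT
EOF
}

# Constructed sample run. To apply for real, review the output, then feed the
# first part to "ipset restore" and the second to "iptables-restore --noflush".
printf '192.0.2.0/24\n# a comment\n198.51.100.0/24\nnot-a-prefix\n' | gen_ipset
gen_iptables 23,3389
```

REJECT is emitted in the filter table because that target is not available in raw; only the recent-list check lives in raw PREROUTING.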