Information about misusage of ip.bieringer.de

Issue

Since longer time (approx. over 2 years now) ip.bieringer.de is misused on port 8080 in a continous way by a Java software from various IP addresses:

GET / HTTP/1.1
Host: ip.bieringer.de:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_102)
Accept-Encoding: gzip,deflate

GET / HTTP/1.1
Host: 127.0.0.1:[various-ports, mostly in range of 1200...1500]
User-Agent: Java/1.8.0_10

Log entries (after blocking User-Agent "Java") like

103.125.189.140 - - [14/Nov/2020:16:35:35 +0100] "GET / HTTP/1.1" 403 209 "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_102)" 8080 "ip.bieringer.de:8080" "-" 155 375 "-/-/-/-"
1.1.236.51 - - [01/Sep/2021:01:19:03 +0200] "GET / HTTP/1.1" 403 199 "-" "Java/1.8.0_102" 8080 "127.0.0.1:1339" "-" 154 365 "-/-/-/-"

Further Analysis

Probing Attack Sequence

Probing

It looks like that the request with User-Agent and Host-Header

Host: ip.bieringer.de:8080
User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_102)

is somehow the controller probe from particular IP addresses

Attacking

If probing request is successful, huge amount of requests from IP addresses all over the world will start with User-Agent and Host-Header

User-Agent: Java/1.8.0_10
Host: 127.0.0.1:[various-ports, mostly in range of 1200...1500]
User-Agent: Java/1.8.0_10

Client Analysis

Client OS indicators

After blocking several IPv4 ranges of some countries it turns out that clients suddenly start using 6to4 IPv6 addresses like

2002:67cf:26c5::67cf:26c5

This 6to4 address is an indication, that the client operating system is Microsoft Windows, because this stores the encoded IPv4 address also into Interface-ID.

Client connection indicators

After IPv4 was blocked for some networks it started using IPv6 (6to4)
After also IPv6 6to4 was blocked it started using Cloudflare WARP service (IPv4 addresses out of 8.0.0.0/8)

Mitigations

Several workarounds did not stop that misusage like:

respond since long time "HTTP 403" (blocked by detected user agent)
close down port 8080 for quite a while
permanent close down port 8080 for various sources

Following step reduced the misusage a lot

return to DNS servers with following country codes 'NXDOMAIN' instead of the real IP address: VN RU CN
using special "fail2ban" configuration and block (unconditionally) port 8080 for some time - but this blocks also valid requests

Workaround

In case of any issues with blocked DNS resolution replace in your browser: ip.bieringer.de -> ip.bieringer.net

Note

If I detected that one change the FQDN to "ip.bieringer.net" then I will get really angry and close down the service!

Request of help

If one has any hint about the root cause, please contact me - thank you very much!
I'm also able to handout related log entries for further statistics or drill-down!

2021-10-21, webmaster at bieringer dot de

Your connection is via: IPv4
Your address: 54.198.139.112

www.bieringer.de
is maintained by
webmaster at bieringer dot de
(Impressum)