Information about misuse of ip.bieringer.de
Issue
For a long time now (approx. over 2 years) ip.bieringer.de has been continuously misused on port 8080 by a Java-based client from various IP addresses:
GET / HTTP/1.1
Host: ip.bieringer.de:8080
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_102)
Accept-Encoding: gzip,deflate
or
GET / HTTP/1.1
Host: 127.0.0.1:[various-ports, mostly in range of 1200...1500]
User-Agent: Java/1.8.0_10
Log entries (after blocking the User-Agent "Java") look like:
103.125.189.140 - - [14/Nov/2020:16:35:35 +0100] "GET / HTTP/1.1" 403 209 "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_102)" 8080 "ip.bieringer.de:8080" "-" 155 375 "-/-/-/-"
1.1.236.51 - - [01/Sep/2021:01:19:03 +0200] "GET / HTTP/1.1" 403 199 "-" "Java/1.8.0_102" 8080 "127.0.0.1:1339" "-" 154 365 "-/-/-/-"
Further Analysis
Probing Attack Sequence
Probing
It looks like the request with the following User-Agent and Host header
Host: ip.bieringer.de:8080
User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_102)
is the controller probe, sent from particular IP addresses.
Attacking
If the probing request is successful, a huge number of requests from IP addresses all over the world starts, carrying the Host header and User-Agent
Host: 127.0.0.1:[various-ports, mostly in range of 1200...1500]
User-Agent: Java/1.8.0_10
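The two request patterns above can be told apart mechanically from the access log. The following classifier is an added example, not part of the original page: it parses lines in the custom log format shown above (client, timestamp, request, status, size, referer, User-Agent, server port, Host header) and labels each request as the "probe" (Apache-HttpClient with a Java build token, Host ip.bieringer.de:8080) or the follow-up "flood" (plain Java/1.8 User-Agent, Host pointing at 127.0.0.1). The first two sample lines are the page's own log entries; the third is a constructed benign browser request.

```python
import re
from collections import Counter

# Constructed sample log text: the first two lines are the entries shown on the page,
# the third is a made-up benign request for contrast.
SAMPLE_LOG = """\
103.125.189.140 - - [14/Nov/2020:16:35:35 +0100] "GET / HTTP/1.1" 403 209 "-" "Apache-HttpClient/4.5.3 (Java/1.8.0_102)" 8080 "ip.bieringer.de:8080" "-" 155 375 "-/-/-/-"
1.1.236.51 - - [01/Sep/2021:01:19:03 +0200] "GET / HTTP/1.1" 403 199 "-" "Java/1.8.0_102" 8080 "127.0.0.1:1339" "-" 154 365 "-/-/-/-"
198.51.100.7 - - [02/Sep/2021:10:00:00 +0200] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/91.0" 8080 "ip.bieringer.de:8080" "-" 400 1600 "-/-/-/-"
"""

# Custom access-log layout seen on the page: after the usual combined-log fields
# come the server port and the Host header (the trailing byte counters are ignored).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<port>\d+) "(?P<host>[^"]*)"'
)


def parse_line(line):
    """Parse one access-log line into a dict of named fields, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Label a parsed request as 'probe', 'flood' or 'other'.

    probe: Apache-HttpClient with a (Java/...) token and Host ip.bieringer.de:8080
    flood: bare Java/... User-Agent whose Host header points at 127.0.0.1:<port>
    """
    ua, host = rec["ua"], rec["host"]
    if ua.startswith("Apache-HttpClient/") and "(Java/" in ua and host == "ip.bieringer.de:8080":
        return "probe"
    if ua.startswith("Java/") and host.startswith("127.0.0.1:"):
        # The page reports the port mostly in the range 1200...1500; any loopback Host
        # header on a public-facing vhost is suspicious, so the port is not checked here.
        return "flood"
    return "other"


def summarize(log_text):
    """Count the classes in a block of log text and collect the source IPs per class."""
    counts = Counter()
    sources = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        counts[label] += 1
        sources.setdefault(label, set()).add(rec["client"])
    return counts, sources


if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG)
    for label in ("probe", "flood", "other"):
        print(f"{label:6s} {counts[label]:3d}  {sorted(sources.get(label, ()))}")
```

Feeding a real log through summarize() gives the per-class source sets that are useful for the geo-based blocking described further below; the probe sources are the ones worth watching, since the flood only starts once a probe succeeds.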
Client Analysis
Client OS indicators
After blocking several IPv4 ranges of some countries, it turned out that the clients suddenly started using 6to4 IPv6 addresses like
2002:67cf:26c5::67cf:26c5
This 6to4 address is an indication that the client operating system is Microsoft Windows, because Windows also stores the encoded IPv4 address in the Interface-ID part of the address.
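A 6to4 address (2002::/16) carries the client's public IPv4 address in bits 16..47, so an IPv4 block list can be re-applied to 6to4 clients by decoding that field. The following decoder is an added example, not part of the original page: it extracts the embedded IPv4 address, reports whether the low 32 bits of the Interface-ID repeat it (the 2002:WWXX:YYZZ::WWXX:YYZZ form the page attributes to Windows), and checks the embedded address against a list of blocked IPv4 networks. The block list used in the test is constructed for illustration, not the networks actually blocked on ip.bieringer.de.

```python
from ipaddress import AddressValueError, IPv4Address, IPv6Address, ip_network

SIXTO4_PREFIX = 0x2002  # 2002::/16 is the 6to4 range (RFC 3056)


def decode_6to4(addr):
    """Decode a 6to4 address.

    Returns None if the address is not valid IPv6 or not in 2002::/16, otherwise a dict:
      ipv4          the IPv4 address encoded in bits 16..47 of the prefix
      sla_id        the 16-bit subnet field (bits 48..63)
      iid_ipv4      the low 32 bits of the Interface-ID read as an IPv4 address
      windows_style True if SLA and upper Interface-ID are zero and iid_ipv4 == ipv4,
                    i.e. the 2002:WWXX:YYZZ::WWXX:YYZZ form described on the page
    """
    try:
        n = int(IPv6Address(addr))
    except AddressValueError:
        return None
    if (n >> 112) != SIXTO4_PREFIX:
        return None
    prefix_v4 = IPv4Address((n >> 80) & 0xFFFFFFFF)
    sla_id = (n >> 64) & 0xFFFF
    iid_high = (n >> 32) & 0xFFFFFFFF
    iid_low_v4 = IPv4Address(n & 0xFFFFFFFF)
    return {
        "ipv4": str(prefix_v4),
        "sla_id": sla_id,
        "iid_ipv4": str(iid_low_v4),
        "windows_style": sla_id == 0 and iid_high == 0 and iid_low_v4 == prefix_v4,
    }


def is_windows_style_6to4(addr):
    """Convenience wrapper: True only for 2002:WWXX:YYZZ::WWXX:YYZZ addresses."""
    info = decode_6to4(addr)
    return bool(info and info["windows_style"])


def embedded_ipv4_is_blocked(addr, blocked_networks):
    """True if addr is a 6to4 address whose embedded IPv4 falls into one of the
    given IPv4 networks (CIDR strings). Lets an IPv4 block list cover 6to4 clients."""
    info = decode_6to4(addr)
    if info is None:
        return False
    v4 = IPv4Address(info["ipv4"])
    return any(v4 in ip_network(net) for net in blocked_networks)


if __name__ == "__main__":
    sample = "2002:67cf:26c5::67cf:26c5"  # the address quoted on the page
    print(sample, "->", decode_6to4(sample))
```

For the page's example address the decoder yields 103.207.38.197 from the prefix, the same value again in the Interface-ID, and windows_style True. A non-Windows 6to4 host (or a 6to4 relay) would normally carry a different Interface-ID, so the flag is an indicator, not proof.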
Client connection indicators
- After IPv4 was blocked for some networks, the clients started using IPv6 (6to4)
- After 6to4 IPv6 was also blocked, they started using the Cloudflare WARP service (IPv4 addresses out of 8.0.0.0/8)
Mitigations
Several workarounds did not stop the misuse:
- responding with "HTTP 403" for a long time (blocked by detected User-Agent)
- closing down port 8080 for quite a while
- permanently closing down port 8080 for various sources
The following steps reduced the misuse a lot:
- returning 'NXDOMAIN' instead of the real IP address to DNS servers with the following country codes: VN RU CN
- using a special "fail2ban" configuration that blocks port 8080 unconditionally for some time - but this blocks valid requests as well
Workaround
In case of any issues with blocked DNS resolution, replace in your browser: ip.bieringer.de -> ip.bieringer.net
Note
If I detect that somebody changes the FQDN to "ip.bieringer.net" then I will get really angry and close down the service!
Request of help
If anyone has any hint about the root cause, please contact me - thank you very much!
I'm also able to hand out related log entries for further statistics or drill-down!
2021-10-21, webmaster at bieringer dot de
www.bieringer.de is maintained by webmaster at bieringer dot de