question

StevePlatti-3761 asked ·

Excessive Scanning

We are getting excessive scanning to our VMs coming from a couple of foreign IP addresses. These are getting blocked successfully by our NSG, but is there a way to have Azure block this upstream so it does not even get to our NSG?


I use RiskIQ and these have been reported as malicious. One of them is class C 89.248.165.0, which claims to be The Recyber Project. See the ARIN lookup info below.

Thank You
Steve


arin: 89.248.165.203

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf


% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.


% Information related to '89.248.165.0 - 89.248.165.255'


% Abuse contact for '89.248.165.0 - 89.248.165.255' is 'abuse@recyber.net'


inetnum: 89.248.165.0 - 89.248.165.255
netname: NET-2-165
descr: RECYBER PROJECT NETBLOCK
remarks: +-----------------------------------------------
remarks: | This net-block is not trying to hack you, we are only scanning
remarks: | for LEGIT purposes ONLY. This scanning is done by multiple
remarks: | security organizations.
remarks: | Please use https://www.recyber.net/opt-out
remarks: | to have your ip-address and/or netblock/as number white-listed
remarks: | and excluded from this project.
remarks: | If you have any further questions please contact admin@recyber.net
remarks: +-----------------------------------------------
country: NL
geoloc: 52.370216 4.895168
org: ORG-IVI1-RIPE
admin-c: RR13369-RIPE
abuse-c: RR13369-RIPE
tech-c: RR13369-RIPE
status: ASSIGNED PA
mnt-by: IPV
mnt-lower: IPV
mnt-routes: IPV
created: 2019-02-03T20:52:14Z
last-modified: 2021-01-27T15:23:15Z
source: RIPE


organisation: ORG-IVI1-RIPE
org-name: IP Volume inc
org-type: OTHER
address: Suite 9
address: Victoria, Mahe
address: Seychelles
abuse-c: IVNO1-RIPE
mnt-ref: IPV
mnt-by: IPV
created: 2018-05-14T11:46:50Z
last-modified: 2019-01-31T14:39:36Z
source: RIPE # Filtered


role: RECYBER ROLE
address: 35 Firs Avenue, London, England, N11 3NE
abuse-mailbox: abuse@recyber.net
nic-hdl: RR13369-RIPE
mnt-by: IPV
created: 2021-01-27T15:12:59Z
last-modified: 2021-01-27T15:12:59Z
source: RIPE # Filtered


% Information related to '89.248.165.0/24AS202425'


route: 89.248.165.0/24
origin: AS202425
remarks: +-----------------------------------------------
remarks: | For abuse e-mail abuse@ipvolume.net
remarks: | We do not always reply to abuse.
remarks: | But we do take care your report is dealt with!
remarks: +-----------------------------------------------
mnt-by: IPV
created: 2019-02-08T15:42:07Z
last-modified: 2019-02-08T15:42:07Z
source: RIPE


% This query was served by the RIPE Database Query Service version 1.101 (BLAARKOP)

azure-virtual-network

1 Answer

ChaitanyaNaykodiMSFT-9638 answered ·

Hello @StevePlatti-3761, thank you for reaching out and apologies for the delayed response.
I think creating an Azure Firewall will be beneficial in this scenario. As Azure Firewall uses threat intelligence-based filtering, you can protect your virtual network by denying traffic from/to known malicious IP addresses and domains. It might also help if you can go through this Network Security baseline documentation and determine if additional security measures are required or missing.
If you need any advanced features like TLS inspection, IDPS, URL filtering and Web categories, you can go through Azure Firewall Premium Preview. It is currently not recommended for production environments, but it is currently estimated to go GA by next month.

Please let me know if there are any concerns. Thank you!


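The answer above recommends Azure Firewall with threat intelligence-based filtering. As an added example (not part of the answer, and not a Microsoft sample), this Bicep fragment deploys an Azure Firewall Standard instance with `threatIntelMode` set to `Deny` instead of the default `Alert`, which only logs matches. All resource names, the hub VNet, and the allow-listed scanner address are assumed placeholders; the VNet is expected to already contain a subnet named `AzureFirewallSubnet`.

```bicep
// Added example: Azure Firewall Standard with threat-intelligence filtering in Deny mode.
// Every name below is an assumed placeholder, not a value from the original thread.
param firewallName string = 'fw-hub-example'
param vnetName string = 'vnet-hub-example'          // existing hub VNet with an AzureFirewallSubnet
param firewallPipName string = 'pip-fw-hub-example'
param location string = resourceGroup().location

// Scanners you run yourself and do not want dropped by the Microsoft feed.
// 203.0.113.10 is a constructed documentation address, not a real scanner.
param authorizedScannerIps array = [
  '203.0.113.10'
]

resource vnet 'Microsoft.Network/virtualNetworks@2020-11-01' existing = {
  name: vnetName
}

// Azure Firewall requires a Standard-SKU, static public IP.
resource fwPip 'Microsoft.Network/publicIPAddresses@2020-11-01' = {
  name: firewallPipName
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource firewall 'Microsoft.Network/azureFirewalls@2020-11-01' = {
  name: firewallName
  location: location
  properties: {
    sku: {
      name: 'AZFW_VNet'
      tier: 'Standard'
    }
    // 'Alert' (the default) only logs hits against the threat-intel feed;
    // 'Deny' drops traffic to and from listed addresses and domains.
    threatIntelMode: 'Deny'
    // Exceptions for sources you have verified and want to keep reachable.
    threatIntelWhitelist: {
      ipAddresses: authorizedScannerIps
      fqdns: []
    }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'AzureFirewallSubnet')
          }
          publicIPAddress: {
            id: fwPip.id
          }
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file firewall.bicep`. Two points matter for the original question: the firewall only filters traffic that actually passes through it, so VMs that keep their own public IPs are still reached directly and the NSG remains the first line of defence; to move the block "upstream", inbound traffic has to arrive on the firewall's public IP (DNAT rules) and spoke subnets need a route table sending outbound traffic to the firewall's private IP. Also enable the firewall's diagnostic settings so threat-intel denials are logged and can be reviewed, otherwise you have no way to confirm which scanner sources the feed actually covered.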

@ChaitanyaNaykodi-MSFT Thank you

I was researching DDoS Standard and even activated it on a VNet. I then configured a VM's public IP to send DDoSProtectionNotifications, DDoSMitigationFlowLogs and DDoSMitigationReports to a Sentinel workspace. I ran multiple scans all day today and the tables still do not exist in the workspace, and nothing was blocked, so I am not sure. How do you compare using DDoS to the firewall? Can the firewall protect multiple VNets?

Steve


Hello @StevePlatti-3761, Azure DDOS Protection Standard, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. Currently the Azure DDOS service does not allow you to manually block specific IP addresses. As the Azure Firewall and Azure DDOS services provide protection against different threats, you can go through this documentation to understand some differences and use cases.
Regarding the DDOS reports not showing up in Azure Sentinel, you can try to simulate a DDOS attack and see if the reports are getting populated then.
You can protect multiple VNets via Azure Firewall, and it is usually deployed in a hub-and-spoke model. Please let me know if there are any additional concerns; I will be glad to continue with our discussion.



@ChaitanyaNaykodi-MSFT again thank you for your help and thoroughness.

I did do what you suggested earlier and used BreakingPoint Cloud to simulate an attack, and DDOS Standard worked as expected. I also imported the workbook, which is powerful. Now I have to weigh out the options.


@StevePlatti-3761, Thank you for your quick response! Glad I could help!


@ChaitanyaNaykodi-MSFT

We are using an application gateway v2. Are there other approaches to rate limiting? Can we do it on the VNet? I see Front Door is an option, but what else?

Thanks again for all your help
Steve


Hello @StevePlatti-3761, you can explore the option of using Azure API Management for rate limiting. The service offers VNET integration for the Premium (recommended for Prod environments) and Developer tiers. This is the list of features APIM offers natively. You can also go through this pricing page.
Please let me know if there are any concerns. Thank you!





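The comment above points at Azure API Management for rate limiting without showing what the limit looks like. As an added example (not part of the thread, and not a Microsoft sample), this Bicep fragment attaches an inbound policy to an existing API that caps each source IP at a fixed number of calls per renewal period using APIM's `rate-limit-by-key` policy. The APIM instance name, API name and the numeric limits are assumed placeholders.

```bicep
// Added example: per-source-IP rate limit applied as an API Management inbound policy.
// Instance name, API name and limits are assumed placeholders, not values from the thread.
param apimName string = 'apim-example'   // existing APIM instance (Premium or Developer for VNet integration)
param apiName string = 'orders-api'      // existing API inside that instance

resource apim 'Microsoft.ApiManagement/service@2021-08-01' existing = {
  name: apimName
}

resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' existing = {
  parent: apim
  name: apiName
}

// The policy document is raw XML; a client that exceeds the limit receives HTTP 429
// until the renewal period (in seconds) has elapsed. The numbers are illustrative.
resource rateLimitPolicy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = {
  parent: api
  name: 'policy'
  properties: {
    format: 'rawxml'
    value: '''
<policies>
  <inbound>
    <base />
    <rate-limit-by-key calls="100" renewal-period="60"
                       counter-key="@(context.Request.IpAddress)" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
'''
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file apim-ratelimit.bicep`. One check worth doing before relying on this: when APIM sits behind Application Gateway v2, as in the asker's setup, `context.Request.IpAddress` is the gateway's address rather than the client's, so every client shares one counter. In that layout the counter key should be derived from the first address in the `X-Forwarded-For` header that the gateway adds, and only trusted if the APIM instance is reachable solely through the gateway, since any client that can reach APIM directly could otherwise set that header itself.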

@ChaitanyaNaykodi-MSFT

Thanks for getting back so fast and helping with all our options. Do you know what kind of rate limiting DDoS Basic has? I can't seem to find any documentation on this.

Steve
