[GLLUG] Getting hammered with connections to port 80
Tim Woodall
t at woodall.me.uk
Sat Sep 29 10:31:13 UTC 2018
Does anyone know what these guys are trying to do?
These are the connections to my webserver (port 80) in the last five
hours. Almost all of them did not actually make a get request.
I did discover a couple of issues with my firewall while investigating
this:
1 - the source I was using for country of origin wasn't reliable -
the 139.99 addresses are Singapore and I'm supposed to be blocking
everything from sg. I've now switched to a different resource for that
data. https://download.ip2location.com/lite/
2 - incoming connections are supposed to be rate-limited to 5 per second
but I'd managed to disable that for ipv4 (but I don't think these are
coming in at 5 per second anyway, looks like 2-3 per second).
They don't seem to be completing the connection. The webserver isn't
getting a request. I only log the initial SYN packet so I haven't yet
checked if there's the full TCP handshake.
(I've seen 44 resources requested in the apache logs - and that includes
https requests!)
Entire countries that are blocked don't get reported in my logs, so
these are the rest (not sg, cn, ru, cl - but based on my old blocklist)
Tim.
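One way to do the check Tim says he has not yet done (whether the SYN sources ever go on to make a request), as an added example that is not from the original post: it correlates firewall SYN log lines, assumed here to be in iptables LOG format, with Apache access log entries and lists sources that sent SYNs to port 80 but never appear in the web server log. The sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed firewall log lines in iptables LOG format (an assumption; the
# post does not say which firewall is in use). Only the initial SYN is logged.
FIREWALL_LOG = """\
Sep 29 05:31:02 gw kernel: IN=eth0 OUT= SRC=139.99.118.122 DST=10.0.0.5 PROTO=TCP SPT=41022 DPT=80 SYN
Sep 29 05:31:02 gw kernel: IN=eth0 OUT= SRC=139.99.118.122 DST=10.0.0.5 PROTO=TCP SPT=41023 DPT=80 SYN
Sep 29 05:31:03 gw kernel: IN=eth0 OUT= SRC=45.195.133.8 DST=10.0.0.5 PROTO=TCP SPT=50110 DPT=80 SYN
Sep 29 05:31:05 gw kernel: IN=eth0 OUT= SRC=81.187.30.21 DST=10.0.0.5 PROTO=TCP SPT=60001 DPT=80 SYN
Sep 29 05:31:06 gw kernel: IN=eth0 OUT= SRC=139.99.118.122 DST=10.0.0.5 PROTO=TCP SPT=41024 DPT=443 SYN
"""

# Constructed Apache access log (combined format) for the same window.
ACCESS_LOG = """\
81.187.30.21 - - [29/Sep/2018:05:31:05 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

SYN_RE = re.compile(r"SRC=(\S+) .*DPT=(\d+) .*SYN")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "')

def syn_counts(firewall_log, port=80):
    """Count logged SYNs per source address to the given destination port."""
    counts = Counter()
    for line in firewall_log.splitlines():
        m = SYN_RE.search(line)
        if m and int(m.group(2)) == port:
            counts[m.group(1)] += 1
    return counts

def requesting_hosts(access_log):
    """Client addresses that actually issued an HTTP request."""
    return {m.group(1) for m in map(ACCESS_RE.match, access_log.splitlines()) if m}

def silent_sources(firewall_log, access_log, port=80, min_syns=2):
    """Sources with at least min_syns SYNs to the port but no request in the
    web server log: half-open connections or SYN probes rather than clients."""
    talkers = requesting_hosts(access_log)
    return {ip: n for ip, n in syn_counts(firewall_log, port).items()
            if n >= min_syns and ip not in talkers}

if __name__ == "__main__":
    # Same layout as the per-IP counts in the post: count, then address.
    for ip, n in sorted(silent_sources(FIREWALL_LOG, ACCESS_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d} {ip}")
```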