FYI Microsoft Attack this evening

[Dixie McCall]

I'm getting some sort of Microsoft DDOS? issue this morning. You might want to check out this on your end. Getting about 200 at a time

Decimal: 883785799

Hostname: 52.173.128.71

ASN: 8075

ISP: Microsoft Corporation

Organization: Microsoft Azure

Services: None detected

Type: Corporate

Assignment: Likely Static IP

Continent: North America

Country: United States

State/Region: Iowa

City: Des Moines

 

[Dixie McCall]

52.173.
40.83.
52.165.
13.89.
40.86.
13.89.
13.67.
40.83.
52.176.
104.208.
168.61.

 

[Forsaken]

Looks like someone is using Azure to attack you/test something; you can just block all Microsoft IP.

I would also recommend reporting abuse, as Microsoft is fairly quick to deal with it compared to Amazon or Digital Ocean:

Comment: To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
Comment: * https://cert.microsoft.com.
Comment: For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
Comment: * abuse@microsoft.com.
Comment: To report security vulnerabilities in Microsoft products and services, please contact:
Comment: * secure@microsoft.com.
Comment: For legal and law enforcement-related requests, please contact:
Comment: * msndcc@microsoft.com
Comment: For routing, peering or DNS issues, please
Comment: contact:
Comment: * IOC@microsoft.com

 

[Dixie McCall]

So about 10 minutes after sending a report to MS, it stopped. Not sure why.

 

[wedgar]

So about 10 minutes after sending a report to MS, it stopped. Not sure why.

Bill Gates got bored and had nothing better to do? ;-)

 

[Dad.]

Bill Gates got bored and had nothing better to do? ;-)

Woulda loled if it was Bill Gates as your avatar

 

[alexm]

I had this 2 weeks ago or so... it was 'almost' as if it was doing a search engine cough 'Baidu' troll through the entire site from a USA IP.

 

[Muddy Boots]

I have had 3 days of brute force attacks on a mail server on all IMAP Ports, one attack at least every 60 seconds or less, ALL IPs different and all from different countries, so probably VPNs. It finished at 2pm UK time this afternoon. I did tweak CSF down to block any failed authentication after 1 attempt.

 

[alexm]

I had this 2 weeks ago or so... it was 'almost' as if it was doing a search engine cough 'Baidu' troll through the entire site from a USA IP.

I should say, it was the same Azure IPs as the OP.

 

[Muddy Boots]

IP's (some of them) small selection

84.197.9.13,201.172.191.248,190.140.153.156,93.108.3.37,188.175.229.237,31.209.59.184,116.49.57.83,71.198.86.119,116.90.238.192,40.68.103.10,179.60.215.228

 

[Dixie McCall]

MS azure is back with a whole new set of IPs. Caught it early.

 

[alexm]

I'm getting some sort of Microsoft DDOS? issue this morning. You might want to check out this on your end. Getting about 200 at a time

Decimal: 883785799

Hostname: 52.173.128.71

ASN: 8075

ISP: Microsoft Corporation

Organization: Microsoft Azure

Services: None detected

Type: Corporate

Assignment: Likely Static IP

Continent: North America

Country: United States

State/Region: Iowa

City: Des Moines

It’s happening again, most of the same IPs as before. Luckily it’s just an irritation in terms of connection speed currently, but even so, you don’t expect it from a Microsoft data centre.

 

[Mr. Jinx]

I'm seeing exactly the same on my server.
First I thought this was an aggressive crawler, but all these IP's just request the forum index.
Right now, 800+ visitors all coming from Microsoft IP's.

No problems though... no slow downs or whatever.

 

[alexm]

These are the IPs I've seen from earlier in the year and today:

104.43.0.0/16 # Microsoft Des Moines DDOS - do not delete
104.47.0.0/16 # Microsoft Des Moines DDOS - do not delete
104.208.0.0/16 # Microsoft Des Moines DDOS - do not delete
52.176.0.0/16 # Microsoft Des Moines DDOS - do not delete
52.173.0.0/16 # Microsoft Des Moines DDOS - do not delete
52.165.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.122.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.113.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.122.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.86.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.83.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.78.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.77.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.69.0.0/16 # Microsoft Des Moines DDOS - do not delete
23.101.0.0/16 # Microsoft Des Moines DDOS - do not delete
23.99.0.0/16 # Microsoft Des Moines DDOS - do not delete
20.241.0.0/16 # Microsoft Washington DDOS - do not delete
20.169.0.0/16 # Microsoft Washington DDOS - do not delete
20.29.0.0/16 # Microsoft Des Moines DDOS - do not delete
13.89.0.0/16 # Microsoft Des Moines DDOS - do not delete
13.86.0.0/16 # Microsoft Des Moines DDOS - do not delete
13.67.0.0/16 # Microsoft Des Moines DDOS - do not delete

 

[javilonas]

I'm seeing the same problem, they all come from Microsoft

 

[CedricV]

I had to fight two DDoS earlier past week. Not getting any issues anymore after setting up firewalls on cloudflare.

 

[webbouk]

We've got the same at the moment

 

[javilonas]

We've got the same at the moment

View attachment 279935

I have managed to stop it by adding the following rules to the CSF firewall:

104.47.0.0/16 # Microsoft
104.208.0.0/16 # Microsoft
104.43.0.0/16 # Microsoft
168.61.0.0/16 # Microsoft
52.176.0.0/16 # Microsoft
52.173.0.0/16 # Microsoft
52.165.0.0/16 # Microsoft
40.122.0.0/16 # Microsoft
40.113.0.0/16 # Microsoft
40.86.0.0/16 # Microsoft
40.83.0.0/16 # Microsoft
40.78.0.0/16 # Microsoft
40.77.0.0/16 # Microsoft
40.69.0.0/16 # Microsoft
23.101.0.0/16 # Microsoft
23.99.0.0/16 # Microsoft
20.241.0.0/16 # Microsoft
20.169.0.0/16 # Microsoft
20.29.0.0/16 # Microsoft
13.89.0.0/16 # Microsoft
13.86.0.0/16 # Microsoft
13.67.0.0/16 # Microsoft

 

[webbouk]

How did you sort the MS IP addresses from other Guest addresses?

 

[alexm]

I have managed to stop it by adding the following rules to the CSF firewall:

104.47.0.0/16 # Microsoft
104.208.0.0/16 # Microsoft
104.43.0.0/16 # Microsoft
168.61.0.0/16 # Microsoft
52.176.0.0/16 # Microsoft
52.173.0.0/16 # Microsoft
52.165.0.0/16 # Microsoft
40.122.0.0/16 # Microsoft
40.113.0.0/16 # Microsoft
40.86.0.0/16 # Microsoft
40.83.0.0/16 # Microsoft
40.78.0.0/16 # Microsoft
40.77.0.0/16 # Microsoft
40.69.0.0/16 # Microsoft
23.101.0.0/16 # Microsoft
23.99.0.0/16 # Microsoft
20.241.0.0/16 # Microsoft
20.169.0.0/16 # Microsoft
20.29.0.0/16 # Microsoft
13.89.0.0/16 # Microsoft
13.86.0.0/16 # Microsoft
13.67.0.0/16 # Microsoft

You have to end it with " - do not delete" in the comment if you don't want it to expire in CSF.