FYI Microsoft Attack this evening

Dixie McCall

I'm getting some sort of Microsoft DDOS? issue this morning. You might want to check out this on your end. Getting about 200 at a time

Decimal: 883785799
Hostname: 52.173.128.71
ASN: 8075
ISP: Microsoft Corporation
Organization: Microsoft Azure
Services: None detected
Type: Corporate
Assignment: Likely Static IP
Continent: North America
Country: United States
State/Region: Iowa
City: Des Moines
 
Looks like someone is using Azure to attack you/test something; you can just block all Microsoft IP.

I would also recommend reporting abuse, as Microsoft is fairly quick to deal with it compared to Amazon or Digital Ocean:

Comment: To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
Comment: * https://cert.microsoft.com.
Comment: For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
Comment: * abuse@microsoft.com.
Comment: To report security vulnerabilities in Microsoft products and services, please contact:
Comment: * secure@microsoft.com.
Comment: For legal and law enforcement-related requests, please contact:
Comment: * msndcc@microsoft.com
Comment: For routing, peering or DNS issues, please
Comment: contact:
Comment: * IOC@microsoft.com
 
I had this 2 weeks ago or so... it was 'almost' as if it was doing a search engine cough 'Baidu' troll through the entire site from a USA IP. :unsure:
 
I have had 3 days of brute force attacks on a mail server on all IMAP Ports, one attack at least every 60 seconds or less, ALL IPs different and all from different countries, so probably VPNs. It finished at 2pm UK time this afternoon. I did tweak CSF down to block any failed authentication after 1 attempt.
 
It’s happening again, most of the same IPs as before. Luckily it’s just an irritation in terms of connection speed currently, but even so, you don’t expect it from a Microsoft data centre. :unsure:
 
I'm seeing exactly the same on my server.
First I thought this was an aggressive crawler, but all these IPs just request the forum index.
Right now, 800+ visitors all coming from Microsoft IPs.

No problems though... no slow downs or whatever.
 
These are the IPs I've seen from earlier in the year and today:

104.43.0.0/16 # Microsoft Des Moines DDOS - do not delete
104.47.0.0/16 # Microsoft Des Moines DDOS - do not delete
104.208.0.0/16 # Microsoft Des Moines DDOS - do not delete
52.176.0.0/16 # Microsoft Des Moines DDOS - do not delete
52.173.0.0/16 # Microsoft Des Moines DDOS - do not delete
52.165.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.122.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.113.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.122.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.86.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.83.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.78.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.77.0.0/16 # Microsoft Des Moines DDOS - do not delete
40.69.0.0/16 # Microsoft Des Moines DDOS - do not delete
23.101.0.0/16 # Microsoft Des Moines DDOS - do not delete
23.99.0.0/16 # Microsoft Des Moines DDOS - do not delete
20.241.0.0/16 # Microsoft Washington DDOS - do not delete
20.169.0.0/16 # Microsoft Washington DDOS - do not delete
20.29.0.0/16 # Microsoft Des Moines DDOS - do not delete
13.89.0.0/16 # Microsoft Des Moines DDOS - do not delete
13.86.0.0/16 # Microsoft Des Moines DDOS - do not delete
13.67.0.0/16 # Microsoft Des Moines DDOS - do not delete
 
We've got the same at the moment

I have managed to stop it by adding the following rules to the CSF firewall:

Code:
104.47.0.0/16 # Microsoft
104.208.0.0/16 # Microsoft
104.43.0.0/16 # Microsoft
168.61.0.0/16 # Microsoft
52.176.0.0/16 # Microsoft
52.173.0.0/16 # Microsoft
52.165.0.0/16 # Microsoft
40.122.0.0/16 # Microsoft
40.113.0.0/16 # Microsoft
40.86.0.0/16 # Microsoft
40.83.0.0/16 # Microsoft
40.78.0.0/16 # Microsoft
40.77.0.0/16 # Microsoft
40.69.0.0/16 # Microsoft
23.101.0.0/16 # Microsoft
23.99.0.0/16 # Microsoft
20.241.0.0/16 # Microsoft
20.169.0.0/16 # Microsoft
20.29.0.0/16 # Microsoft
13.89.0.0/16 # Microsoft
13.86.0.0/16 # Microsoft
13.67.0.0/16 # Microsoft
 
You have to end it with " - do not delete" in the comment if you don't want it to expire in CSF.
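
Added example, not part of any post in this thread: a way to find the ranges worth blocking from an access log instead of collecting them by hand, using the pattern described above (many different IPs in one range that only request the forum index) and emitting entries in the comment format the posts use. The combined log format, the /16 grouping, the thresholds, the function names and the sample log lines are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not taken from the thread.
SAMPLE_LOG = """\
52.173.128.71 - - [01/Jan/2024:09:00:01 +0000] "GET / HTTP/1.1" 200 5120
52.173.12.9 - - [01/Jan/2024:09:00:01 +0000] "GET / HTTP/1.1" 200 5120
52.173.200.14 - - [01/Jan/2024:09:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120
52.173.77.3 - - [01/Jan/2024:09:00:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.5 - - [01/Jan/2024:09:00:03 +0000] "GET /threads/example.1/ HTTP/1.1" 200 9001
203.0.113.5 - - [01/Jan/2024:09:00:09 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2024:09:00:10 +0000] "GET /forums/ HTTP/1.1" 200 7000
198.51.100.8 - - [01/Jan/2024:09:00:11 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.9 - - [01/Jan/2024:09:00:12 +0000] "GET /members/ HTTP/1.1" 200 3000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*"')

def index_only_networks(log_text, min_ips=3, min_ratio=0.9,
                        index_paths=("/", "/index.php")):
    """Return /16 networks where many distinct IPs request almost only the index."""
    ips = defaultdict(set)               # network -> distinct source addresses
    hits = defaultdict(lambda: [0, 0])   # network -> [index requests, all requests]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # skip lines that are not GET/HEAD requests
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                     # first field was not an IP address
        if addr.version != 4:
            continue                     # the thread's entries are IPv4 /16s
        net = ipaddress.ip_network(f"{addr}/16", strict=False)
        ips[net].add(addr)
        hits[net][1] += 1
        if m.group(2).split("?")[0] in index_paths:
            hits[net][0] += 1
    return sorted(n for n in ips
                  if len(ips[n]) >= min_ips and hits[n][0] / hits[n][1] >= min_ratio)

def csf_deny_lines(networks, label):
    """Format networks like the thread's entries, with the ' - do not delete' suffix."""
    return [f"{n} # {label} - do not delete" for n in networks]
```

Check each flagged range before adding it to the deny list, since a /16 entry also drops any legitimate service hosted in that range.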
 