reverse.lstn.net

Discussion in 'other firewalls' started by Lethos, Dec 1, 2012.

Thread Status:
Not open for further replies.
  1. Lethos

    Lethos Registered Member

    Joined:
    Dec 1, 2012
    Posts:
    3
    Location:
    United Kingdom
    Apparently I can't reply to this one any more.
    https://www.wilderssecurity.com/showthread.php?t=309308&page=2

    So since the same problem is occurring, I wanted to continue the topic.

    I registered specifically to make this post, since it was the first result in Google for 'reverse.lstn.net', which has been a very frequent brute-force attacker of my server since I've kept track of reverse DNS details over the past 8 months, rather than just keeping an eye on IP addresses.

    Clearly this webhost has a problem with the clients that use it and does little to stop it, since repeated attacks often occur month after month from the same IP address.

    All the IPs so far in my recorded history are:

    All resolve to a reverse DNS that resembles the below:
    100-42-143-63.static.reverse.lstn.net

    If this continues I won't have much option but to do some pretty wide /16 blacklisting on my firewall, since I'm starting to get a pattern of what lstn.net own, and thus operate from:
    63.143.*.*
    74.63.*.*
    216.144.*.*

    Maybe more. As in the referenced post, this also happened last year.
    Is anyone else experiencing this?
     
  2. 3inchblue

    3inchblue Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    49
  3. Lethos

    Lethos Registered Member

    Joined:
    Dec 1, 2012
    Posts:
    3
    Location:
    United Kingdom
    Thanks for those links.
     
  4. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
    Hi Lethos. Yes, I've got them banned in my personal server blacklist. I like to collect and blacklist all the most common dedicated server / VPS hosts.

    I think you would be best to just blacklist all the Limestone CIDR ranges, and save your time for something else.

    I generally use the Hurricane Electric site for investigating IPs:

    http://bgp.he.net/AS46475
    http://bgp.he.net/AS46475#_prefixes

    There are a ton of dedicated server and VPS hosts which are favoured by attackers; usually the low-cost servers are the most active in attacks and abuse.

    The typical traffic coming from those ranges will be proxies, spambots, scrapers, crawlers and other types of things you most likely don't want to have accessing your website or server.

    You also have to consider the large number of compromised web sites / servers being used to compromise other sites and servers.

    One of the best sources of abuse I've seen for a while was/is Hostnoc:
    http://stopmalvertising.com/security/hostnocs-christmas-hacking-bonanza.html
     
    Last edited: Dec 4, 2012
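
The approach discussed in the posts above (tracking sources by reverse DNS name rather than by single IP, then deciding how wide a block to apply) can be sketched as follows. This is an added example, not code from any poster; the sample records are constructed from documentation address ranges, `hosting.example` is a placeholder domain, and all function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of (source IP, PTR name) pairs, as a log enricher might
# record them. Documentation-range addresses; "hosting.example" is a placeholder.
EVENTS = [
    ("198.51.100.87", "87-100-51-198.static.reverse.hosting.example"),
    ("198.51.100.98", "98-100-51-198.static.reverse.hosting.example"),
    ("198.51.100.100", "100-100-51-198.static.reverse.hosting.example"),
    ("203.0.113.156", "156-113-0-203.static.reverse.hosting.example"),
    ("203.0.113.165", "165-113-0-203.static.reverse.hosting.example"),
    ("192.0.2.37", "37-2-0-192.static.reverse.hosting.example"),
    ("192.0.2.10", "host10.isp.example"),  # unrelated source
]

def ptr_embeds_ip(ip, ptr):
    """True if the first PTR label is the IP's octets reversed and hyphenated."""
    return ptr.split(".")[0] == "-".join(reversed(ip.split(".")))

def group_by_suffix(events, labels=2):
    """Group source IPs by the last `labels` labels of their PTR name.
    Naive suffix split (not public-suffix aware), which is an assumption."""
    groups = defaultdict(set)
    for ip, ptr in events:
        groups[".".join(ptr.rstrip(".").lower().split(".")[-labels:])].add(ip)
    return groups

def covering_prefix(ips):
    """Smallest single IPv4 network that contains every address in `ips`."""
    addrs = [ipaddress.ip_address(i) for i in ips]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net

def plan_blocks(ips, wide=16):
    """Per wide block: (tightest prefix covering the hits, hits, block size)."""
    by_wide = defaultdict(list)
    for ip in ips:
        by_wide[ipaddress.ip_network(f"{ip}/{wide}", strict=False)].append(ip)
    return {str(w): (str(covering_prefix(m)), len(m), w.num_addresses)
            for w, m in sorted(by_wide.items())}

if __name__ == "__main__":
    for suffix, ips in sorted(group_by_suffix(EVENTS).items()):
        print(suffix, len(ips), "sources")
        for wide, (tight, hits, size) in plan_blocks(ips).items():
            print(f"  {wide}: {hits} hits in {size} addresses; observed span {tight}")
```

The tight prefix only reflects addresses seen in the logs, not the provider's actual allocation; the announced prefixes for a provider come from a listing such as the AS page linked in the post above.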
  5. Lethos

    Lethos Registered Member

    Joined:
    Dec 1, 2012
    Posts:
    3
    Location:
    United Kingdom
    Thanks for the tips and advice.
    I've recently started getting involved in Project Honey Pot, and found they also had a good list of IP ranges to add to my banned list. As well as helping out, of course.
     
  6. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
    Quick check of this morning's server logs and what do I see:

     