[root@bunny www]# /root/bin/log_activity4 "Jul 1"
Banned Activity Log: Jul 1 2020
M0 - Preroute Other
M1 - Preroute Frags
M2 - Preroute Spoof
A0 - Denied non-ICMP
A1 - Denied DNS
A2 - Denied ICMP
C  - SOFTBAN
D  - DNS Denied
E  - DNS Raw
F  - Other
i0 - ICMP Echo
i1 - ICMP Other
i2 - ICMP Permitted
nc - Counted (sum of the columns M0 through i2)
nt - Total (nc less the SOFTBAN and ICMP Other counts)

Hour xx -  M0   M1   M2     A0   A1   A2     C    D     E       F   i0   i1   i2      nc      nt
Hour 00 -   0   32   31    254    1    2   133   10   207   12262    0    0    0   12932   12799
Hour 01 -   0   23   33    182    0    2     9    6   182   11814    0    0    0   12251   12242
Hour 02 -   0   27   50    367    1    6    26    1   113    7110    0    0    0    7701    7675
Hour 03 -   0   27   31    257    0   12     0    0     2     294    0    0    0     623     623
Hour 04 -   0   29   38    246    0    3     0    0     6     272    0    0    0     594     594
Hour 05 -   0   26   31    240    1    9     0    0     5     278    0    0    0     590     590
Hour 06 -   0   22   35    162    0   16     0    0     8     257    0    0    0     500     500
Hour 07 -   0   23   31    125    0    7     0    0     5     269    0    0    0     460     460
Hour 08 -   0   29   34    158    0   13     0    0     5     245    0    2    0     486     484
Hour 09 -   0   24   34    160    2   10     0    0     0     259    0    4    0     493     489
Hour 10 -   0   36   36    236    0   21     0    0     3     263    0    0    0     595     595
Hour 11 -   0   30   34    291    5    0     4    0     3     312    0    0    0     679     675
Hour 12 -   0   25   30    228    4   47   124    0    28     601    0    0    0    1087     963
Hour 13 -   0   27   29    172    3    3     0    0     5     284    0    0    0     523     523
Hour 14 -   0   35   32    144    1   12     0    0     2     297    0    0    0     523     523
Hour 15 -   0   41   36    124    2    1     0    0    90    6082    0    0    0    6376    6376
Hour 16 -   0   33   31    133    0   21     0    0   187   11036    0    0    0   11441   11441
Hour 17 -   0   19   31    119    0   58     0    3   152   11036    0    0    0   11418   11418
Hour 18 -   0   29   32    131    1    8    25    0   177   10979    0    0    0   11382   11357
Hour 19 -   0   30   30    254    0    3     0    7   249   10897    0    0    0   11470   11470
Hour 20 -   0   23   32    234    1    0     0    0   162   10978    0    0    0   11430   11430
Hour 21 -   0   28   36    192    7    4     0    9   123    7007    0    0    0    7406    7406
Hour 22 -   0   28   28    130    0    5     0    7   199   11014    0    0    0   11411   11411
Hour 23 -   0   29   34    230    0   10     0    2   173   11170    0    4    0   11652   11648

[root@diana stryx]# /root/bin/log_activity4 "Jul 1"
Banned Activity Log: Jul 1 2020
(same legend as above: M0 Preroute Other, M1 Preroute Frags, M2 Preroute Spoof, A0 Denied non-ICMP, A1 Denied DNS, A2 Denied ICMP, C SOFTBAN, D DNS Denied, E DNS Raw, F Other, i0 ICMP Echo, i1 ICMP Other, i2 ICMP Permitted, nc Counted, nt Total)
Hour xx -  M0   M1   M2     A0   A1   A2     C    D     E       F   i0   i1   i2      nc      nt
Hour 00 -   0   24   41     87    2    0     0    0   205   11900    0    0    0   12259   12259
Hour 01 -   0   28   50    158    0    3     0    0   205   11901    0    0    0   12345   12345
Hour 02 -   0   17   39    135    1    4     0    0   179   11867    0    0    0   12242   12242
Hour 03 -   0   35   83    286    2    5     0    0   129    7282    0    0    0    7822    7822
Hour 04 -   0   31   84    145    0    2     1    0     2     303    0    0    0     568     567
Hour 05 -   0   16   36     76    0    2     0    0     3     281    0    0    0     414     414
Hour 06 -   0   20   81    163    0    2     0    0     5     310    0    0    0     581     581
Hour 07 -   0   22   34    102    4    1     0    0     9     287    0    0    0     459     459
Hour 08 -   0   26   46    151    3    1     0    0     3     319    0    0    0     549     549
Hour 09 -   0   25   38     59    0    1     0    0     3     276    0    0    0     402     402
Hour 10 -   0   32   34    133    2    7     0    0     1     278    0    0    0     487     487
Hour 11 -   0   34   35    101    0    1     0    0     6     283    0    0    0     460     460
Hour 12 -   0   24   35    142    9    4     0    0     4     296    0    0    0     514     514
Hour 13 -   0   34   39    107    4    1     0    0     4     425    0    0    0     614     614
Hour 14 -   0   24   46    117    2    5     0    0     5     280    0    0    0     479     479
Hour 15 -   0   37   47    141    0    2     0    0     1     321    0    0    0     549     549
Hour 16 -   0   27   39     73    1    2     0    0   122    6491    0    0    0    6755    6755
Hour 17 -   0   26   49    433    0    0     0    0   199   10811    0    0    0   11518   11518
Hour 18 -   0   29   47    458    0    0     0    0   140   11049    0    0    0   11723   11723
Hour 19 -   0   24   53    505    0    5    25    0   223   11030    0    0    0   11865   11840
Hour 20 -   0   26   65   2869    1    2     0    0   168   10915    0    0    0   14046   14046
Hour 21 -   0   29   68    682    2    0     0    0   175   11179    0    0    0   12135   12135
Hour 22 -   0   26   57    502    5    1     0    0   126    6123    0    0    0    6840    6840
Hour 23 -   0   34   54    433    1    1     0    0   169   11084    0    0    0   11776   11776

Hour 20 on diana is the outlier: column A0 (Denied non-ICMP) jumps to 2869 against a few hundred in the neighbouring hours. The log for that hour holds 2850 "Major" lines carrying the ACK flag. ACK-only segments arriving from a remote port 443 and aimed at a local ephemeral port are the shape of a far end answering a connection opened from our side, so a comparable number of SYNs would have had to leave this network toward the Facebook address. We find no such use in any measure, and that address is blacklisted by our automation precisely so that its ACKs are never accepted as answers to a session.
[root@diana biglogs]# cat /var/log/messages | grep "Jul 1 20" | grep "Major" | grep "ACK" | wc
   2850   77385  745303
[root@diana biglogs]# cat /var/log/messages | grep "Jul 1 20" | grep "Major" | grep -v "ACK" | wc
    113    2983   28273

The other 113 "Major" lines in the same hour are inbound SYN packets sent TO the server, with DPT=8233. Port 8233 is not a privileged port (privileged ports are those below 1024) and nothing here listens on it; it is not HTTP, HTTPS or any service this site offers, so each of these SYNs is a connection attempt against a closed port and we treat each one as a probe. They form part of the 2869 denied non-ICMP packets (column A0) in Hour 20 and exceed 1890 for the day. The source, 3.134.75.148, sits in a range registered to Amazon Technologies (Seattle, WA); it is a rented Amazon machine, though the registration cannot tell us whether it is a dedicated server or a shared instance. It was active during the firewall disruption periods, the hours in which column E runs above 10 and column F above 500. We classify all traffic in hours 00-03 and 16-23 as malicious.

Jul 1 20:07:30 diana kernel: *! Major Abuser !* IN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=3.134.75.148 DST=160.3.25.238 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=25165 DF PROTO=TCP SPT=47588 DPT=8233 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 1 20:07:32 diana kernel: *! Major Abuser !* IN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=3.134.75.148 DST=160.3.25.238 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=25166 DF PROTO=TCP SPT=47588 DPT=8233 WINDOW=29200 RES=0x00 SYN URGP=0

As of 8pm CDT on diana (server 2), we have 10,743 repeated requests from a second host, 142.93.236.86:

Jul 1 20:59:57 diana kernel: BanPerm: IN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=42918 PROTO=TCP SPT=32766 DPT=26135 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 1 20:59:57 diana kernel: BanPerm: IN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=59338 PROTO=TCP SPT=32766 DPT=10453 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 1 20:59:57 diana kernel: BanPerm: IN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=47560 PROTO=TCP SPT=32766 DPT=4317 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 1 20:59:58 diana kernel: BanPerm: IN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=61349 PROTO=TCP SPT=32766 DPT=27030 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 1 20:59:59 diana kernel: BanPerm: IN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=22716 PROTO=TCP SPT=32766 DPT=3044 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 1 20:59:59 diana kernel: BanPerm: IN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=41840 PROTO=TCP SPT=32766 DPT=32005 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 1 20:59:59 diana kernel: BanPerm: IN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=18241 PROTO=TCP SPT=32766 DPT=47349 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 1 20:59:59 diana kernel: BanPerm: IN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=57337 PROTO=TCP SPT=32766 DPT=54533 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 1 20:59:59 diana kernel: BanPerm: IN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=11076 PROTO=TCP SPT=32766 DPT=3958 WINDOW=1024 RES=0x00 SYN URGP=0

Every one of these SYNs shares a fixed source port (32766), a 40-byte length with no options, a 1024-byte window, no DF bit and a TTL of 242 (an initial TTL of 255, which the Linux stack itself does not send; it uses 64), while the destination ports are scattered across the whole range. That is the fingerprint of a raw-socket SYN port scanner sweeping the host, not of a client trying to reach a service. The /16 is a direct allocation to DigitalOcean, LLC, whose registered address is in New York, NY; the registration identifies the provider, not where the machine physically runs.

[root@bunny ~]# whois 142.93.236.86
[Querying whois.arin.net]
[whois.arin.net]
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
#

NetRange:       142.93.0.0 - 142.93.255.255
CIDR:           142.93.0.0/16
NetName:        DIGITALOCEAN-142-93-0-0
NetHandle:      NET-142-93-0-0-1
Parent:         NET142 (NET-142-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS14061
Organization:   DigitalOcean, LLC (DO-13)
RegDate:        2018-07-12
Updated:        2020-04-03
Comment:        Routing and Peering Policy can be found at https://www.as14061.net
Comment:
Comment:        Please submit abuse reports at https://www.digitalocean.com/company/contact/#abuse
Ref:            https://rdap.arin.net/registry/ip/142.93.0.0

OrgName:        DigitalOcean, LLC
OrgId:          DO-13
Address:        101 Ave of the Americas
Address:        10th Floor
City:           New York
StateProv:      NY
PostalCode:     10013
Country:        US
RegDate:        2012-05-14
Updated:        2019-02-04
Comment:        http://www.digitalocean.com
Comment:        Simple Cloud Hosting
Ref:            https://rdap.arin.net/registry/entity/DO-13

OrgNOCHandle:   NOC32014-ARIN
OrgNOCName:     Network Operations Center
OrgNOCPhone:    +1-347-875-6044
OrgNOCEmail:    noc@digitalocean.com
OrgNOCRef:      https://rdap.arin.net/registry/entity/NOC32014-ARIN

OrgTechHandle:  NOC32014-ARIN
OrgTechName:    Network Operations Center
OrgTechPhone:   +1-347-875-6044
OrgTechEmail:   noc@digitalocean.com
OrgTechRef:     https://rdap.arin.net/registry/entity/NOC32014-ARIN

OrgAbuseHandle: ABUSE5232-ARIN
OrgAbuseName:   Abuse, DigitalOcean
OrgAbusePhone:  +1-347-875-6044
OrgAbuseEmail:  abuse@digitalocean.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE5232-ARIN

In the same 60 minutes we also received 884 packets from a Facebook address carrying source port 443 (TLS), as shown in:

Jul 1 20:00:46 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8367 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1049 RES=0x00 ACK URGP=0
Jul 1 20:00:46 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8368 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1062 RES=0x00 ACK URGP=0
Jul 1 20:00:46 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8370 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1062 RES=0x00 ACK URGP=0
Jul 1 20:00:46 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8371 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1073 RES=0x00 ACK URGP=0
Jul 1 20:00:46 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8372 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1084 RES=0x00 ACK URGP=0
Jul 1 20:00:46 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8374 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1118 RES=0x00 ACK URGP=0
Jul 1 20:00:51 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8621 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1172 RES=0x00 ACK URGP=0
Jul 1 20:00:51 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8625 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1205 RES=0x00 ACK URGP=0
Jul 1 20:00:52 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8677 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1282 RES=0x00 ACK URGP=0
Jul 1 20:00:53 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8693 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1303 RES=0x00 ACK URGP=0
Jul 1 20:00:54 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8730 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1358 RES=0x00 ACK URGP=0
Jul 1 20:00:54 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8731 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1369 RES=0x00 ACK URGP=0
Jul 1 20:00:54 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8733 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1387 RES=0x00 ACK URGP=0
Jul 1 20:00:55 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8735 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1398 RES=0x00 ACK URGP=0
Jul 1 20:00:55 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8736 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1409 RES=0x00 ACK URGP=0
Jul 1 20:00:55 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8800 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1452 RES=0x00 ACK URGP=0
Jul 1 20:00:55 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8802 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1485 RES=0x00 ACK URGP=0
Jul 1 20:00:55 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8803 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1496 RES=0x00 ACK URGP=0

More than 30 such requests from a single source is treated as excessive.
Jul 1 20:11:34 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.19 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=13661 DF PROTO=TCP SPT=443 DPT=49749 WINDOW=1180 RES=0x00 ACK URGP=0
Jul 1 20:11:34 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.19 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=13672 DF PROTO=TCP SPT=443 DPT=49749 WINDOW=1180 RES=0x00 ACK URGP=0
Jul 1 20:11:34 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.19 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=13673 DF PROTO=TCP SPT=443 DPT=49749 WINDOW=1180 RES=0x00 ACK URGP=0
Jul 1 20:11:34 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.19 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=13674 DF PROTO=TCP SPT=443 DPT=49749 WINDOW=1180 RES=0x00 ACK URGP=0
Jul 1 20:11:34 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.19 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=13675 DF PROTO=TCP SPT=443 DPT=49749 WINDOW=1180 RES=0x00 ACK URGP=0
Jul 1 20:11:34 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.19 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=13681 DF PROTO=TCP SPT=443 DPT=49749 WINDOW=1180 RES=0x00 ACK URGP=0
Jul 1 20:11:34 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.19 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=13686 DF PROTO=TCP SPT=443 DPT=49749 WINDOW=1180 RES=0x00 ACK URGP=0
Jul 1 20:11:34 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= MAC=e0:3f:49:15:2f:c6:f8:1d:0f:96:f0:12:08:00 SRC=157.240.19.19 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=13689 DF PROTO=TCP SPT=443 DPT=49749 WINDOW=1180 RES=0x00 ACK URGP=0
Jul 1 20:11:34 diana ker

And 920 more from this second Facebook address, 157.240.19.19, of the same shape (source port 443, ACK only).

This traffic is dropped because the firewall's connection tracking knows no session for it: an ACK segment with no prior SYN from our side matches the profile of an ACK flood, and of spoofed traffic designed to trick a firewall into banning the apparent source and so cutting the .238 host off from it. Note what the fields actually say. SPT=443 is the remote end's port; DPT=49699 and DPT=49749 are ephemeral ports on the .238 host. The packets are therefore not aimed at any web service on this server (it runs none on port 443); they have the shape of a server's pure ACKs to a client connection, and the rising WINDOW values from 1049 to 1496 are what a server advertises while it receives data. A stateful firewall discards such segments when it holds no matching session; a stateless router or an unprotected host would accept them, which is why forged packets of this kind hit less secure systems. Before treating the burst as an attack rather than leakage from a real session, check whether a local socket owns the destination port and whether conntrack saw the flow, for example with `ss -tnp 'sport = :49699'` and `conntrack -L -d 157.240.19.35` (assuming iproute2 and conntrack-tools are installed on the firewall).

Ordinarily Facebook's ranges would be given a pass while we investigated. The volume argues against that here: about 3800 such packets between 20:00 and 21:00 on July 1 2020, against fewer than 600 per hour in every other hour measured. We read that as artificially generated traffic, not the product of sessions initiated on our network or devices, uncorrelated with any Facebook use by our client network or devices, and shaped to evade the stateful filtering features of Cisco and Juniper routers even though it is invalid as TCP (an ACK belonging to no session).

The same tooling applied to two distinct machines within the 24-hour period, with matching escalation and wind-down slopes, again indicates a single enterprise source behind the attack, and gives context to the false claims explicitly citing the "kidnapping" of the child under a Federal Criminal Complaint that preceded the disruptive effort. Such an act could block replies after the posts by Paul Brooks, and in context makes the two actions statistically significant in a trend analysis of blackmail, extortion and online felony stalking as described in Title 18 U.S.C. section 2261A. It was prompted in a Facebook group to support commercial sabotage sustaining a $24,000 embezzlement of Social Security estate funds presented as stimulus and small-business relief during the 2020 COVID pandemic.
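As an added example, and not the page's log_activity4 tool or any code from its author, the following Python parses netfilter LOG lines in the format quoted above and separates the three patterns this page counts by hand: repeated SYNs to one closed port (the 3.134.75.148 lines), a fixed-source-port SYN sweep (the 142.93.236.86 lines) and ACK-only segments from a remote port 443 (the Facebook lines). It also reproduces the per-hour ACK / non-ACK split of the grep pipeline. The sample log is constructed from abridged copies of the page's own lines (MAC field dropped, a few lines per host); the function names and classification labels are this example's own.

```python
"""Parse netfilter LOG lines of the kind quoted on this page and classify each
remote host by the shape of its TCP traffic.  Added example; function names
such as classify_source() are this example's own, not the page's tooling."""
import re
from collections import Counter, defaultdict

# Constructed sample log, abridged from the page's excerpts: the MAC= field is
# dropped and only a few lines per host are kept.  Three patterns are present:
# repeated SYNs to one closed port, a SYN port sweep, and ACK-only segments
# arriving from a remote port 443.
SAMPLE_LOG = """\
Jul  1 20:07:30 diana kernel: *! Major Abuser !* IN=enp4s0 OUT= SRC=3.134.75.148 DST=160.3.25.238 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=25165 DF PROTO=TCP SPT=47588 DPT=8233 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  1 20:07:32 diana kernel: *! Major Abuser !* IN=enp4s0 OUT= SRC=3.134.75.148 DST=160.3.25.238 LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=25166 DF PROTO=TCP SPT=47588 DPT=8233 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  1 20:59:57 diana kernel: BanPerm: IN=enp4s0 OUT= SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=42918 PROTO=TCP SPT=32766 DPT=26135 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  1 20:59:57 diana kernel: BanPerm: IN=enp4s0 OUT= SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=59338 PROTO=TCP SPT=32766 DPT=10453 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  1 20:59:57 diana kernel: BanPerm: IN=enp4s0 OUT= SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=47560 PROTO=TCP SPT=32766 DPT=4317 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  1 20:59:58 diana kernel: BanPerm: IN=enp4s0 OUT= SRC=142.93.236.86 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=61349 PROTO=TCP SPT=32766 DPT=27030 WINDOW=1024 RES=0x00 SYN URGP=0
Jul  1 20:00:46 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8367 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1049 RES=0x00 ACK URGP=0
Jul  1 20:00:46 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8368 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1062 RES=0x00 ACK URGP=0
Jul  1 21:00:01 diana kernel: Major Abuser - Mangle BlackliIN=enp4s0 OUT= SRC=157.240.19.35 DST=160.3.25.238 LEN=40 TOS=0x00 PREC=0x00 TTL=89 ID=8370 DF PROTO=TCP SPT=443 DPT=49699 WINDOW=1062 RES=0x00 ACK URGP=0
"""

# syslog timestamp, host, "kernel:" and the rest of the line (prefix + fields)
TS_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}):\d{2}:\d{2}\s+\S+\s+kernel:\s*(.*)$")
# only the fields we need; \b keeps the run-on "BlackliIN=" prefix from matching
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|LEN|TTL|SPT|DPT|WINDOW)=(\S+)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return a dict for a TCP LOG line, or None for anything else."""
    m = TS_RE.match(line)
    if not m:
        return None
    rest = m.group(4)
    f = dict(FIELD_RE.findall(rest))
    if f.get("PROTO") != "TCP" or "SRC" not in f:
        return None
    toks = set(rest.split())
    return {
        "day": int(m.group(2)), "hour": int(m.group(3)),
        "prefix": rest[:rest.find("IN=")].strip(),   # the --log-prefix text
        "src": f["SRC"], "dst": f["DST"],
        "spt": int(f["SPT"]), "dpt": int(f["DPT"]),
        "len": int(f["LEN"]), "ttl": int(f["TTL"]), "window": int(f["WINDOW"]),
        "df": "DF" in toks, "flags": toks & TCP_FLAGS,
    }


def classify_source(pkts):
    """Label one remote host's packets by the shape of its TCP traffic."""
    flags = [p["flags"] for p in pkts]
    spts = {p["spt"] for p in pkts}
    dpts = {p["dpt"] for p in pkts}
    if all(fl == {"ACK"} for fl in flags) and spts <= {80, 443} \
            and all(p["dpt"] >= 1024 for p in pkts):
        # Pure ACKs from a well-known service port to one of our ephemeral
        # ports: what the far end of a session opened from our side (or by a
        # client NATed behind us) sends.  Confirm with ss/conntrack before
        # calling it a flood.
        return "reply_to_outbound_session"
    if all(fl == {"SYN"} for fl in flags):
        if len(spts) == 1 and len(dpts) >= 3 and all(
                p["len"] == 40 and p["window"] == 1024 and not p["df"] for p in pkts):
            # fixed source port, 40-byte SYNs, window 1024, DF clear, many
            # destination ports: a raw-socket port scanner, not a client stack
            return "port_scan"
        if len(dpts) == 1:
            return "repeated_connect_attempt"   # one closed port, tried repeatedly
        return "syn_probe"
    return "mixed"


def classify_log(text):
    """Map each source address in the log to its classification."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        p = parse_line(line)
        if p:
            by_src[p["src"]].append(p)
    return {src: classify_source(pk) for src, pk in by_src.items()}


def hourly_counts(text, prefix_contains="Major"):
    """Per (day, hour) counts of ACK vs non-ACK lines whose prefix contains the
    given text; the same split as the page's grep / grep -v "ACK" pipeline."""
    c = Counter()
    for line in text.splitlines():
        p = parse_line(line)
        if p and prefix_contains in p["prefix"]:
            c[(p["day"], p["hour"], "ACK" if "ACK" in p["flags"] else "other")] += 1
    return c


if __name__ == "__main__":
    for src, label in classify_log(SAMPLE_LOG).items():
        print(f"{src:16} {label}")
    for key, n in sorted(hourly_counts(SAMPLE_LOG).items()):
        print(key, n)
```

Run against the real /var/log/messages by passing the file contents to classify_log(); a source labelled reply_to_outbound_session is the one to cross-check against ss and conntrack before banning, while port_scan and repeated_connect_attempt sources are the ones the page's BanPerm and Major Abuser rules already handle.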
[root@bunny ~]# whois 157.240.19.35
[Querying whois.arin.net]
[whois.arin.net]

NetRange:       157.240.0.0 - 157.240.255.255
CIDR:           157.240.0.0/16
NetName:        THEFA-3
NetHandle:      NET-157-240-0-0-1
Parent:         NET157 (NET-157-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   Facebook, Inc. (THEFA-3)
RegDate:        2015-05-14
Updated:        2015-05-14
Ref:            https://rdap.arin.net/registry/ip/157.240.0.0

OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 Willow Rd.
City:           Menlo Park
StateProv:      CA
PostalCode:     94025
Country:        US
RegDate:        2004-08-11
Updated:        2012-04-17
Ref:            https://rdap.arin.net/registry/entity/THEFA-3

OrgTechHandle:  OPERA82-ARIN
OrgTechName:    Operations
OrgTechPhone:   +1-650-543-4800
OrgTechEmail:   noc@fb.com
OrgTechRef:     https://rdap.arin.net/registry/entity/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName:   Operations
OrgAbusePhone:  +1-650-543-4800
OrgAbuseEmail:  noc@fb.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/OPERA82-ARIN

[root@bunny ~]# whois 157.240.19.19
[Querying whois.arin.net]
[whois.arin.net]

NetRange:       157.240.0.0 - 157.240.255.255
CIDR:           157.240.0.0/16
NetName:        THEFA-3
NetHandle:      NET-157-240-0-0-1
Parent:         NET157 (NET-157-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   Facebook, Inc. (THEFA-3)
RegDate:        2015-05-14
Updated:        2015-05-14
Ref:            https://rdap.arin.net/registry/ip/157.240.0.0

OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 Willow Rd.
City:           Menlo Park
StateProv:      CA
PostalCode:     94025
Country:        US
RegDate:        2004-08-11
Updated:        2012-04-17
Ref:            https://rdap.arin.net/registry/entity/THEFA-3

OrgTechHandle:  OPERA82-ARIN
OrgTechName:    Operations
OrgTechPhone:   +1-650-543-4800
OrgTechEmail:   domain@facebook.com
OrgTechRef:     https://rdap.arin.net/registry/entity/OPERA82-ARIN

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName:   Operations
OrgAbusePhone:  +1-650-543-4800
OrgAbuseEmail:  domain@facebook.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/OPERA82-ARIN