
TZ450 1000's of failed logon attempts

Over the past 24 hours or so, we have been getting bombarded by thousands of failed logon attempts to our TZ450. We have GEO-IP filter set to block everything except Canada and the US, but these attempts are coming from within them. We created rules to block the first IP address, but shortly after, the attempts started coming from a second IP. We blocked it, and the attempts started coming from a 3rd IP. We blocked it this morning, and so far the attempts have stopped. I created abuse tickets with two of the companies hosting those IPs; the third is Akamai, so… I'll refrain from submitting to them.

These are the IPs that were hitting us:

209.44.102.207 - ThinkOn via eStruxture Web

216.194.170.77 - InMotion Hosting

45.33.14.210 - Akamai

They have been hitting both our primary and secondary public IP addresses, so I'll assume they got them from our DNS records for our VPN, which brings up another question. Is using public DNS for our VPN bad practice, or is it common?

Category: Entry Level Firewalls
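The pattern in the opening post (block one source, the attempts resume from another) is why counting failures per source IP under-reports this kind of traffic. The sketch below is an added example, not code from the thread or from SonicWall: it counts failed logons in a sliding window keyed by source and by targeted public IP. The event tuple layout, the addresses (documentation ranges) and the thresholds are assumptions, not SonicWall log output.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed events, not real firewall logs: (time, src, dst, result)."""
    start = datetime(2024, 1, 1, 9, 0, 0)
    sources = ["192.0.2.10", "192.0.2.20", "198.51.100.30", "198.51.100.40"]
    targets = ["203.0.113.1", "203.0.113.2"]  # primary and secondary public IPs
    events = []
    for i in range(24):
        # The source changes every 6 attempts, as if each one was blocked in turn.
        events.append((start + timedelta(seconds=10 * i), sources[i // 6],
                       targets[i % 2], "fail"))
    # One ordinary user mistyping a password once.
    events.append((start + timedelta(seconds=95), "192.0.2.99", "203.0.113.1", "fail"))
    return sorted(events)

def burst_keys(events, key_index, limit, window):
    """Return {key: peak count} for keys with >= limit failures inside window."""
    recent = defaultdict(deque)
    peaks = {}
    for ev in events:
        if ev[3] != "fail":
            continue
        ts, key = ev[0], ev[key_index]
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= limit:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def analyse(events, limit=10, window=timedelta(minutes=5)):
    by_source = burst_keys(events, 1, limit, window)  # what per-IP blocking sees
    by_target = burst_keys(events, 2, limit, window)  # what the firewall receives
    # Distinct failing sources per flagged target, over the whole sample.
    distinct = {t: len({e[1] for e in events if e[2] == t and e[3] == "fail"})
                for t in by_target}
    return by_source, by_target, distinct

if __name__ == "__main__":
    src, dst, distinct = analyse(sample_events())
    print("sources over limit:", src)
    print("targets over limit:", dst)
    print("distinct sources per target:", distinct)
```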

Answers

  • fmadia Moderator

    @James_H blocking the IPs and flagging them was the best initial approach. Our botnet filter is picking up more IPs over time and blocking those too; however, if you're still facing issues with your firewall, please reach out to our Support Team to get further assistance: https://www.sonicwall.com/support/contact-support/

  • Arkwright Community Legend ✭✭✭✭✭

    It seems like there has been an update to the tools used by hackers recently, as we're seeing similar events with different customers.

  • Arkwright Community Legend ✭✭✭✭✭

    Turns out there are multiple threads in this forum and on Reddit about this. There is a message on the support number about this. There is a hotfix that SonicWall built for this. But there's no sticky thread from SonicWall in here and we haven't had an email about it? Come on!!!

  • James_H Newbie ✭

    Okay, if there is a hotfix for this, that would be great because just since last night we have been bombarded with logon attempts from the following web hosting companies. It's pretty constant right now. Are hosting companies responsible for this behavior? Should I report this to the FCC?

    38.170.231.130 - HostPapa
    54.39.18.207 - OVH SAS
    213.190.6.200 - Hostinger International Limited
    216.158.71.194 - WebNX, Inc.
    198.46.82.73 - InMotion Hosting
    173.252.167.160 - OrangeHost
    142.93.241.56 - DigitalOcean, LLC
    52.117.167.71 - SoftLayer

    Here's a sample of this.
