The original post: /r/cybersecurity by /u/silentlycontinue on 2024-11-06 15:48:21.

Greetings,

I found that about 95% of failed remote VPN login traffic, about 5k daily monitored IPs, was caused by 2 subnets that seem to be managed by the same company or ISP: a /18 and a /19. The IPs rotated too frequently (each IP made only 2 login attempts) for the threat-detection authentication service to shun them automatically, so I blocked the ranges with a block list instead.

Should I submit those ranges to an Open Threat Exchange, or other threat intel service, along with an explanation of what I was seeing on the firewall? Or are such distributed brute force attacks so frequent that it would not be of interest?

_Silently
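The detection gap described in the post (each source IP stops below the per-IP shun threshold, but the netblock as a whole is loud) is easier to see when failures are rolled up to the prefix level. The Python below is an added example, not the OP's code or any product's feature; the log format, the 10.x addresses standing in for the two ranges, and the lockout threshold of 3 are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed VPN auth-failure records (not real data): "<time> <src_ip> <user> FAIL".
# 10.64.0.0/18 and 10.128.0.0/19 stand in for the two rotating ranges from the post.
SAMPLE_LOG = """\
2024-11-06T10:00:01 10.64.3.10 alice FAIL
2024-11-06T10:00:03 10.64.3.10 bob FAIL
2024-11-06T10:00:09 10.64.40.7 carol FAIL
2024-11-06T10:00:12 10.64.40.7 dave FAIL
2024-11-06T10:00:20 10.64.17.88 erin FAIL
2024-11-06T10:00:22 10.64.17.88 frank FAIL
2024-11-06T10:00:30 10.128.9.4 grace FAIL
2024-11-06T10:00:31 10.128.9.4 heidi FAIL
2024-11-06T10:00:40 10.128.30.250 ivan FAIL
2024-11-06T10:00:41 10.128.30.250 judy FAIL
2024-11-06T10:00:55 10.200.1.1 mallory FAIL
2024-11-06T10:01:10 10.200.1.1 mallory FAIL
2024-11-06T10:01:15 10.200.1.1 mallory FAIL
"""
PER_IP_LOCKOUT = 3  # assumed per-IP shun threshold of the auth service (constructed)

def parse_failures(text):
    """One source IP per failed login record."""
    return [ipaddress.ip_address(p[1]) for p in (line.split() for line in text.splitlines())
            if len(p) == 4 and p[3] == "FAIL"]

def aggregate_by_prefix(ips, prefix_len):
    """Roll failures up to /prefix_len: {network: (total_attempts, distinct_ips)}."""
    attempts, distinct = Counter(), defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network((ip, prefix_len), strict=False)
        attempts[net] += 1
        distinct[net].add(ip)
    return {net: (attempts[net], len(distinct[net])) for net in attempts}

def find_distributed_sources(ips, prefix_len, min_attempts, min_ips):
    """Prefixes with many failures spread over many IPs, none of which hit PER_IP_LOCKOUT."""
    per_ip = Counter(ips)
    flagged = []
    for net, (total, n_ips) in aggregate_by_prefix(ips, prefix_len).items():
        if total < min_attempts or n_ips < min_ips:
            continue
        # A single loud host is shunned per-IP already; report only what that threshold missed.
        if max(per_ip[ip] for ip in per_ip if ip in net) < PER_IP_LOCKOUT:
            flagged.append(str(net))
    return sorted(flagged)

if __name__ == "__main__":
    print(find_distributed_sources(parse_failures(SAMPLE_LOG), 18, min_attempts=4, min_ips=2))
```

Running the same aggregation at /19 and at the ISP's allocation boundary, then comparing which prefixes persist across days, is what turns a block-list entry into a reportable, evidence-backed observation.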