[NeMo-DDoS-List] FW: [Geant DDoS CA Subscribers] Advice from NCSC-NL re aggressive Recyber scanning

Hank Nussbacher hank at mail.iucc.ac.il
Mon Jun 16 18:54:12 IDT 2025


-------- Forwarded Message --------
Subject: [TLP:GREEN] Recyber scan traffic leads to DoS
Date: Mon, 16 Jun 2025 12:46:00 +0000
Reply-To: Info (NCSC-NL) <info at ncsc.nl>
To: Info (NCSC-NL) <info at ncsc.nl>

[TLP:GREEN]

(https://first.org/tlp/)

** ENGLISH VERSION BELOW **
..
/snipped Dutch part
..

** ENGLISH VERSION **

Dear NCSC partner,

The NCSC would like to inform you about disruptive network scanning
activity performed by Recyber. These scanning activities caused a Denial of
Service (DoS) impact at multiple organisations. Read the section "Course of
action" below for more information about how you can mitigate disruptions
on your network.

=== Facts ===

* In the past few weeks, the NCSC received multiple reports from
(inter)national partners about disruptive network scanning behaviour
originating from infrastructure of Recyber. The amount of network traffic
caused a DoS impact at multiple organisations. This caused some systems or
networks to be unresponsive for a short amount of time.
* In all cases, the Transmission Control Protocol (TCP) was used to carry
out port scans. These scans were performed in parallel by multiple IP
addresses owned by Recyber. The scans targeted, among other things, common
web application ports. Organisations reported a traffic volume that, at
their peak, exceeded 3 million flows per second.
* Recyber offers an opt-out to organisations that don't want their networks
scanned. [1] However, multiple organisations indicated that Recyber does
not honour these opt-outs.
* The NCSC is not aware of Dutch organisations that use Recyber's services.
* The NCSC requested Recyber to reduce the amount of network scanning
traffic that they send to networks. As of yet, Recyber has not replied to
this request.
* The NCSC also asked Recyber's hosting provider to intervene. The hosting
provider has not yet taken appropriate action based on this request.
* Given the persistent scanning behaviour of Recyber, the NCSC published
this e-mail to inform its partners.

=== Interpretation ===

* Various service providers perform network scans for legitimate purposes.
The results can then be used by organisations to, for example, map their
attack surface or as part of vulnerability management. Similarly, security
researchers and CERTs can use scan results to identify vulnerable systems
and to notify their respective owners.
* Although network scanning in itself is not illegal or disruptive,
excessive scanning might be. When performing excessive scans, systems might
get overloaded, as is sometimes the case for scans carried out by Recyber.

=== Course of action ===

* On network edges, block all traffic originating from Recyber's IP
addresses. A list of Recyber related IP addresses is provided in the
attachment of this e-mail.
* Configure rate limiting for incoming network traffic. This limits the
impact of excessive network scanning on underlying systems.
* More information about protecting your systems against DoS attacks is
available on our website (in Dutch). [2]


[1] https[://]www[.]recyber[.]net

[2] https://www.ncsc.nl/wat-kun-je-zelf-doen/dreiging/ddos

[/TLP:GREEN]


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://nocvm.iucc.ac.il/pipermail/nemo-ddos-list/attachments/20250616/a4334eb1/attachment-0001.htm>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Recyber_ip_adresses.txt
URL: <http://nocvm.iucc.ac.il/pipermail/nemo-ddos-list/attachments/20250616/a4334eb1/attachment-0001.txt>
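
One way to apply the first two "Course of action" items on a Linux edge host, as an added example that is not part of the NCSC advisory or of this list post: turn an address list like the attached one into an nftables ruleset that drops the listed sources and rate-limits new TCP connections from everyone else. The table, set and chain names, the 200/second threshold, the prefix-length guard and the sample addresses (documentation prefixes) are all assumptions of this sketch.

```python
import ipaddress

SYN_RATE = "200/second"  # assumed per-source ceiling for new TCP; tune to your baseline
# Constructed sample (documentation prefixes), standing in for the attachment.
SAMPLE = """192.0.2.10
192.0.2.11
203[.]0[.]113[.]7   # defanged entry
2001:db8:1::/48
0.0.0.0/0
not-an-ip
"""

def parse_blocklist(text):
    """Return (v4, v6, rejected): collapsed networks plus the entries refused."""
    nets, rejected = {4: [], 6: []}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().replace("[.]", ".").replace("[:]", ":")
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
            # A prefix this short is more likely a typo than a scanner range.
            if net.prefixlen < (16 if net.version == 4 else 32):
                raise ValueError("prefix too broad")
        except ValueError:
            rejected.append(line)
            continue
        nets[net.version].append(net)
    collapse = ipaddress.collapse_addresses
    return list(collapse(nets[4])), list(collapse(nets[6])), rejected

def _set(name, kind, nets):
    out = f"    set {name} {{\n        type {kind}\n        flags interval\n"
    if nets:  # leave the elements line out entirely for an empty set
        out += "        elements = { " + ", ".join(map(str, nets)) + " }\n"
    return out + "    }\n"

def render_nft(v4, v6):
    # Drop listed sources early, then cap new TCP connections per IPv4 source.
    sets = _set("scanner_v4", "ipv4_addr", v4) + _set("scanner_v6", "ipv6_addr", v6)
    return f"""table inet edge_scan_guard {{
{sets}    set syn_meter {{ type ipv4_addr; size 65535; flags dynamic; timeout 1m; }}
    chain ingress_guard {{
        type filter hook prerouting priority raw; policy accept;
        ip saddr @scanner_v4 drop
        ip6 saddr @scanner_v6 drop
        tcp flags & (syn | ack) == syn add @syn_meter {{ ip saddr limit rate over {SYN_RATE} }} drop
    }}
}}
"""
```

Write the output of `render_nft(*parse_blocklist(text)[:2])` to a file and validate it with `nft -c -f <file>` before loading it; review the rejected entries by hand rather than discarding them silently.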

