NAT VM abusing resources

[FlorinMarian]

Hi, guys!
I encounter an unpredictibile situation on my small business.
After selling over 100 NAT IPv4 VMs with 50 public ports each and /64 IPv6, I've started to receive abuse reports on NAT IPv4 which says that one of my customer scans random hosts for weak passwords and things like this.
Because exit port on my IPv4 is a temporary one (52xxx), how can I find who's abuser?
Any tip is welcome.
Thank you!

 

[oguz]

hi,

After selling over 100 NAT IPv4 VMs with 50 public ports each and /64 IPv6, I've started to receive abuse reports on NAT IPv4 which says that one of my customer scans random hosts for weak passwords and things like this.

you can try capturing packets on the host wherever the abuse was reported, and figure out who's doing it by analyzing the packet logs.

if it's scanning activity, then you could look for outbound connections to a lot of hosts... maybe on SSH or SMTP ports (common targets).

keep in mind the "abuser" might also be just some server that was compromised (weak passwords? ) and now being used to attack others.

 

[FlorinMarian]

hi,


you can try capturing packets on the host wherever the abuse was reported, and figure out who's doing it by analyzing the packet logs.

if it's scanning activity, then you could look for outbound connections to a lot of hosts... maybe on SSH or SMTP ports (common targets).

keep in mind the "abuser" might also be just some server that was compromised (weak passwords? ) and now being used to attack others.

Thank you. Opted to refund all NAT LXC containers which were unable to pay extra for dedicated IP address because it was too difficult to identify abuser and I was very close to lose my whole rented /24 subnet.
Best regards, Florin.