Re: Attacks from poneytelecom.eu

[Fredrik Korsbäck <hugge () nordu net>]

Depends on what "legitimate" means.

We have a decent amount of traffic to the network (like 2Gbps sustained in any afternoon). Its typically a mix of 
bittorrent, tor-relay traffic, ftp-transfers and of course the expected scanners, malware-hosts, ddos-bots and such.

For me Poney/Illiad/Online.net/Scaleway has always been a bulletproof hoster (or bulletproof transit even), the response 
to abuse has always been NIL. I know tons of my customers just blocks out their whole ip-ranges in their SIP-servers and 
email-machines to lessen the white-noise.

However - judging from the Online.net website it atleast seems that they are trying to up their game and look like 
something that would be attractive to a legitimate business to consider. On the other hand, looking at 
http://as12876.net/  it looks more like something that would rather fit as a place where i put the shady stuff, so not 
sure where on the map they fall these days.



> AS12876 is online.net... home of the €2.99 physical server, perfect for all of your favorite illegitimate activity. I’m 
> curious how much traffic originates from that ASN that is actually legitimate... probably close to none.
>
> Sent from my iPhone
>
> > On Jan 3, 2018, at 1:35 AM, Troy Mursch <troy () wolvtech com> wrote:
> >
> > Dovid,
> >
> > Back in September, I documented my poor experience with AS12876 here:
> > https://badpackets.net/ongoing-large-scale-sip-attack-
> > campaign-coming-from-online-sas-as12876/
> > Since then, their handling of abuse notifications (or lack thereof) has
> > largely remained the same. The volume of malicious traffic from their
> > network hasn't decreased either.
> >
> > As you noted, others have reported similar issues with AS12876, including
> > my associate Dr. Neal Krawetz: https://twitter.com/h
> > ackerfactor/status/932593355648667649. I've also compiled a list of
> > complaints regarding AS12876 in this thread: https://twitter.com/ba
> > d_packets/status/937220987371732992
> >
> >
> > Thanks,
> > __
> >
> > *Troy Mursch*
> >
> > @bad_packets <https://twitter.com/bad_packets>
> >
> > > On Tue, Jan 2, 2018 at 6:51 PM, Dovid Bender <dovid () telecurve com> wrote:
> > >
> > > Hi All,
> > >
> > > Lately we have seen a lot of attacks from IPs where the PTR record ends in
> > > poneytelecom.eu to PBX systems. A quick search on twitter (
> > > https://twitter.com/hashtag/poneytelecom) shows multiple people
> > > complaining
> > > that they reported the IP's yet nothing happens. Has anyone had the
> > > pleasure of dealing with them and have you gotten anywhere? I wonder if the
> > > only option is public shaming.
> > >
> > > I would rather not ban their AS as it may hurt legit traffic but I am out
> > > of ideas at this point....
> > >
> > > TIA.
> > >
> > > Dovid


--
hugge