Re: Compromized modems in Thai IP Space

[Christopher Morrow <morrowc.lists () gmail com>]

On Tue, Aug 11, 2020 at 9:31 AM JORDI PALET MARTINEZ via NANOG
<nanog () nanog org> wrote:
> I don't know what you tried in APNIC, my experience is that they are usually responding very quickly.
>
> Have you tried the abuse contacts of the ISP?

For the Thai ISP space you might also get some traction just talking
to the thai cert org.
h  ttps://www.thaicert.or.th/about-en.html

perhaps even this path:
  https://www.thaicert.or.th/report-en.html

> If they fail, have you tried to escalate to escalation-abuse () apnic net, following our abuse-mailbox proposal 
> (https://www.apnic.net/wp-content/uploads/2018/08/prop-125-v001.txt), which was adopted long time ago?
>
>  You could also try the APNIC Talk mailing list.
>
> Regards,
> Jordi
> @jordipalet
>
>
>
> El 11/8/20 15:10, "NANOG en nombre de Alexander Maassen" <nanog-bounces+jordi.palet=consulintel.es () nanog org en 
> nombre de outsider () scarynet org> escribió:
>
>     Hello folks,
>
>     Before you shoot me with 'wrong mailing list' replies, believe me, I
>     tried, THNOG is dead, APNIC ain't responding either and the ISP's over
>     there don't seem to care much. And I've been looking at this situation for
>     over 2 years now since first incident. I simply hope that with the
>     contacts you folks have due to your professions to be able to help.
>
>     So, I came across this botnet which decided to pick my IRC network as
>     control center, and I have been digging into them. It turns out that in
>     Thailand, people can easily get cloned modems in order to internet for
>     'free', it simply boils down to mac cloning, so let me spare you the
>     details. The problem is that these modems also carry a digital STD in the
>     form of additional botnet code, allowing the controllers to do, well,
>     botnet stuff.
>
>     I disabled their ability to control by glining everything on join to the
>     control channel, and since I am maintainer of DroneBL, add them to the
>     blacklist. Doing that for 2+ years now. The amount of removal requests
>     because people no longer are able to play on cncnet is amazing.
>
>     My question here kinda is, how to permanently get rid of this evil in an
>     effective way, and who to contact? (yes, I tried to get through to NOC's
>     of the affected providers), or could perhaps someone be so nice to use one
>     of their contacts in Thailand to speed things up?
>
>     Kind regards,
>
>     Alexander Maassen
>     Maintainer DroneBL
>
>
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged or confidential. The information is intended to 
> be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, 
> distribution or use of the contents of this information, even if partially, including attached files, is strictly 
> prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any 
> disclosure, copying, distribution or use of the contents of this information, even if partially, including attached 
> files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to 
> inform about this communication and delete it.