Re: Suspicious IP reporting

["J. Hellenthal via NANOG" <nanog () nanog org>]

And just like deploying IoT devices in vehicles without proper security preparations will lead you to a C&C network … 
just saying the hammer swings both ways here and getting a IP reported isn’t going to do you any damn good at ALL.

Personally I’d rip those IoT vehicles off the market for a recall but I suspect we’ll be hearing of that in the not to 
distant future.

So in hindsight why don’t we just close down this thread here.

> On Feb 5, 2021, at 08:50, Joe <jbfixurpc () gmail com> wrote:
>
> Much like your banning of an email address is an ability you have with your provider (gmail), you should have the 
> same abilities with your cellular provider for an IP address. 
> I would think (at a minimum) you would be able to negotiate such an action with them, perhaps it is time to 
> re-negotiate that contract?
> If your simply trying to report an offending IP for brute force stuff perhaps the tact you may find more helpful is 
> to ask for a contact at xzy ISP on list, versus asking folks to do reporting for you. As well there are like 100s of 
> lists to report this to outside of NANOG  
> As well, if I am reading this correctly, deployment of devices that have public facing IPs and do not have a means to 
> protect themselves is concerning to say the least. 
> This is about as reckless as putting up a login page without a password and crying foul when something gains access 
> that you didn't expect. Again, I do not know all of the details of this so I may be way off base with that respect. 
>
> If your ability to prevent issues is due to lack of a firewall/control to your network, possibly asking for help in 
> mitigating such threats would be better, as there are a lot of very well versed/clever folks that help out.
> Regards,
> -Joe
>
>
> On Thu, Feb 4, 2021 at 7:17 PM JoeSox <joesox () gmail com> wrote:
> Ryan,
> Thanks but like I said these devices are in moving vehicles ok?
> I stated we have a plan but it is ways out.  
> FACT: we have a known malicious C&C
> FACT: We know what networks it is hitting and the cellular network is the most vulnerable, imo.
> FACT: this IP is against Verizon terms of service so the way to address it is to report it to them as they request.
>
> I honestly got what I needed from this thread, thanks. And I thank the nonbullies that helped me off list.
> --
> Thank You,
> Joe 
>
>
> On Thu, Feb 4, 2021 at 5:11 PM Ryan Hamel <administrator () rkhtech org> wrote:
> Joe,
>
>  
>
> It isn’t on Verizon to setup a firewall, especially if you have a direct public IP service. The device being attached 
> directly to the Internet (no matter the transmission medium), must be able to protect itself. ISPs provide routers 
> which function as a NAT/Firewall appliance, to provide a means of safety and convenience for them, but also charge 
> you a rental fee.
>
>  
>
> Stick a Cradlepoint router or something in front of your device, if you want an external means of protection. 
> Otherwise you’ll need to enable the Windows Firewall if it’s a Windows system, or setup iptables on Linux, ipfw/pf on 
> *BSD, etc.
>
>  
>
> Ryan
>
>  
>
> From: JoeSox <joesox () gmail com> 
> Sent: Thursday, February 4, 2021 5:04 PM
> To: ryan () rkhtech org
> Cc: TJ Trout <tj () pcguys us>; NANOG <nanog () nanog org>
> Subject: Re: Suspicious IP reporting
>
>  
>
> How do I setup a firewall when I am not a Verizon engineer?
>
> There is a firewall via the antivirus and operating system but that's it.
>
> Do you not understand my issue? I thought that is the real problem with the online bullies in this thread.
>
> --
>
> Thank You,
>
> Joe
>
>  
>
>  
>
> On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel <administrator () rkhtech org> wrote:
>
> Joe,
>
>  
>
> The underlying premise here is, “pick your battles”. If you don’t want an IP address to access your device in anyway, 
> setup a firewall and properly configure it to accept whitelisted traffic only, or just expose a VPN endpoint. The 
> Internet is full of both good and bad actors that probe and scan anything and everything.
>
>  
>
> While some appreciate the notification here, others will find it annoying. We cannot report anything malicious about 
> an IP address on the Internet, unless it does harm to us specifically, otherwise it is false reporting and does 
> create more noise at the ISP, and waste more time getting to the underlying issue.
>
>  
>
> Ryan
>
>  
>
> From: NANOG <nanog-bounces+ryan=rkhtech.org () nanog org> On Behalf Of JoeSox
> Sent: Thursday, February 4, 2021 4:41 PM
> To: TJ Trout <tj () pcguys us>
> Cc: NANOG <nanog () nanog org>
> Subject: Re: Suspicious IP reporting
>
>  
>
> Do others see this online bully started by Tom? The leader has spoken so the minions follow :)
>
> This list  sometimes LOL
>
> I think if everyone gets off their high horse, the list communication would be less noisy for the list veterans.
>
> --
>
> Thank You,
>
> Joe
>
>  
>
>  
>
> On Thu, Feb 4, 2021 at 4:36 PM TJ Trout <tj () pcguys us> wrote:
>
> This seems like a highly suspect request coming from a North American network operator...? 
>
>  
>
>  
>
> On Thu, Feb 4, 2021 at 10:23 AM JoeSox <joesox () gmail com> wrote:
>
>  
>
> This IP is hitting devices on cellular networks for the past day or so.
>
>   https://www.abuseipdb.com/whois/79.124.62.86  
>
> I think this is the info to report it to the ISP.  Any help or if everyone can report it, I would be a happy camper.
>
>  
>
> abuse () 4cloud mobi; abuse () fiberinternet bg
>
>  
>
> https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0
>
>  
>
> --
>
> Thank You,
>
> Joe


-- 

J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.