RE: Suspicious IP reporting

[Jean St-Laurent via NANOG <nanog () nanog org>]

Hi Joe & Joe,

 

I’m not sure which Joe is the original Joe anymore, but I like this reply better than the previous one. 

It feels more informative and more useful to the community.

 

I just stumbled on this article.

https://www.zdnet.com/article/google-chrome-syncing-features-can-be-abused-for-c-c-and-data-exfiltration/

 

Could it be that what the OP observed is link to a browser vulnerability started to be exploited recently?

 

Cheers,
Jean

 

From: NANOG <nanog-bounces+jean=ddostest.me () nanog org> On Behalf Of Joe
Sent: February 5, 2021 9:51 AM
To: JoeSox <joesox () gmail com>
Cc: NANOG <nanog () nanog org>
Subject: Re: Suspicious IP reporting

 

Much like your banning of an email address is an ability you have with your provider (gmail), you should have the same 
abilities with your cellular provider for an IP address. 

I would think (at a minimum) you would be able to negotiate such an action with them, perhaps it is time to 
re-negotiate that contract?

If your simply trying to report an offending IP for brute force stuff perhaps the tact you may find more helpful is to 
ask for a contact at xzy ISP on list, versus asking folks to do reporting for you. As well there are like 100s of lists 
to report this to outside of NANOG  

As well, if I am reading this correctly, deployment of devices that have public facing IPs and do not have a means to 
protect themselves is concerning to say the least. 

This is about as reckless as putting up a login page without a password and crying foul when something gains access 
that you didn't expect. Again, I do not know all of the details of this so I may be way off base with that respect. 

 

If your ability to prevent issues is due to lack of a firewall/control to your network, possibly asking for help in 
mitigating such threats would be better, as there are a lot of very well versed/clever folks that help out.

Regards,


-Joe

 

 

On Thu, Feb 4, 2021 at 7:17 PM JoeSox <joesox () gmail com <mailto:joesox () gmail com> > wrote:

Ryan,

Thanks but like I said these devices are in moving vehicles ok?

I stated we have a plan but it is ways out.  

FACT: we have a known malicious C&C

FACT: We know what networks it is hitting and the cellular network is the most vulnerable, imo.

FACT: this IP is against Verizon terms of service so the way to address it is to report it to them as they request.

 

I honestly got what I needed from this thread, thanks. And I thank the nonbullies that helped me off list.

--

Thank You,

Joe 

 

 

On Thu, Feb 4, 2021 at 5:11 PM Ryan Hamel <administrator () rkhtech org <mailto:administrator () rkhtech org> > wrote:

Joe,

 

It isn’t on Verizon to setup a firewall, especially if you have a direct public IP service. The device being attached 
directly to the Internet (no matter the transmission medium), must be able to protect itself. ISPs provide routers 
which function as a NAT/Firewall appliance, to provide a means of safety and convenience for them, but also charge you 
a rental fee.

 

Stick a Cradlepoint router or something in front of your device, if you want an external means of protection. Otherwise 
you’ll need to enable the Windows Firewall if it’s a Windows system, or setup iptables on Linux, ipfw/pf on *BSD, etc.

 

Ryan

 

From: JoeSox <joesox () gmail com <mailto:joesox () gmail com> > 
Sent: Thursday, February 4, 2021 5:04 PM
To: ryan () rkhtech org <mailto:ryan () rkhtech org> 
Cc: TJ Trout <tj () pcguys us <mailto:tj () pcguys us> >; NANOG <nanog () nanog org <mailto:nanog () nanog org> >
Subject: Re: Suspicious IP reporting

 

How do I setup a firewall when I am not a Verizon engineer?

There is a firewall via the antivirus and operating system but that's it.

Do you not understand my issue? I thought that is the real problem with the online bullies in this thread.


--

Thank You,

Joe

 

 

On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel <administrator () rkhtech org <mailto:administrator () rkhtech org> > wrote:

Joe,

 

The underlying premise here is, “pick your battles”. If you don’t want an IP address to access your device in anyway, 
setup a firewall and properly configure it to accept whitelisted traffic only, or just expose a VPN endpoint. The 
Internet is full of both good and bad actors that probe and scan anything and everything.

 

While some appreciate the notification here, others will find it annoying. We cannot report anything malicious about an 
IP address on the Internet, unless it does harm to us specifically, otherwise it is false reporting and does create 
more noise at the ISP, and waste more time getting to the underlying issue.

 

Ryan

 

From: NANOG <nanog-bounces+ryan=rkhtech.org () nanog org <mailto:rkhtech.org () nanog org> > On Behalf Of JoeSox
Sent: Thursday, February 4, 2021 4:41 PM
To: TJ Trout <tj () pcguys us <mailto:tj () pcguys us> >
Cc: NANOG <nanog () nanog org <mailto:nanog () nanog org> >
Subject: Re: Suspicious IP reporting

 

Do others see this online bully started by Tom? The leader has spoken so the minions follow :)

This list  sometimes LOL

I think if everyone gets off their high horse, the list communication would be less noisy for the list veterans.


--

Thank You,

Joe

 

 

On Thu, Feb 4, 2021 at 4:36 PM TJ Trout <tj () pcguys us <mailto:tj () pcguys us> > wrote:

This seems like a highly suspect request coming from a North American network operator...? 

 

 

On Thu, Feb 4, 2021 at 10:23 AM JoeSox <joesox () gmail com <mailto:joesox () gmail com> > wrote:

 

This IP is hitting devices on cellular networks for the past day or so.

  https://www.abuseipdb.com/whois/79.124.62.86  

I think this is the info to report it to the ISP.  Any help or if everyone can report it, I would be a happy camper.

 

abuse () 4cloud mobi <mailto:abuse () 4cloud mobi> ; abuse () fiberinternet bg <mailto:abuse () fiberinternet bg> 

 

https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0

 

--

Thank You,

Joe