Hello Bertrand, Christopher, and Everyone,

I checked with Shadowserver Foundation data and confirmed that there is a range of suspicious traffic on 154.212.141.0/24 & 154.221.25.0/24. Unfortunately, having lots of customers infected is normal. The key is to have the tools to see the infections on your network, minimize the risk of your customers getting infected, and let them know that their systems are “owned.” Fortunately, The Shadowserver Foundation provides any network with an ASN and IPs (including v6) daily reports.
My recommendations:

1. Make sure your own networks are signed up for the Shadowserver Daily reports. These will give you on your network and customers, allowing you to see infected devices that might be sending out "suspicious traffic” to other networks. If this is new, check out Shadowserver Foundation’s YouTube channel: https://youtube.com/@shadowserver-foundation.

2. Contact HK CERT. Ask for their help to reach out to ASN 9465 & ASN 142403.

3. Contact ASN 9465 & ASN 142403 directly. Recommend that they sign up to Shadowserver’s daily reporting. The reports are a public benefit (free) to any network. It has always been my first security tool I get turned on to protect my networks. ASN 9465 & ASN 142403 can use the Daily Shadowserver Reports to confirm what you are seeing from their network.

Let me know if the APNIC-Talk community would like an updated Shadowserver talk tuned to the community. I can pull together a quick webinar. You can then “invite ASN 9465 & ASN 142403” to join the webinar.

Barry

> On May 22, 2025, at 10:44 AM, Bertrand Cherrier via APNIC-talk
> <[email protected]> wrote:
>
> Hi Chris,
>
> We are seeing bad traffic from the block next door as well, dictionary
> attacks on ssh, same owner
>
> route: 154.221.25.0/24
> descr: Yisu Cloud Ltd
> origin: AS142403
> mnt-by: LARUS-SERVICE-MNT
> source: AFRINIC # Filtered
>
>
> On Thu 15 May 2025, at 14:28, Christopher Hawker wrote:
>> Hello folks,
>>
>> The IP address subnet 154.212.141.0/24 has sent 152 L2TP UDP packets from 55
>> different addresses over a 5-hour window to a number of addresses on an
>> APNIC-delegated subnet that I manage. Apparently, this space was "delegated"
>> to Cloud Innovation by AFRINIC, and shows that it's under management by
>> Larus...
>>
>> Has anyone seen anything similar?
>>
>> Regards,
>> Christopher Hawker
>>
>> _______________________________________________
>> APNIC-talk - https://mailman.apnic.net/[email protected]/
>> To unsubscribe send an email to [email protected]
>
> Regards,
> _________________
> Bertrand Cherrier
> [email protected]
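As an added example (not from this thread or from Shadowserver), a short Python script that aggregates UDP/1701 (L2TP) flow records by source /24 and reports packet count, distinct source hosts and the time span, so a pattern like the one Christopher describes can be confirmed from your own logs before contacting the upstream ASN. The log line format and the sample flows are constructed; a real NetFlow or firewall export needs its own parser.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

L2TP_PORT = 1701  # IANA-registered L2TP port

# Constructed sample flows: "<ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_FLOWS = """\
2025-05-15T09:00:01 154.212.141.17 203.0.113.10 udp 1701
2025-05-15T09:12:44 154.212.141.88 203.0.113.11 udp 1701
2025-05-15T10:03:09 154.212.141.17 203.0.113.12 udp 1701
2025-05-15T11:30:00 154.212.141.201 203.0.113.10 udp 1701
2025-05-15T11:31:00 154.212.141.201 203.0.113.10 udp 53
2025-05-15T12:45:13 198.51.100.5 203.0.113.10 udp 1701
2025-05-15T13:59:59 154.212.141.42 203.0.113.13 udp 1701
"""

def summarise_l2tp(flow_text, prefixlen=24):
    """Return {prefix: (packets, distinct_sources, hours_spanned)} for UDP/1701 flows."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    first_seen, last_seen = {}, {}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst, proto, dport = line.split()
        if proto != "udp" or int(dport) != L2TP_PORT:
            continue  # only L2TP probes are of interest here
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        when = datetime.fromisoformat(ts)
        packets[net] += 1
        sources[net].add(src)
        first_seen[net] = min(first_seen.get(net, when), when)
        last_seen[net] = max(last_seen.get(net, when), when)
    return {
        str(net): (packets[net], len(sources[net]),
                   round((last_seen[net] - first_seen[net]).total_seconds() / 3600, 2))
        for net in packets
    }

def suspicious_prefixes(summary, min_sources=3):
    """Prefixes whose L2TP probes came from at least min_sources distinct hosts (threshold is an assumption)."""
    return sorted(p for p, (_pk, srcs, _h) in summary.items() if srcs >= min_sources)

if __name__ == "__main__":
    summary = summarise_l2tp(SAMPLE_FLOWS)
    for prefix, stats in summary.items():
        print(prefix, stats)
    print("flag for abuse report:", suspicious_prefixes(summary))
```

The per-prefix tuple gives the three figures an abuse contact or CERT will ask for: how many packets, from how many distinct hosts, over how long.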
