On Tue, Mar 4, 2014 at 5:46 AM, fmm <vo...@fakmoymozg.ru> wrote:
> On Tue, 04 Mar 2014 09:00:18 +0100, Jay Ashworth <j...@baylink.com> wrote:
>
>>
>> http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/
>>
>> Is there any valid reason not to black hole those /32s on the back bone?
>
>>> The telltale sign a router has been compromised is DNS settings that have
>>> been changed to 5.45.75.11 and 5.45.76.36. Team Cymru researchers contacted
>>> the provider that hosts those two IP addresses but have yet to receive a
>>> response.
>
> you wanted to say "blackhole those 5.45.72.0/22 and 5.45.76.0/22", didn't
> you?
>
> Cheers
>
Jay is right, it is just the /32s at the moment... Dropping the /22s could cause other sites to be blocked.

inetnum: 5.45.72.0 - 5.45.75.255
netname: INFERNO-NL-DE
descr: ********************************************************
descr: * We provide virtual and dedicated servers on this Subnet.
descr: *
descr: * Those services are self managed by our customers
descr: * therefore, we are not using this IP space ourselves
descr: * and it could be assigned to various end customers.
descr: *
descr: * In case of issues related with SPAM, Fraud,
descr: * Phishing, DDoS, portscans or others,
descr: * feel free to contact us with relevant info
descr: * and we will shut down this server: ab...@3nt.com
descr: ********************************************************
country: NL
admin-c: TNTS-RIPE
tech-c: TNTS-RIPE
status: ASSIGNED PA
mnt-by: MNT-3NT
mnt-routes: serverius-mnt
source: RIPE # Filtered

--
~ Andrew "lathama" Latham lath...@gmail.com http://lathama.net ~
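
The /32-versus-/22 scoping discussed in this thread, as an added example that is not part of the original messages: it audits a router inventory for the two resolver addresses from the quoted article and separates exact matches from addresses that only fall inside the wider /22s. The inventory format, device names and sample rows are constructed assumptions.

```python
import ipaddress

# The two rogue resolver addresses named in the quoted article.
ROGUE_RESOLVERS = {ipaddress.ip_address(a) for a in ("5.45.75.11", "5.45.76.36")}
# The wider prefixes proposed in the thread.
PROPOSED_22S = [ipaddress.ip_network(n) for n in ("5.45.72.0/22", "5.45.76.0/22")]

# Constructed sample: hypothetical CPE export, one "device dns1 dns2" row per line.
# cpe-0003 stands in for a customer legitimately using another host in the /22.
SAMPLE_INVENTORY = """\
cpe-0001 192.0.2.53 192.0.2.54
cpe-0002 5.45.75.11 5.45.76.36
cpe-0003 5.45.73.20 192.0.2.53
cpe-0004 5.45.76.36 198.51.100.53
cpe-0005 not-an-ip 192.0.2.53
"""

SEVERITY = ["clean", "unparsed", "collateral", "rogue"]  # lowest to highest

def classify(addr):
    """Return 'rogue' for an exact /32 match, 'collateral' for /22-only."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsed"
    if ip in ROGUE_RESOLVERS:
        return "rogue"
    if any(ip in net for net in PROPOSED_22S):
        return "collateral"
    return "clean"

def audit(inventory):
    """Map each device to the most severe verdict among its resolvers."""
    report = {}
    for line in inventory.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        verdicts = [classify(r) for r in fields[1:]]
        report[fields[0]] = max(verdicts, key=SEVERITY.index)
    return report

def blast_radius():
    """Addresses dropped by the /32 filters vs. by the two /22s."""
    return len(ROGUE_RESOLVERS), sum(n.num_addresses for n in PROPOSED_22S)

if __name__ == "__main__":
    for device, verdict in audit(SAMPLE_INVENTORY).items():
        print(device, verdict)
    print("addresses dropped (/32s, /22s):", blast_radius())
```

Devices reported as "collateral" are the ones a /22 blackhole would cut off even though they do not point at either rogue resolver.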