RE: Suspicious IP reporting
Hi Joe & Joe, I’m not sure which Joe is the original Joe anymore, but I like this reply better than the previous one. It feels more informative and more useful to the community. I just stumbled on this article. https://www.zdnet.com/article/google-chrome-syncing-features-can-be-abused-for-c-c-and-data-exfiltration/ Could it be that what the OP observed is link to a browser vulnerability started to be exploited recently? Cheers, Jean From: NANOG On Behalf Of Joe Sent: February 5, 2021 9:51 AM To: JoeSox Cc: NANOG Subject: Re: Suspicious IP reporting Much like your banning of an email address is an ability you have with your provider (gmail), you should have the same abilities with your cellular provider for an IP address. I would think (at a minimum) you would be able to negotiate such an action with them, perhaps it is time to re-negotiate that contract? If your simply trying to report an offending IP for brute force stuff perhaps the tact you may find more helpful is to ask for a contact at xzy ISP on list, versus asking folks to do reporting for you. As well there are like 100s of lists to report this to outside of NANOG As well, if I am reading this correctly, deployment of devices that have public facing IPs and do not have a means to protect themselves is concerning to say the least. This is about as reckless as putting up a login page without a password and crying foul when something gains access that you didn't expect. Again, I do not know all of the details of this so I may be way off base with that respect. If your ability to prevent issues is due to lack of a firewall/control to your network, possibly asking for help in mitigating such threats would be better, as there are a lot of very well versed/clever folks that help out. Regards, -Joe On Thu, Feb 4, 2021 at 7:17 PM JoeSox mailto:joe...@gmail.com> > wrote: Ryan, Thanks but like I said these devices are in moving vehicles ok? I stated we have a plan but it is ways out. FACT: we have a known malicious C FACT: We know what networks it is hitting and the cellular network is the most vulnerable, imo. FACT: this IP is against Verizon terms of service so the way to address it is to report it to them as they request. I honestly got what I needed from this thread, thanks. And I thank the nonbullies that helped me off list. -- Thank You, Joe On Thu, Feb 4, 2021 at 5:11 PM Ryan Hamel mailto:administra...@rkhtech.org> > wrote: Joe, It isn’t on Verizon to setup a firewall, especially if you have a direct public IP service. The device being attached directly to the Internet (no matter the transmission medium), must be able to protect itself. ISPs provide routers which function as a NAT/Firewall appliance, to provide a means of safety and convenience for them, but also charge you a rental fee. Stick a Cradlepoint router or something in front of your device, if you want an external means of protection. Otherwise you’ll need to enable the Windows Firewall if it’s a Windows system, or setup iptables on Linux, ipfw/pf on *BSD, etc. Ryan From: JoeSox mailto:joe...@gmail.com> > Sent: Thursday, February 4, 2021 5:04 PM To: r...@rkhtech.org <mailto:r...@rkhtech.org> Cc: TJ Trout mailto:t...@pcguys.us> >; NANOG mailto:nanog@nanog.org> > Subject: Re: Suspicious IP reporting How do I setup a firewall when I am not a Verizon engineer? There is a firewall via the antivirus and operating system but that's it. Do you not understand my issue? I thought that is the real problem with the online bullies in this thread. -- Thank You, Joe On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel mailto:administra...@rkhtech.org> > wrote: Joe, The underlying premise here is, “pick your battles”. If you don’t want an IP address to access your device in anyway, setup a firewall and properly configure it to accept whitelisted traffic only, or just expose a VPN endpoint. The Internet is full of both good and bad actors that probe and scan anything and everything. While some appreciate the notification here, others will find it annoying. We cannot report anything malicious about an IP address on the Internet, unless it does harm to us specifically, otherwise it is false reporting and does create more noise at the ISP, and waste more time getting to the underlying issue. Ryan From: NANOG mailto:rkhtech@nanog.org> > On Behalf Of JoeSox Sent: Thursday, February 4, 2021 4:41 PM To: TJ Trout mailto:t...@pcguys.us> > Cc: NANOG mailto:nanog@nanog.org> > Subject: Re: Suspicious IP reporting Do others see this online bully started by Tom? The leader has spoken so the minions follow :) This list sometimes LOL I think if everyone gets off their high horse, the list communication would be less noisy for the list veterans. -- Thank You, Joe On Thu, Feb 4, 2021 at 4:
Re: Suspicious IP reporting
Let's assume that I submitted an abuse report on your behalf. I'm not going to do it on behalf of my company; I'm not seeing this issue. So I'd have to do it in a personal capacity. Who do I report it to? Let's say my ISP is Charter, and my cell provider is AT Reporting to either one would not provide you any benefit, since you are seeing the suspect traffic to you via Verizon. Let's assume I file the reports anyways. What do I say? I haven't seen the traffic in question, so I have no idea what it is. I can't provide any specifics in my abuse report that would be helpful. I'm certainly not going to just copypasta some information from abusedbip; I can't speak to the accuracy of anything there. Finally, I'm just another guy on the list, nobody special. I certainly don't feel that there was any bullying involved on my part or others, but I won't comment further; the intensity of your reaction would lead me to believe it would be unproductive. Best of luck in addressing your issues. On Thu, Feb 4, 2021 at 8:17 PM JoeSox wrote: > Ryan, > Thanks but like I said these devices are in moving vehicles ok? > I stated we have a plan but it is ways out. > FACT: we have a known malicious C > FACT: We know what networks it is hitting and the cellular network is the > most vulnerable, imo. > FACT: this IP is against Verizon terms of service so the way to address it > is to report it to them as they request. > > I honestly got what I needed from this thread, thanks. And I thank the > nonbullies that helped me off list. > -- > Thank You, > Joe > > > On Thu, Feb 4, 2021 at 5:11 PM Ryan Hamel > wrote: > >> Joe, >> >> >> >> It isn’t on Verizon to setup a firewall, especially if you have a direct >> public IP service. The device being attached directly to the Internet (no >> matter the transmission medium), must be able to protect itself. ISPs >> provide routers which function as a NAT/Firewall appliance, to provide a >> means of safety and convenience for them, but also charge you a rental fee. >> >> >> >> Stick a Cradlepoint router or something in front of your device, if you >> want an external means of protection. Otherwise you’ll need to enable the >> Windows Firewall if it’s a Windows system, or setup iptables on Linux, >> ipfw/pf on *BSD, etc. >> >> >> >> Ryan >> >> >> >> *From:* JoeSox >> *Sent:* Thursday, February 4, 2021 5:04 PM >> *To:* r...@rkhtech.org >> *Cc:* TJ Trout ; NANOG >> *Subject:* Re: Suspicious IP reporting >> >> >> >> How do I setup a firewall when I am not a Verizon engineer? >> >> There is a firewall via the antivirus and operating system but that's it. >> >> Do you not understand my issue? I thought that is the real problem with >> the online bullies in this thread. >> >> -- >> >> Thank You, >> >> Joe >> >> >> >> >> >> On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel >> wrote: >> >> Joe, >> >> >> >> The underlying premise here is, “pick your battles”. If you don’t want an >> IP address to access your device in anyway, setup a firewall and properly >> configure it to accept whitelisted traffic only, or just expose a VPN >> endpoint. The Internet is full of both good and bad actors that probe and >> scan anything and everything. >> >> >> >> While some appreciate the notification here, others will find it >> annoying. We cannot report anything malicious about an IP address on the >> Internet, unless it does harm to us specifically, otherwise it is false >> reporting and does create more noise at the ISP, and waste more time >> getting to the underlying issue. >> >> >> >> Ryan >> >> >> >> *From:* NANOG *On Behalf Of * >> JoeSox >> *Sent:* Thursday, February 4, 2021 4:41 PM >> *To:* TJ Trout >> *Cc:* NANOG >> *Subject:* Re: Suspicious IP reporting >> >> >> >> Do others see this online bully started by Tom? The leader has spoken so >> the minions follow :) >> >> This list sometimes LOL >> >> I think if everyone gets off their high horse, the list communication >> would be less noisy for the list veterans. >> >> -- >> >> Thank You, >> >> Joe >> >> >> >> >> >> On Thu, Feb 4, 2021 at 4:36 PM TJ Trout wrote: >> >> This seems like a highly suspect request coming from a North American >> network operator...? >> >> >> >> >> >> On Thu, Feb 4, 2021 at 10:23 AM JoeSox wrote: >> >> >> >> This IP is hitting devices on cellular networks for the past day or so. >> >> https://www.abuseipdb.com/whois/79.124.62.86 >> >> I think this is the info to report it to the ISP. Any help or if >> everyone can report it, I would be a happy camper. >> >> >> >> ab...@4cloud.mobi; ab...@fiberinternet.bg >> >> >> >> https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 >> >> >> >> -- >> >> Thank You, >> >> Joe >> >>
Re: Suspicious IP reporting
Sorry wasn’t meant directly aimed at you… unless you are the same person \? > On Feb 5, 2021, at 09:12, J. Hellenthal wrote: > > And just like deploying IoT devices in vehicles without proper security > preparations will lead you to a C network … just saying the hammer swings > both ways here and getting a IP reported isn’t going to do you any damn good > at ALL. > > Personally I’d rip those IoT vehicles off the market for a recall but I > suspect we’ll be hearing of that in the not to distant future. > > So in hindsight why don’t we just close down this thread here. > >> On Feb 5, 2021, at 08:50, Joe wrote: >> >> Much like your banning of an email address is an ability you have with your >> provider (gmail), you should have the same abilities with your cellular >> provider for an IP address. >> I would think (at a minimum) you would be able to negotiate such an action >> with them, perhaps it is time to re-negotiate that contract? >> If your simply trying to report an offending IP for brute force stuff >> perhaps the tact you may find more helpful is to ask for a contact at xzy >> ISP on list, versus asking folks to do reporting for you. As well there are >> like 100s of lists to report this to outside of NANOG >> As well, if I am reading this correctly, deployment of devices that have >> public facing IPs and do not have a means to protect themselves is >> concerning to say the least. >> This is about as reckless as putting up a login page without a password and >> crying foul when something gains access that you didn't expect. Again, I do >> not know all of the details of this so I may be way off base with that >> respect. >> >> If your ability to prevent issues is due to lack of a firewall/control to >> your network, possibly asking for help in mitigating such threats would be >> better, as there are a lot of very well versed/clever folks that help out. >> Regards, >> -Joe >> >> >> On Thu, Feb 4, 2021 at 7:17 PM JoeSox wrote: >> Ryan, >> Thanks but like I said these devices are in moving vehicles ok? >> I stated we have a plan but it is ways out. >> FACT: we have a known malicious C >> FACT: We know what networks it is hitting and the cellular network is the >> most vulnerable, imo. >> FACT: this IP is against Verizon terms of service so the way to address it >> is to report it to them as they request. >> >> I honestly got what I needed from this thread, thanks. And I thank the >> nonbullies that helped me off list. >> -- >> Thank You, >> Joe >> >> >> On Thu, Feb 4, 2021 at 5:11 PM Ryan Hamel wrote: >> Joe, >> >> >> >> It isn’t on Verizon to setup a firewall, especially if you have a direct >> public IP service. The device being attached directly to the Internet (no >> matter the transmission medium), must be able to protect itself. ISPs >> provide routers which function as a NAT/Firewall appliance, to provide a >> means of safety and convenience for them, but also charge you a rental fee. >> >> >> >> Stick a Cradlepoint router or something in front of your device, if you want >> an external means of protection. Otherwise you’ll need to enable the Windows >> Firewall if it’s a Windows system, or setup iptables on Linux, ipfw/pf on >> *BSD, etc. >> >> >> >> Ryan >> >> >> >> From: JoeSox >> Sent: Thursday, February 4, 2021 5:04 PM >> To: r...@rkhtech.org >> Cc: TJ Trout ; NANOG >> Subject: Re: Suspicious IP reporting >> >> >> >> How do I setup a firewall when I am not a Verizon engineer? >> >> There is a firewall via the antivirus and operating system but that's it. >> >> Do you not understand my issue? I thought that is the real problem with the >> online bullies in this thread. >> >> -- >> >> Thank You, >> >> Joe >> >> >> >> >> >> On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel wrote: >> >> Joe, >> >> >> >> The underlying premise here is, “pick your battles”. If you don’t want an IP >> address to access your device in anyway, setup a firewall and properly >> configure it to accept whitelisted traffic only, or just expose a VPN >> endpoint. The Internet is full of both good and bad actors that probe and >> scan anything and everything. >> >> >> >> While some appreciate the notification here, others will find it annoying. >> We cannot report
Re: Suspicious IP reporting
And just like deploying IoT devices in vehicles without proper security preparations will lead you to a C network … just saying the hammer swings both ways here and getting a IP reported isn’t going to do you any damn good at ALL. Personally I’d rip those IoT vehicles off the market for a recall but I suspect we’ll be hearing of that in the not to distant future. So in hindsight why don’t we just close down this thread here. > On Feb 5, 2021, at 08:50, Joe wrote: > > Much like your banning of an email address is an ability you have with your > provider (gmail), you should have the same abilities with your cellular > provider for an IP address. > I would think (at a minimum) you would be able to negotiate such an action > with them, perhaps it is time to re-negotiate that contract? > If your simply trying to report an offending IP for brute force stuff perhaps > the tact you may find more helpful is to ask for a contact at xzy ISP on > list, versus asking folks to do reporting for you. As well there are like > 100s of lists to report this to outside of NANOG > As well, if I am reading this correctly, deployment of devices that have > public facing IPs and do not have a means to protect themselves is concerning > to say the least. > This is about as reckless as putting up a login page without a password and > crying foul when something gains access that you didn't expect. Again, I do > not know all of the details of this so I may be way off base with that > respect. > > If your ability to prevent issues is due to lack of a firewall/control to > your network, possibly asking for help in mitigating such threats would be > better, as there are a lot of very well versed/clever folks that help out. > Regards, > -Joe > > > On Thu, Feb 4, 2021 at 7:17 PM JoeSox wrote: > Ryan, > Thanks but like I said these devices are in moving vehicles ok? > I stated we have a plan but it is ways out. > FACT: we have a known malicious C > FACT: We know what networks it is hitting and the cellular network is the > most vulnerable, imo. > FACT: this IP is against Verizon terms of service so the way to address it is > to report it to them as they request. > > I honestly got what I needed from this thread, thanks. And I thank the > nonbullies that helped me off list. > -- > Thank You, > Joe > > > On Thu, Feb 4, 2021 at 5:11 PM Ryan Hamel wrote: > Joe, > > > > It isn’t on Verizon to setup a firewall, especially if you have a direct > public IP service. The device being attached directly to the Internet (no > matter the transmission medium), must be able to protect itself. ISPs provide > routers which function as a NAT/Firewall appliance, to provide a means of > safety and convenience for them, but also charge you a rental fee. > > > > Stick a Cradlepoint router or something in front of your device, if you want > an external means of protection. Otherwise you’ll need to enable the Windows > Firewall if it’s a Windows system, or setup iptables on Linux, ipfw/pf on > *BSD, etc. > > > > Ryan > > > > From: JoeSox > Sent: Thursday, February 4, 2021 5:04 PM > To: r...@rkhtech.org > Cc: TJ Trout ; NANOG > Subject: Re: Suspicious IP reporting > > > > How do I setup a firewall when I am not a Verizon engineer? > > There is a firewall via the antivirus and operating system but that's it. > > Do you not understand my issue? I thought that is the real problem with the > online bullies in this thread. > > -- > > Thank You, > > Joe > > > > > > On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel wrote: > > Joe, > > > > The underlying premise here is, “pick your battles”. If you don’t want an IP > address to access your device in anyway, setup a firewall and properly > configure it to accept whitelisted traffic only, or just expose a VPN > endpoint. The Internet is full of both good and bad actors that probe and > scan anything and everything. > > > > While some appreciate the notification here, others will find it annoying. We > cannot report anything malicious about an IP address on the Internet, unless > it does harm to us specifically, otherwise it is false reporting and does > create more noise at the ISP, and waste more time getting to the underlying > issue. > > > > Ryan > > > > From: NANOG On Behalf Of JoeSox > Sent: Thursday, February 4, 2021 4:41 PM > To: TJ Trout > Cc: NANOG > Subject: Re: Suspicious IP reporting > > > > Do others see this online bully started by Tom? The leader has spoken so the > minions follow :) > > This list sometimes
Re: Suspicious IP reporting
Much like your banning of an email address is an ability you have with your provider (gmail), you should have the same abilities with your cellular provider for an IP address. I would think (at a minimum) you would be able to negotiate such an action with them, perhaps it is time to re-negotiate that contract? If your simply trying to report an offending IP for brute force stuff perhaps the tact you may find more helpful is to ask for a contact at xzy ISP on list, versus asking folks to do reporting for you. As well there are like 100s of lists to report this to outside of NANOG As well, if I am reading this correctly, deployment of devices that have public facing IPs and do not have a means to protect themselves is concerning to say the least. This is about as reckless as putting up a login page without a password and crying foul when something gains access that you didn't expect. Again, I do not know all of the details of this so I may be way off base with that respect. If your ability to prevent issues is due to lack of a firewall/control to your network, possibly asking for help in mitigating such threats would be better, as there are a lot of very well versed/clever folks that help out. Regards, -Joe On Thu, Feb 4, 2021 at 7:17 PM JoeSox wrote: > Ryan, > Thanks but like I said these devices are in moving vehicles ok? > I stated we have a plan but it is ways out. > FACT: we have a known malicious C > FACT: We know what networks it is hitting and the cellular network is the > most vulnerable, imo. > FACT: this IP is against Verizon terms of service so the way to address it > is to report it to them as they request. > > I honestly got what I needed from this thread, thanks. And I thank the > nonbullies that helped me off list. > -- > Thank You, > Joe > > > On Thu, Feb 4, 2021 at 5:11 PM Ryan Hamel > wrote: > >> Joe, >> >> >> >> It isn’t on Verizon to setup a firewall, especially if you have a direct >> public IP service. The device being attached directly to the Internet (no >> matter the transmission medium), must be able to protect itself. ISPs >> provide routers which function as a NAT/Firewall appliance, to provide a >> means of safety and convenience for them, but also charge you a rental fee. >> >> >> >> Stick a Cradlepoint router or something in front of your device, if you >> want an external means of protection. Otherwise you’ll need to enable the >> Windows Firewall if it’s a Windows system, or setup iptables on Linux, >> ipfw/pf on *BSD, etc. >> >> >> >> Ryan >> >> >> >> *From:* JoeSox >> *Sent:* Thursday, February 4, 2021 5:04 PM >> *To:* r...@rkhtech.org >> *Cc:* TJ Trout ; NANOG >> *Subject:* Re: Suspicious IP reporting >> >> >> >> How do I setup a firewall when I am not a Verizon engineer? >> >> There is a firewall via the antivirus and operating system but that's it. >> >> Do you not understand my issue? I thought that is the real problem with >> the online bullies in this thread. >> >> -- >> >> Thank You, >> >> Joe >> >> >> >> >> >> On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel >> wrote: >> >> Joe, >> >> >> >> The underlying premise here is, “pick your battles”. If you don’t want an >> IP address to access your device in anyway, setup a firewall and properly >> configure it to accept whitelisted traffic only, or just expose a VPN >> endpoint. The Internet is full of both good and bad actors that probe and >> scan anything and everything. >> >> >> >> While some appreciate the notification here, others will find it >> annoying. We cannot report anything malicious about an IP address on the >> Internet, unless it does harm to us specifically, otherwise it is false >> reporting and does create more noise at the ISP, and waste more time >> getting to the underlying issue. >> >> >> >> Ryan >> >> >> >> *From:* NANOG *On Behalf Of * >> JoeSox >> *Sent:* Thursday, February 4, 2021 4:41 PM >> *To:* TJ Trout >> *Cc:* NANOG >> *Subject:* Re: Suspicious IP reporting >> >> >> >> Do others see this online bully started by Tom? The leader has spoken so >> the minions follow :) >> >> This list sometimes LOL >> >> I think if everyone gets off their high horse, the list communication >> would be less noisy for the list veterans. >> >> -- >> >> Thank You, >> >> Joe >> >> >> >> >> >> On Thu, Feb 4, 2021 at 4:36 PM TJ Trout wrote: >> >> This seems like a highly suspect request coming from a North American >> network operator...? >> >> >> >> >> >> On Thu, Feb 4, 2021 at 10:23 AM JoeSox wrote: >> >> >> >> This IP is hitting devices on cellular networks for the past day or so. >> >> https://www.abuseipdb.com/whois/79.124.62.86 >> >> I think this is the info to report it to the ISP. Any help or if >> everyone can report it, I would be a happy camper. >> >> >> >> ab...@4cloud.mobi; ab...@fiberinternet.bg >> >> >> >> https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 >> >> >> >> -- >> >> Thank You, >> >> Joe >> >>
Re: Suspicious IP reporting
While I agree that reporting something not observed just creates a lot of unnecessary work for the recipient in processing all of the unsubstantiated reports (that don't match traffic logs, etc), that isn't the point of my message. I would point out that most people would call such reports spam at the least. Another term for the same thing, brigading, rarely works out satisfactorily for anyone either. Success with asking a service provider to take action is always going to be a crapshoot, but it will almost never be fast in any case. If there is a C2 server known to be contacting a host you manage, the bigger problem to me would seem to be the compromised host, rather than the C2. It could be exfiltrating sensitive data to the attacker right now. An established attacker will have dozens or hundreds of C2s. Do you intend to pursue all of them individually? If the organization isn't prepared to start an appropriate incident response on a compromised host in a timely manner, perhaps they will learn from and correct that security posture weakness in the future. Regards Dave On Thu, Feb 4, 2021 at 7:17 PM JoeSox wrote: > Ryan, > Thanks but like I said these devices are in moving vehicles ok? > I stated we have a plan but it is ways out. > FACT: we have a known malicious C > FACT: We know what networks it is hitting and the cellular network is the > most vulnerable, imo. > FACT: this IP is against Verizon terms of service so the way to address it > is to report it to them as they request. > > I honestly got what I needed from this thread, thanks. And I thank the > nonbullies that helped me off list. > -- > Thank You, > Joe > > > On Thu, Feb 4, 2021 at 5:11 PM Ryan Hamel > wrote: > >> Joe, >> >> >> >> It isn’t on Verizon to setup a firewall, especially if you have a direct >> public IP service. The device being attached directly to the Internet (no >> matter the transmission medium), must be able to protect itself. ISPs >> provide routers which function as a NAT/Firewall appliance, to provide a >> means of safety and convenience for them, but also charge you a rental fee. >> >> >> >> Stick a Cradlepoint router or something in front of your device, if you >> want an external means of protection. Otherwise you’ll need to enable the >> Windows Firewall if it’s a Windows system, or setup iptables on Linux, >> ipfw/pf on *BSD, etc. >> >> >> >> Ryan >> >> >> >> *From:* JoeSox >> *Sent:* Thursday, February 4, 2021 5:04 PM >> *To:* r...@rkhtech.org >> *Cc:* TJ Trout ; NANOG >> *Subject:* Re: Suspicious IP reporting >> >> >> >> How do I setup a firewall when I am not a Verizon engineer? >> >> There is a firewall via the antivirus and operating system but that's it. >> >> Do you not understand my issue? I thought that is the real problem with >> the online bullies in this thread. >> >> -- >> >> Thank You, >> >> Joe >> >> >> >> >> >> On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel >> wrote: >> >> Joe, >> >> >> >> The underlying premise here is, “pick your battles”. If you don’t want an >> IP address to access your device in anyway, setup a firewall and properly >> configure it to accept whitelisted traffic only, or just expose a VPN >> endpoint. The Internet is full of both good and bad actors that probe and >> scan anything and everything. >> >> >> >> While some appreciate the notification here, others will find it >> annoying. We cannot report anything malicious about an IP address on the >> Internet, unless it does harm to us specifically, otherwise it is false >> reporting and does create more noise at the ISP, and waste more time >> getting to the underlying issue. >> >> >> >> Ryan >> >> >> >> *From:* NANOG *On Behalf Of * >> JoeSox >> *Sent:* Thursday, February 4, 2021 4:41 PM >> *To:* TJ Trout >> *Cc:* NANOG >> *Subject:* Re: Suspicious IP reporting >> >> >> >> Do others see this online bully started by Tom? The leader has spoken so >> the minions follow :) >> >> This list sometimes LOL >> >> I think if everyone gets off their high horse, the list communication >> would be less noisy for the list veterans. >> >> -- >> >> Thank You, >> >> Joe >> >> >> >> >> >> On Thu, Feb 4, 2021 at 4:36 PM TJ Trout wrote: >> >> This seems like a highly suspect request coming from a North American >> network operator...? >> >> >> >> >> >> On Thu, Feb 4, 2021 at 10:23 AM JoeSox wrote: >> >> >> >> This IP is hitting devices on cellular networks for the past day or so. >> >> https://www.abuseipdb.com/whois/79.124.62.86 >> >> I think this is the info to report it to the ISP. Any help or if >> everyone can report it, I would be a happy camper. >> >> >> >> ab...@4cloud.mobi; ab...@fiberinternet.bg >> >> >> >> https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 >> >> >> >> -- >> >> Thank You, >> >> Joe >> >>
Re: Suspicious IP reporting
Ryan, Thanks but like I said these devices are in moving vehicles ok? I stated we have a plan but it is ways out. FACT: we have a known malicious C FACT: We know what networks it is hitting and the cellular network is the most vulnerable, imo. FACT: this IP is against Verizon terms of service so the way to address it is to report it to them as they request. I honestly got what I needed from this thread, thanks. And I thank the nonbullies that helped me off list. -- Thank You, Joe On Thu, Feb 4, 2021 at 5:11 PM Ryan Hamel wrote: > Joe, > > > > It isn’t on Verizon to setup a firewall, especially if you have a direct > public IP service. The device being attached directly to the Internet (no > matter the transmission medium), must be able to protect itself. ISPs > provide routers which function as a NAT/Firewall appliance, to provide a > means of safety and convenience for them, but also charge you a rental fee. > > > > Stick a Cradlepoint router or something in front of your device, if you > want an external means of protection. Otherwise you’ll need to enable the > Windows Firewall if it’s a Windows system, or setup iptables on Linux, > ipfw/pf on *BSD, etc. > > > > Ryan > > > > *From:* JoeSox > *Sent:* Thursday, February 4, 2021 5:04 PM > *To:* r...@rkhtech.org > *Cc:* TJ Trout ; NANOG > *Subject:* Re: Suspicious IP reporting > > > > How do I setup a firewall when I am not a Verizon engineer? > > There is a firewall via the antivirus and operating system but that's it. > > Do you not understand my issue? I thought that is the real problem with > the online bullies in this thread. > > -- > > Thank You, > > Joe > > > > > > On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel > wrote: > > Joe, > > > > The underlying premise here is, “pick your battles”. If you don’t want an > IP address to access your device in anyway, setup a firewall and properly > configure it to accept whitelisted traffic only, or just expose a VPN > endpoint. The Internet is full of both good and bad actors that probe and > scan anything and everything. > > > > While some appreciate the notification here, others will find it annoying. > We cannot report anything malicious about an IP address on the Internet, > unless it does harm to us specifically, otherwise it is false reporting and > does create more noise at the ISP, and waste more time getting to the > underlying issue. > > > > Ryan > > > > *From:* NANOG *On Behalf Of * > JoeSox > *Sent:* Thursday, February 4, 2021 4:41 PM > *To:* TJ Trout > *Cc:* NANOG > *Subject:* Re: Suspicious IP reporting > > > > Do others see this online bully started by Tom? The leader has spoken so > the minions follow :) > > This list sometimes LOL > > I think if everyone gets off their high horse, the list communication > would be less noisy for the list veterans. > > -- > > Thank You, > > Joe > > > > > > On Thu, Feb 4, 2021 at 4:36 PM TJ Trout wrote: > > This seems like a highly suspect request coming from a North American > network operator...? > > > > > > On Thu, Feb 4, 2021 at 10:23 AM JoeSox wrote: > > > > This IP is hitting devices on cellular networks for the past day or so. > > https://www.abuseipdb.com/whois/79.124.62.86 > > I think this is the info to report it to the ISP. Any help or if everyone > can report it, I would be a happy camper. > > > > ab...@4cloud.mobi; ab...@fiberinternet.bg > > > > https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 > > > > -- > > Thank You, > > Joe > >
RE: Suspicious IP reporting
Joe, It isn’t on Verizon to setup a firewall, especially if you have a direct public IP service. The device being attached directly to the Internet (no matter the transmission medium), must be able to protect itself. ISPs provide routers which function as a NAT/Firewall appliance, to provide a means of safety and convenience for them, but also charge you a rental fee. Stick a Cradlepoint router or something in front of your device, if you want an external means of protection. Otherwise you’ll need to enable the Windows Firewall if it’s a Windows system, or setup iptables on Linux, ipfw/pf on *BSD, etc. Ryan From: JoeSox Sent: Thursday, February 4, 2021 5:04 PM To: r...@rkhtech.org Cc: TJ Trout ; NANOG Subject: Re: Suspicious IP reporting How do I setup a firewall when I am not a Verizon engineer? There is a firewall via the antivirus and operating system but that's it. Do you not understand my issue? I thought that is the real problem with the online bullies in this thread. -- Thank You, Joe On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel mailto:administra...@rkhtech.org> > wrote: Joe, The underlying premise here is, “pick your battles”. If you don’t want an IP address to access your device in anyway, setup a firewall and properly configure it to accept whitelisted traffic only, or just expose a VPN endpoint. The Internet is full of both good and bad actors that probe and scan anything and everything. While some appreciate the notification here, others will find it annoying. We cannot report anything malicious about an IP address on the Internet, unless it does harm to us specifically, otherwise it is false reporting and does create more noise at the ISP, and waste more time getting to the underlying issue. Ryan From: NANOG mailto:rkhtech@nanog.org> > On Behalf Of JoeSox Sent: Thursday, February 4, 2021 4:41 PM To: TJ Trout mailto:t...@pcguys.us> > Cc: NANOG mailto:nanog@nanog.org> > Subject: Re: Suspicious IP reporting Do others see this online bully started by Tom? The leader has spoken so the minions follow :) This list sometimes LOL I think if everyone gets off their high horse, the list communication would be less noisy for the list veterans. -- Thank You, Joe On Thu, Feb 4, 2021 at 4:36 PM TJ Trout mailto:t...@pcguys.us> > wrote: This seems like a highly suspect request coming from a North American network operator...? On Thu, Feb 4, 2021 at 10:23 AM JoeSox mailto:joe...@gmail.com> > wrote: This IP is hitting devices on cellular networks for the past day or so. https://www.abuseipdb.com/whois/79.124.62.86 I think this is the info to report it to the ISP. Any help or if everyone can report it, I would be a happy camper. ab...@4cloud.mobi <mailto:ab...@4cloud.mobi> ; ab...@fiberinternet.bg <mailto:ab...@fiberinternet.bg> https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 -- Thank You, Joe
Re: Suspicious IP reporting
How do I setup a firewall when I am not a Verizon engineer? There is a firewall via the antivirus and operating system but that's it. Do you not understand my issue? I thought that is the real problem with the online bullies in this thread. -- Thank You, Joe On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel wrote: > Joe, > > > > The underlying premise here is, “pick your battles”. If you don’t want an > IP address to access your device in anyway, setup a firewall and properly > configure it to accept whitelisted traffic only, or just expose a VPN > endpoint. The Internet is full of both good and bad actors that probe and > scan anything and everything. > > > > While some appreciate the notification here, others will find it annoying. > We cannot report anything malicious about an IP address on the Internet, > unless it does harm to us specifically, otherwise it is false reporting and > does create more noise at the ISP, and waste more time getting to the > underlying issue. > > > > Ryan > > > > *From:* NANOG *On Behalf Of * > JoeSox > *Sent:* Thursday, February 4, 2021 4:41 PM > *To:* TJ Trout > *Cc:* NANOG > *Subject:* Re: Suspicious IP reporting > > > > Do others see this online bully started by Tom? The leader has spoken so > the minions follow :) > > This list sometimes LOL > > I think if everyone gets off their high horse, the list communication > would be less noisy for the list veterans. > > -- > > Thank You, > > Joe > > > > > > On Thu, Feb 4, 2021 at 4:36 PM TJ Trout wrote: > > This seems like a highly suspect request coming from a North American > network operator...? > > > > > > On Thu, Feb 4, 2021 at 10:23 AM JoeSox wrote: > > > > This IP is hitting devices on cellular networks for the past day or so. > > https://www.abuseipdb.com/whois/79.124.62.86 > > I think this is the info to report it to the ISP. Any help or if everyone > can report it, I would be a happy camper. > > > > ab...@4cloud.mobi; ab...@fiberinternet.bg > > > > https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 > > > > -- > > Thank You, > > Joe > >
RE: Suspicious IP reporting
Joe, The underlying premise here is, “pick your battles”. If you don’t want an IP address to access your device in anyway, setup a firewall and properly configure it to accept whitelisted traffic only, or just expose a VPN endpoint. The Internet is full of both good and bad actors that probe and scan anything and everything. While some appreciate the notification here, others will find it annoying. We cannot report anything malicious about an IP address on the Internet, unless it does harm to us specifically, otherwise it is false reporting and does create more noise at the ISP, and waste more time getting to the underlying issue. Ryan From: NANOG On Behalf Of JoeSox Sent: Thursday, February 4, 2021 4:41 PM To: TJ Trout Cc: NANOG Subject: Re: Suspicious IP reporting Do others see this online bully started by Tom? The leader has spoken so the minions follow :) This list sometimes LOL I think if everyone gets off their high horse, the list communication would be less noisy for the list veterans. -- Thank You, Joe On Thu, Feb 4, 2021 at 4:36 PM TJ Trout mailto:t...@pcguys.us> > wrote: This seems like a highly suspect request coming from a North American network operator...? On Thu, Feb 4, 2021 at 10:23 AM JoeSox mailto:joe...@gmail.com> > wrote: This IP is hitting devices on cellular networks for the past day or so. https://www.abuseipdb.com/whois/79.124.62.86 I think this is the info to report it to the ISP. Any help or if everyone can report it, I would be a happy camper. ab...@4cloud.mobi <mailto:ab...@4cloud.mobi> ; ab...@fiberinternet.bg <mailto:ab...@fiberinternet.bg> https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 -- Thank You, Joe
Re: Suspicious IP reporting
Do others see this online bully started by Tom? The leader has spoken so the minions follow :) This list sometimes LOL I think if everyone gets off their high horse, the list communication would be less noisy for the list veterans. -- Thank You, Joe On Thu, Feb 4, 2021 at 4:36 PM TJ Trout wrote: > This seems like a highly suspect request coming from a North American > network operator...? > > > On Thu, Feb 4, 2021 at 10:23 AM JoeSox wrote: > >> >> This IP is hitting devices on cellular networks for the past day or so. >> https://www.abuseipdb.com/whois/79.124.62.86 >> I think this is the info to report it to the ISP. Any help or if >> everyone can report it, I would be a happy camper. >> >> ab...@4cloud.mobi; ab...@fiberinternet.bg >> >> https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 >> >> -- >> Thank You, >> Joe >> >
Re: Suspicious IP reporting
This seems like a highly suspect request coming from a North American network operator...? On Thu, Feb 4, 2021 at 10:23 AM JoeSox wrote: > > This IP is hitting devices on cellular networks for the past day or so. > https://www.abuseipdb.com/whois/79.124.62.86 > I think this is the info to report it to the ISP. Any help or if everyone > can report it, I would be a happy camper. > > ab...@4cloud.mobi; ab...@fiberinternet.bg > > https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 > > -- > Thank You, > Joe >
Re: Suspicious IP reporting
Jean, That is fine. I don't understand why the ignorance. Its one flipping email and people can reply to me without adding the list. Is this really a necessary conversation? It has only blown up BECAUSE of Tom's comments. That is great he is a big shot and contributes, that is great to hear. I am not expereicncing the same type of onlist behavior. Listen, I have devices on a cell network with only a few layers of security (of course there is a plan to increase the security on those devices but this is a complicated and highly regulated environment). Someone contacted me off list telling me they beleive the IP is a command and control server. Cell networks like Verizon has a process to report these IPs, now I am not educated in how the cellular network deal with that, that is where my "ignorance" if you would like to call it that, comes in. I see no issue asking other network admins to report it and fail to understand why this particular issue is bad. If there is a FEAR that everyone and their grandmother starts asking the onlist community to report IP addresses, I think that is an an unnecessary fear. What has turned into "noise" that Tom feared so much has been his doing not mine. On Thu, Feb 4, 2021 at 4:22 PM Jean St-Laurent wrote: > I do not know Tom personally, but I’ve been following his comments, > hindsight and shared experience. Tom seems to be a bigger player than you > on this mailing list. > > > > Joe, you are only penalizing yourself by banning him. I would personally > not ban him. > > > > J > > > > *From:* Jean St-Laurent > *Sent:* February 4, 2021 6:28 PM > *To:* 'JoeSox' ; 'Tom Beecher' > *Cc:* 'NANOG' > *Subject:* RE: Suspicious IP reporting > > > > So what? I’ve scanned the internet more than 100’ times on all > ports/protocols than you can imagine with zmap and many other shabby tools. > > > > I agree with Tom that these absue reports are totally useless and create > so much noise that it feels like crying wolf. > > Network operator are trained to absorb and protect against that. > > > > Are you aware of the 4D rules? > > Dether > > Denied > > Detect > > Delay > > > > Unless that you are a real threat to a nation… good luck. > > > > There is a new submarine link that connect America with Europe. It is said > to be 250 Tbps. > > > https://cloud.google.com/blog/products/infrastructure/googles-dunant-subsea-cable-is-now-ready-for-service > > > > Kill this link and I guess the industry will listen to you. > > > > Good luck with your ip in China. > > > > Jean St-Laurent > > > > > > *From:* NANOG *On Behalf Of * > JoeSox > *Sent:* February 4, 2021 6:06 PM > *To:* Tom Beecher > *Cc:* NANOG > *Subject:* Re: Suspicious IP reporting > > > > Tom, > > Others are seeing it as I provided the website that shows others are > seeing it. > > https://www.abuseipdb.com/check/79.124.62.86 > > I think it is pretty poor form to be ignorant. > > > > Congrats you have been banned from my gmail account straight to the > deleted. > > > > > > On Thu, Feb 4, 2021 at 1:12 PM Tom Beecher wrote: > > I think it's pretty poor form to ask people to report an IP for doing > something they are not seeing themselves, and may not even be abuse. What > does "hitting devices" mean? Pings? SNMP? > > > > This sort of thing contributes to abuse reponses being poor; lots of > noise, not much signal. > > > > On Thu, Feb 4, 2021 at 1:22 PM JoeSox wrote: > > > > This IP is hitting devices on cellular networks for the past day or so. > > https://www.abuseipdb.com/whois/79.124.62.86 > > I think this is the info to report it to the ISP. Any help or if everyone > can report it, I would be a happy camper. > > > > ab...@4cloud.mobi; ab...@fiberinternet.bg > > > > https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 > > > > -- > > Thank You, > > Joe > >
RE: Suspicious IP reporting
I do not know Tom personally, but I’ve been following his comments, hindsight and shared experience. Tom seems to be a bigger player than you on this mailing list. Joe, you are only penalizing yourself by banning him. I would personally not ban him. J From: Jean St-Laurent Sent: February 4, 2021 6:28 PM To: 'JoeSox' ; 'Tom Beecher' Cc: 'NANOG' Subject: RE: Suspicious IP reporting So what? I’ve scanned the internet more than 100’ times on all ports/protocols than you can imagine with zmap and many other shabby tools. I agree with Tom that these absue reports are totally useless and create so much noise that it feels like crying wolf. Network operator are trained to absorb and protect against that. Are you aware of the 4D rules? Dether Denied Detect Delay Unless that you are a real threat to a nation… good luck. There is a new submarine link that connect America with Europe. It is said to be 250 Tbps. https://cloud.google.com/blog/products/infrastructure/googles-dunant-subsea-cable-is-now-ready-for-service Kill this link and I guess the industry will listen to you. Good luck with your ip in China. Jean St-Laurent From: NANOG mailto:nanog-bounces+jean=ddostest...@nanog.org> > On Behalf Of JoeSox Sent: February 4, 2021 6:06 PM To: Tom Beecher mailto:beec...@beecher.cc> > Cc: NANOG mailto:nanog@nanog.org> > Subject: Re: Suspicious IP reporting Tom, Others are seeing it as I provided the website that shows others are seeing it. https://www.abuseipdb.com/check/79.124.62.86 I think it is pretty poor form to be ignorant. Congrats you have been banned from my gmail account straight to the deleted. On Thu, Feb 4, 2021 at 1:12 PM Tom Beecher mailto:beec...@beecher.cc> > wrote: I think it's pretty poor form to ask people to report an IP for doing something they are not seeing themselves, and may not even be abuse. What does "hitting devices" mean? Pings? SNMP? This sort of thing contributes to abuse reponses being poor; lots of noise, not much signal. On Thu, Feb 4, 2021 at 1:22 PM JoeSox mailto:joe...@gmail.com> > wrote: This IP is hitting devices on cellular networks for the past day or so. https://www.abuseipdb.com/whois/79.124.62.86 I think this is the info to report it to the ISP. Any help or if everyone can report it, I would be a happy camper. ab...@4cloud.mobi <mailto:ab...@4cloud.mobi> ; ab...@fiberinternet.bg <mailto:ab...@fiberinternet.bg> https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 -- Thank You, Joe
RE: Suspicious IP reporting
So what? I’ve scanned the internet more than 100’ times on all ports/protocols than you can imagine with zmap and many other shabby tools. I agree with Tom that these absue reports are totally useless and create so much noise that it feels like crying wolf. Network operator are trained to absorb and protect against that. Are you aware of the 4D rules? Dether Denied Detect Delay Unless that you are a real threat to a nation… good luck. There is a new submarine link that connect America with Europe. It is said to be 250 Tbps. https://cloud.google.com/blog/products/infrastructure/googles-dunant-subsea-cable-is-now-ready-for-service Kill this link and I guess the industry will listen to you. Good luck with your ip in China. Jean St-Laurent From: NANOG On Behalf Of JoeSox Sent: February 4, 2021 6:06 PM To: Tom Beecher Cc: NANOG Subject: Re: Suspicious IP reporting Tom, Others are seeing it as I provided the website that shows others are seeing it. https://www.abuseipdb.com/check/79.124.62.86 I think it is pretty poor form to be ignorant. Congrats you have been banned from my gmail account straight to the deleted. On Thu, Feb 4, 2021 at 1:12 PM Tom Beecher mailto:beec...@beecher.cc> > wrote: I think it's pretty poor form to ask people to report an IP for doing something they are not seeing themselves, and may not even be abuse. What does "hitting devices" mean? Pings? SNMP? This sort of thing contributes to abuse reponses being poor; lots of noise, not much signal. On Thu, Feb 4, 2021 at 1:22 PM JoeSox mailto:joe...@gmail.com> > wrote: This IP is hitting devices on cellular networks for the past day or so. https://www.abuseipdb.com/whois/79.124.62.86 I think this is the info to report it to the ISP. Any help or if everyone can report it, I would be a happy camper. ab...@4cloud.mobi <mailto:ab...@4cloud.mobi> ; ab...@fiberinternet.bg <mailto:ab...@fiberinternet.bg> https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 -- Thank You, Joe
Re: Suspicious IP reporting
Tom, Others are seeing it as I provided the website that shows others are seeing it. https://www.abuseipdb.com/check/79.124.62.86 I think it is pretty poor form to be ignorant. Congrats you have been banned from my gmail account straight to the deleted. On Thu, Feb 4, 2021 at 1:12 PM Tom Beecher wrote: > I think it's pretty poor form to ask people to report an IP for doing > something they are not seeing themselves, and may not even be abuse. What > does "hitting devices" mean? Pings? SNMP? > > This sort of thing contributes to abuse reponses being poor; lots of > noise, not much signal. > > On Thu, Feb 4, 2021 at 1:22 PM JoeSox wrote: > >> >> This IP is hitting devices on cellular networks for the past day or so. >> https://www.abuseipdb.com/whois/79.124.62.86 >> I think this is the info to report it to the ISP. Any help or if >> everyone can report it, I would be a happy camper. >> >> ab...@4cloud.mobi; ab...@fiberinternet.bg >> >> https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 >> >> -- >> Thank You, >> Joe >> >
Re: Suspicious IP reporting
I think it's pretty poor form to ask people to report an IP for doing something they are not seeing themselves, and may not even be abuse. What does "hitting devices" mean? Pings? SNMP? This sort of thing contributes to abuse reponses being poor; lots of noise, not much signal. On Thu, Feb 4, 2021 at 1:22 PM JoeSox wrote: > > This IP is hitting devices on cellular networks for the past day or so. > https://www.abuseipdb.com/whois/79.124.62.86 > I think this is the info to report it to the ISP. Any help or if everyone > can report it, I would be a happy camper. > > ab...@4cloud.mobi; ab...@fiberinternet.bg > > https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0 > > -- > Thank You, > Joe >
