Suspicious IP reporting

• Previous message (by thread): Suspicious IP reporting
• Next message (by thread): Suspicious IP reporting
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

While I agree that reporting something not observed just creates a lot of
unnecessary work for the recipient in processing all of the unsubstantiated
reports (that don't match traffic logs, etc), that isn't the point of my
message. I would point out that most people would call such reports spam at
the least. Another term for the same thing, brigading, rarely works out
satisfactorily for anyone either.

Success with asking a service provider to take action is always going to be
a crapshoot, but it will almost never be fast in any case.

If there is a C2 server known to be contacting a host you manage, the
bigger problem to me would seem to be the compromised host, rather than the
C2. It could be exfiltrating sensitive data to the attacker right now. An
established attacker will have dozens or hundreds of C2s. Do you intend to
pursue all of them individually?

If the organization isn't prepared to start an appropriate incident
response on a compromised host in a timely manner, perhaps they will learn
from and correct that security posture weakness in the future.

Regards
Dave

On Thu, Feb 4, 2021 at 7:17 PM JoeSox <joesox at gmail.com> wrote:

> Ryan,
> Thanks but like I said these devices are in moving vehicles ok?
> I stated we have a plan but it is ways out.
> FACT: we have a known malicious C&C
> FACT: We know what networks it is hitting and the cellular network is the
> most vulnerable, imo.
> FACT: this IP is against Verizon terms of service so the way to address it
> is to report it to them as they request.
>
> I honestly got what I needed from this thread, thanks. And I thank the
> nonbullies that helped me off list.
> --
> Thank You,
> Joe
>
>
> On Thu, Feb 4, 2021 at 5:11 PM Ryan Hamel <administrator at rkhtech.org>
> wrote:
>
>> Joe,
>>
>>
>>
>> It isn’t on Verizon to setup a firewall, especially if you have a direct
>> public IP service. The device being attached directly to the Internet (no
>> matter the transmission medium), must be able to protect itself. ISPs
>> provide routers which function as a NAT/Firewall appliance, to provide a
>> means of safety and convenience for them, but also charge you a rental fee.
>>
>>
>>
>> Stick a Cradlepoint router or something in front of your device, if you
>> want an external means of protection. Otherwise you’ll need to enable the
>> Windows Firewall if it’s a Windows system, or setup iptables on Linux,
>> ipfw/pf on *BSD, etc.
>>
>>
>>
>> Ryan
>>
>>
>>
>> *From:* JoeSox <joesox at gmail.com>
>> *Sent:* Thursday, February 4, 2021 5:04 PM
>> *To:* ryan at rkhtech.org
>> *Cc:* TJ Trout <tj at pcguys.us>; NANOG <nanog at nanog.org>
>> *Subject:* Re: Suspicious IP reporting
>>
>>
>>
>> How do I setup a firewall when I am not a Verizon engineer?
>>
>> There is a firewall via the antivirus and operating system but that's it.
>>
>> Do you not understand my issue? I thought that is the real problem with
>> the online bullies in this thread.
>>
>> --
>>
>> Thank You,
>>
>> Joe
>>
>>
>>
>>
>>
>> On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel <administrator at rkhtech.org>
>> wrote:
>>
>> Joe,
>>
>>
>>
>> The underlying premise here is, “pick your battles”. If you don’t want an
>> IP address to access your device in anyway, setup a firewall and properly
>> configure it to accept whitelisted traffic only, or just expose a VPN
>> endpoint. The Internet is full of both good and bad actors that probe and
>> scan anything and everything.
>>
>>
>>
>> While some appreciate the notification here, others will find it
>> annoying. We cannot report anything malicious about an IP address on the
>> Internet, unless it does harm to us specifically, otherwise it is false
>> reporting and does create more noise at the ISP, and waste more time
>> getting to the underlying issue.
>>
>>
>>
>> Ryan
>>
>>
>>
>> *From:* NANOG <nanog-bounces+ryan=rkhtech.org at nanog.org> *On Behalf Of *
>> JoeSox
>> *Sent:* Thursday, February 4, 2021 4:41 PM
>> *To:* TJ Trout <tj at pcguys.us>
>> *Cc:* NANOG <nanog at nanog.org>
>> *Subject:* Re: Suspicious IP reporting
>>
>>
>>
>> Do others see this online bully started by Tom? The leader has spoken so
>> the minions follow :)
>>
>> This list  sometimes LOL
>>
>> I think if everyone gets off their high horse, the list communication
>> would be less noisy for the list veterans.
>>
>> --
>>
>> Thank You,
>>
>> Joe
>>
>>
>>
>>
>>
>> On Thu, Feb 4, 2021 at 4:36 PM TJ Trout <tj at pcguys.us> wrote:
>>
>> This seems like a highly suspect request coming from a North American
>> network operator...?
>>
>>
>>
>>
>>
>> On Thu, Feb 4, 2021 at 10:23 AM JoeSox <joesox at gmail.com> wrote:
>>
>>
>>
>> This IP is hitting devices on cellular networks for the past day or so.
>>
>>   https://www.abuseipdb.com/whois/79.124.62.86
>>
>> I think this is the info to report it to the ISP.  Any help or if
>> everyone can report it, I would be a happy camper.
>>
>>
>>
>> abuse at 4cloud.mobi; abuse at fiberinternet.bg
>>
>>
>>
>> https://en.asytech.cn/check-ip/79.124.62.25#gsc.tab=0
>>
>>
>>
>> --
>>
>> Thank You,
>>
>> Joe
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20210205/92ffd131/attachment.html>

• Previous message (by thread): Suspicious IP reporting
• Next message (by thread): Suspicious IP reporting
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]