<div dir="ltr">AS202425 = AS29073. Formerly known as Quasi Networks / Ecatel. See previous NANOG thread here: <a href="https://mailman.nanog.org/pipermail/nanog/2017-August/091956.html">https://mailman.nanog.org/pipermail/nanog/2017-August/091956.html</a> <br><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jun 22, 2019 at 10:03 AM Keith Medcalf <<a href="mailto:kmedcalf@dessus.com">kmedcalf@dessus.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Friday, 21 June, 2019 18:14, Ronald F. Guilmette <<a href="mailto:rfg@tristatelogic.com" target="_blank">rfg@tristatelogic.com</a>> wrote:<br>
<br>
> <a href="https://twitter.com/GreyNoiseIO/status/1129017971135995904" rel="noreferrer" target="_blank">https://twitter.com/GreyNoiseIO/status/1129017971135995904</a><br>
> <a href="https://twitter.com/JayTHL/status/1128718224965685248" rel="noreferrer" target="_blank">https://twitter.com/JayTHL/status/1128718224965685248</a><br>
<br>
Sorry, don't twitter ... Too much malicious JavaScript there.<br>
<br>
&gt;Friday Questionnaire:<br>
<br>
>Is there anybody on this list who keeps firewall logs and who<br>
>DOESN'T have numerous hits recorded therein from one or more<br>
>of the following IP addresses?<br>
<br>
>80.82.64.21 <a href="http://scanner29.openportstats.com" rel="noreferrer" target="_blank">scanner29.openportstats.com</a><br>
>80.82.70.2 <a href="http://scanner8.openportstats.com" rel="noreferrer" target="_blank">scanner8.openportstats.com</a><br>
>80.82.70.198 <a href="http://scanner21.openportstats.com" rel="noreferrer" target="_blank">scanner21.openportstats.com</a><br>
>80.82.70.216 <a href="http://scanner13.openportstats.com" rel="noreferrer" target="_blank">scanner13.openportstats.com</a><br>
>80.82.78.104 <a href="http://scanner151.openportstats.com" rel="noreferrer" target="_blank">scanner151.openportstats.com</a><br>
>89.248.160.132 <a href="http://scanner15.openportstats.com" rel="noreferrer" target="_blank">scanner15.openportstats.com</a><br>
>89.248.162.168 <a href="http://scanner5.openportstats.com" rel="noreferrer" target="_blank">scanner5.openportstats.com</a><br>
>89.248.168.62 <a href="http://scanner1.openportstats.com" rel="noreferrer" target="_blank">scanner1.openportstats.com</a><br>
>89.248.168.63 <a href="http://scanner2.openportstats.com" rel="noreferrer" target="_blank">scanner2.openportstats.com</a><br>
>89.248.168.73 <a href="http://scanner3.openportstats.com" rel="noreferrer" target="_blank">scanner3.openportstats.com</a><br>
>89.248.168.74 <a href="http://scanner4.openportstats.com" rel="noreferrer" target="_blank">scanner4.openportstats.com</a><br>
>89.248.168.170 <a href="http://scanner17.openportstats.com" rel="noreferrer" target="_blank">scanner17.openportstats.com</a><br>
>89.248.168.196 <a href="http://scanner16.openportstats.com" rel="noreferrer" target="_blank">scanner16.openportstats.com</a><br>
>89.248.171.38 <a href="http://scanner7.openportstats.com" rel="noreferrer" target="_blank">scanner7.openportstats.com</a><br>
>89.248.171.57 <a href="http://scanner20.openportstats.com" rel="noreferrer" target="_blank">scanner20.openportstats.com</a><br>
>89.248.172.18 <a href="http://scanner25.openportstats.com" rel="noreferrer" target="_blank">scanner25.openportstats.com</a><br>
>89.248.172.23 <a href="http://scanner27.openportstats.com" rel="noreferrer" target="_blank">scanner27.openportstats.com</a><br>
>93.174.91.31 <a href="http://scanner10.openportstats.com" rel="noreferrer" target="_blank">scanner10.openportstats.com</a><br>
>93.174.91.34 <a href="http://scanner11.openportstats.com" rel="noreferrer" target="_blank">scanner11.openportstats.com</a><br>
>93.174.91.35 <a href="http://scanner12.openportstats.com" rel="noreferrer" target="_blank">scanner12.openportstats.com</a><br>
>93.174.93.98 <a href="http://scanner18.openportstats.com" rel="noreferrer" target="_blank">scanner18.openportstats.com</a><br>
>93.174.93.149 <a href="http://scanner6.openportstats.com" rel="noreferrer" target="_blank">scanner6.openportstats.com</a><br>
>93.174.93.241 <a href="http://scanner14.openportstats.com" rel="noreferrer" target="_blank">scanner14.openportstats.com</a><br>
>93.174.95.37 <a href="http://scanner19.openportstats.com" rel="noreferrer" target="_blank">scanner19.openportstats.com</a><br>
>93.174.95.42 <a href="http://scanner8.openportstats.com" rel="noreferrer" target="_blank">scanner8.openportstats.com</a><br>
>94.102.51.31 <a href="http://scanner31.openportstats.com" rel="noreferrer" target="_blank">scanner31.openportstats.com</a><br>
>94.102.51.98 <a href="http://scanner55.openportstats.com" rel="noreferrer" target="_blank">scanner55.openportstats.com</a><br>
>94.102.52.245 <a href="http://scanner9.openportstats.com" rel="noreferrer" target="_blank">scanner9.openportstats.com</a><br>
<br>
I have just a few. They have all been blocked. There have been no incoming sessions established, nor any outbound sessions to these addresses.<br>
<br>
Why do you think it is a problem and not just run-of-the-mill background radiation on the Internet? <br>
<br>
Do you (or your endpoints) not have a firewall to block such things?<br>
<br>
sqlite> select * from hosts where name like '%openports%';<br>
id address name description asn lastupdate<br>
---------- ------------- ---------------------------- ----------- ---------- ----------<br>
3662 93.174.93.241 <a href="http://scanner14.openportstats.com" rel="noreferrer" target="_blank">scanner14.openportstats.com</a>. 202425 1561209704<br>
5061 93.174.95.42 <a href="http://scanner8.openportstats.com" rel="noreferrer" target="_blank">scanner8.openportstats.com</a>. 202425 1560718494<br>
11894 93.174.93.149 <a href="http://scanner6.openportstats.com" rel="noreferrer" target="_blank">scanner6.openportstats.com</a>. 202425 1560732443<br>
17720 93.174.93.98 <a href="http://scanner18.openportstats.com" rel="noreferrer" target="_blank">scanner18.openportstats.com</a>. 202425 1560640554<br>
54208 80.82.70.2 <a href="http://scanner8.openportstats.com" rel="noreferrer" target="_blank">scanner8.openportstats.com</a>. 202425 1560774033<br>
54790 89.248.160.13 <a href="http://scanner15.openportstats.com" rel="noreferrer" target="_blank">scanner15.openportstats.com</a>. 202425 1560682732<br>
55081 89.248.168.19 <a href="http://scanner16.openportstats.com" rel="noreferrer" target="_blank">scanner16.openportstats.com</a>. 202425 1561158220<br>
55629 89.248.168.17 <a href="http://scanner17.openportstats.com" rel="noreferrer" target="_blank">scanner17.openportstats.com</a>. 202425 1560817976<br>
59858 89.248.171.57 <a href="http://scanner20.openportstats.com" rel="noreferrer" target="_blank">scanner20.openportstats.com</a>. 202425 1560800216<br>
64626 89.248.171.38 <a href="http://scanner7.openportstats.com" rel="noreferrer" target="_blank">scanner7.openportstats.com</a>. 202425 1560841829<br>
70081 93.174.95.37 <a href="http://scanner19.openportstats.com" rel="noreferrer" target="_blank">scanner19.openportstats.com</a>. 202425 1560802023<br>
72978 80.82.70.216 <a href="http://scanner13.openportstats.com" rel="noreferrer" target="_blank">scanner13.openportstats.com</a>. 202425 1560709312<br>
74711 94.102.52.245 <a href="http://scanner9.openportstats.com" rel="noreferrer" target="_blank">scanner9.openportstats.com</a>. 202425 1560589038<br>
80358 89.248.162.16 <a href="http://scanner5.openportstats.com" rel="noreferrer" target="_blank">scanner5.openportstats.com</a>. 202425 1561217966<br>
86148 89.248.172.18 <a href="http://scanner25.openportstats.com" rel="noreferrer" target="_blank">scanner25.openportstats.com</a>. 202425 1560884061<br>
89484 94.102.51.31 <a href="http://scanner31.openportstats.com" rel="noreferrer" target="_blank">scanner31.openportstats.com</a>. 202425 1561199715<br>
90131 80.82.70.198 <a href="http://scanner21.openportstats.com" rel="noreferrer" target="_blank">scanner21.openportstats.com</a>. 202425 1560776777<br>
90531 80.82.78.104 <a href="http://scanner151.openportstats.com" rel="noreferrer" target="_blank">scanner151.openportstats.com</a> 202425 1561150052<br>
91641 80.82.64.21 <a href="http://scanner29.openportstats.com" rel="noreferrer" target="_blank">scanner29.openportstats.com</a>. 202425 1561184548<br>
104810 94.102.51.98 <a href="http://scanner55.openportstats.com" rel="noreferrer" target="_blank">scanner55.openportstats.com</a>. 202425 1561138118<br>
<br>
sqlite> select * from asns where asn=202425;<br>
asn country rir allocated description lastupdate<br>
---------- ---------- ---------- ---------- --------------- ----------<br>
202425 SC ripencc 2018-05-17 INT-NETWORK, SC 1561217966<br>
<br>
sqlite> select srcaddress, count(*), min(localtime), max(localtime) from firewalllog where srcaddress in (select address from hosts where name like '%openportstats.com.') group by srcaddress;<br>
srcaddress count(*) min(localtime) max(localtime)<br>
----------- ---------- ------------------------------ ------------------------------<br>
80.82.64.21 6 2019-03-28 05:21:13.919 -06:00 2019-03-31 06:47:28.309 -06:00<br>
80.82.70.2 208 2019-01-23 12:58:02.557 -07:00 2019-04-02 06:37:43.125 -06:00<br>
80.82.70.19 114 2019-03-25 14:13:17.058 -06:00 2019-04-02 06:39:57.214 -06:00<br>
80.82.70.21 17970 2019-02-25 13:34:52.202 -07:00 2019-04-24 19:27:58.113 -06:00<br>
80.82.78.10 767 2019-03-26 08:37:53.799 -06:00 2019-06-21 15:27:05.791 -06:00<br>
89.248.160. 1754 2019-01-24 12:40:58.764 -07:00 2019-04-13 05:02:00.866 -06:00<br>
89.248.162. 1384 2019-03-09 16:21:40.538 -07:00 2019-06-22 09:39:26.809 -06:00<br>
89.248.168. 43 2019-01-25 18:52:41.512 -07:00 2019-03-28 06:57:15.269 -06:00<br>
89.248.168. 1543 2019-01-24 23:03:14.052 -07:00 2019-04-23 01:46:26.558 -06:00<br>
89.248.171. 22 2019-02-10 12:14:00.168 -07:00 2019-02-12 14:16:40.212 -07:00<br>
89.248.171. 1850 2019-02-01 18:06:15.893 -07:00 2019-06-17 13:36:56.062 -06:00<br>
89.248.172. 3 2019-03-18 20:33:50.209 -06:00 2019-03-23 16:47:31.949 -06:00<br>
93.174.93.9 67 2018-12-08 17:42:28.122 -07:00 2019-04-01 03:24:06.896 -06:00<br>
93.174.93.1 16 2018-12-04 03:34:47.534 -07:00 2019-05-07 01:34:27.308 -06:00<br>
93.174.93.2 1661 2018-11-23 10:13:06.957 -07:00 2019-06-22 07:21:44.239 -06:00<br>
93.174.95.3 144 2019-02-20 08:06:52.282 -07:00 2019-02-28 02:30:39.109 -07:00<br>
93.174.95.4 252 2018-11-24 22:14:19.061 -07:00 2019-03-03 19:04:48.709 -07:00<br>
94.102.51.3 262 2019-03-24 10:03:55.679 -06:00 2019-06-22 04:35:15.886 -06:00<br>
94.102.51.9 32 2019-04-28 08:52:43.818 -06:00 2019-05-17 11:22:16.166 -06:00<br>
94.102.52.2 38 2019-02-28 12:45:52.949 -07:00 2019-03-07 07:30:03.547 -07:00<br>
<br>
<br>
>NOTE: Dshield has already assigned an 8 rating on their Badness<br>
>Richter Scale to the specific one of the above addresses that's <br>
>been poking me personally in recent days:<br>
<br>
> <a href="https://www.dshield.org/ipinfo.html?ip=89.248.162.168" rel="noreferrer" target="_blank">https://www.dshield.org/ipinfo.html?ip=89.248.162.168</a><br>
> <a href="https://www.dshield.org/ipdetails.html?ip=89.248.162.168" rel="noreferrer" target="_blank">https://www.dshield.org/ipdetails.html?ip=89.248.162.168</a><br>
<br>
>And the Dshield rating is *just* based on the probing. The addition<br>
>of malware slinging also puts this whole mess over the top entirely.<br>
<br>
What malware slinging? I see none of that. Merely unsolicited incoming connection attempts. I note that neither the ASN in question nor the addresses are on the DROP list.<br>
<br>
>Oh! And I'll save you all the time looking it up.... 100% of the IPs<br>
>listed above are on AS202425 "IP Volume, Inc. allegedly of the<br>
>Seychelles Islands, where the employees and management are no <br>
>doubt enjoying their luxurious and expansive new corporate headquarters...<br>
<br>
Good for them. Everyone should have luxurious and expansive corporate headquarters.<br>
<br>
> <a href="https://bit.ly/2ZBayc4" rel="noreferrer" target="_blank">https://bit.ly/2ZBayc4</a><br>
<br>
Malicious link detected.<br>
<br>
-- <br>
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.<br>
</blockquote></div>
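As an added example, not part of the original thread, here is the kind of lookup the quoted sqlite session performs, reproduced in Python over constructed sample rows: the grouped hits-per-source query from the message, a roll-up of the same log to the origin ASN, and a check of an address against a list of CIDR prefixes standing in for the DROP list mentioned above. Table and column names follow the session; the sample rows, the example ASN and the prefix list are constructed.

```python
import ipaddress
import sqlite3
# Constructed rows in the shape of the poster's tables (not his real data).
HOSTS = [("93.174.93.241", "scanner14.openportstats.com.", 202425),
         ("80.82.70.2", "scanner8.openportstats.com.", 202425),
         ("89.248.162.168", "scanner5.openportstats.com.", 202425),
         ("198.51.100.7", "host.example.net.", 64496)]       # unrelated host
ASNS = [(202425, "SC", "ripencc", "2018-05-17", "INT-NETWORK, SC"),
        (64496, "ZZ", "example", "2019-01-01", "EXAMPLE-NET")]
FIREWALL_LOG = [("93.174.93.241", "2018-11-23 10:13:06.957 -07:00"),
                ("93.174.93.241", "2019-06-22 07:21:44.239 -06:00"),
                ("80.82.70.2", "2019-01-23 12:58:02.557 -07:00"),
                ("89.248.162.168", "2019-03-09 16:21:40.538 -07:00"),
                ("89.248.162.168", "2019-06-22 09:39:26.809 -06:00"),
                ("198.51.100.7", "2019-05-01 00:00:00.000 -06:00")]
DROP_CIDRS = ["203.0.113.0/24"]  # stand-in for a fetched DROP list (constructed)

def build_db():
    """Load the constructed rows into an in-memory copy of the three tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE hosts(id INTEGER PRIMARY KEY, address TEXT, name TEXT,
                           description TEXT, asn INTEGER, lastupdate INTEGER);
        CREATE TABLE asns(asn INTEGER PRIMARY KEY, country TEXT, rir TEXT,
                          allocated TEXT, description TEXT, lastupdate INTEGER);
        CREATE TABLE firewalllog(srcaddress TEXT, localtime TEXT);""")
    con.executemany("INSERT INTO hosts(address, name, description, asn, lastupdate)"
                    " VALUES (?, ?, '', ?, 0)", HOSTS)
    con.executemany("INSERT INTO asns VALUES (?, ?, ?, ?, ?, 0)", ASNS)
    con.executemany("INSERT INTO firewalllog VALUES (?, ?)", FIREWALL_LOG)
    return con

def hits_by_scanner(con, pattern="%openportstats.com."):
    """The grouped query from the message: hits, first and last seen per source."""
    return con.execute(
        "SELECT srcaddress, count(*), min(localtime), max(localtime) FROM firewalllog"
        " WHERE srcaddress IN (SELECT address FROM hosts WHERE name LIKE ?)"
        " GROUP BY srcaddress ORDER BY srcaddress", (pattern,)).fetchall()

def hits_by_asn(con):
    """Roll the same log up to the origin network rather than the single address."""
    return con.execute(
        "SELECT h.asn, a.description, count(*) AS hits FROM firewalllog f"
        " JOIN hosts h ON h.address = f.srcaddress LEFT JOIN asns a ON a.asn = h.asn"
        " GROUP BY h.asn ORDER BY hits DESC").fetchall()

def on_drop_list(address, cidrs=DROP_CIDRS):
    """True when the address falls inside a listed prefix (the 'DROP list' check)."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(cidr) for cidr in cidrs)
```

With a real hosts table populated from reverse DNS and an asns table from RIR data, the ASN roll-up is what turns a pile of per-address firewall hits into the single "one network, many scanners" picture the thread is describing.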