<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.p1, li.p1, div.p1
{mso-style-name:p1;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.s1
{mso-style-name:s1;}
p.footer, li.footer, div.footer
{mso-style-name:footer;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I assume you have a fixed IP address. In the UK, it seems to be the default that fixed IP address => running inbound services of some
sort, whereas a dynamic IP address comes with assumptions that, at the very least, there’ll be nothing outbound to ports like 25.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I have no idea what level of competence Verizon have. What I will do is tell you of my experience of running inbound services and why,
apart from any traffic you think you may be generating/attracting on those ports, there may be more happening.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I have a fixed range of IPv4 addresses at home and a 48bit IPv6 prefix. NAT and the firewall permit certain inbound connections. As
some of you HECnet’ers may be aware, I restrict NAT translations on various ports through my gateway IP address to small ranges of subnets. This avoids a whole load of potential issues and those outside of those subnets do not even get to traverse NAT arrangements.
Incidentally, I’d love it if this were over IPv6.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I have HTTP, HTTPS and VPN inbound traffic over both IPv4 and IPv6 and this is necessarily nowhere near as restricted as the HECnet
over IP connectivity.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Quite a few months ago now, there were consequences associated with this thanks to a mixture of nosey so-called internet research companies
and the relatively cheap resources anyone can acquire from hosting companies desperate to attract business.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Internet “research” companies leave quite a few footprints in my router logs with port scans. They make their internet “maps” available
to their clients, some of whom are clearly cyber-criminals.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Cyber criminals hosted in the clouds shovelling out spam is relatively easy to deal with and, if you’re persistent enough, reasonably
straightforward to have evicted.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Those criminals who don’t spam tend to spoof their victims’ IP addresses and send my (and possibly your) inbound services a SYN, which
my (and your) services ACK… to their victims. As I (and possibly you) are just one (or two) collateral victims amongst hundreds or thousands, their prime victims are flooded – reflective DDOS attacks. It’s even worse if you make UDP services available.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">My inbound services have been used like this quite a few times in the past, as well as simply being the target of attack.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">I have had to customise router firmware in some instances and introduce semi-‘intelligent’ blocks elsewhere to mitigate most of this.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">For example, the firewall never passes the first few SYNs on from any inbound connection attempt. You could say this is similar to
greylisting. Given that reflective DDOS attacks have spoofed their source address, there’s no feedback to the bastard initiating the attack anyway. So in theory, it is very difficult to co-opt my systems into amplifying an attack. For more ‘personal’ attacks,
the firewall’s built in DOS mitigation, with some additional analysis of its emitted events and subsequent blocking can fend off a lot more.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Sorry for the ramble. To cut a long story short, it’s marginally possible that Verizon are reacting, in their ham-fisted way, to a
load of suspicious traffic you’re not even aware that you’re generating. Then again, it’s Verizon, so who knows if there’s any logic behind it. Check with whatever equivalent of ‘netstat’ you have to see if you have groups of 6-10 syn_acks (I think that’s
what they are – I’m too lazy to check my own source code) to the same outside IP address (and possibly the same port, especially if it’s a well-known one like 80, 443, 25, or the really dangerous UDP ones like NTP, DNS etc..).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Standing down<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Keith<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> owner-hecnet@Update.UU.SE [mailto:owner-hecnet@Update.UU.SE]
<b>On Behalf Of </b>Supratim Sanyal<br>
<b>Sent:</b> 30 July 2020 19:15<br>
<b>To:</b> hecnet@Update.UU.SE<br>
<b>Subject:</b> [HECnet] Verizon Security! Fwd: Security notice<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Verizon is tightening the screw. I think I will give up now. It was explained to me over a telephone call to their security department that I cannot have any of the following ports open at home.<o:p></o:p></p>
<div>
<p class="p1"><span class="s1">80 </span><o:p></o:p></p>
<p class="p1"><span class="s1">81 </span><o:p></o:p></p>
<p class="p1"><span class="s1">554</span><o:p></o:p></p>
<p class="p1"><span class="s1">8xxx</span><o:p></o:p></p>
<p class="p1"><span class="s1">9xxx</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b>From:</b> Verizon Notification <<a href="mailto:verizon-notification@verizon.com">verizon-notification@verizon.com</a>><br>
<b>Date:</b> July 30, 2020 at 12:32:48 PM EDT<br>
<b>To:</b> <a href="mailto:thesanyalfamily@gmail.com">thesanyalfamily@gmail.com</a><br>
<b>Subject:</b> <b>Security notice</b><br>
<b>Reply-To:</b> Verizon Notification <<a href="mailto:verizon-notification@verizon.com">verizon-notification@verizon.com</a>><o:p></o:p></p>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div align="center">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="0" style="width:487.5pt" id="wrapper">
<tbody>
<tr>
<td style="padding:3.75pt 3.75pt 3.75pt 3.75pt">
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<div align="center">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="0" style="width:525.0pt;background:white;border-collapse:collapse">
<tbody>
<tr>
<td width="700" style="width:528.75pt;padding:0cm 0cm 0cm 0cm">
<div align="center">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="0" style="width:525.0pt;background:white;border-collapse:collapse">
<tbody>
<tr style="height:18.75pt">
<td width="157" valign="bottom" style="width:68.25pt;padding:9.0pt 0cm 0cm 18.75pt;height:18.75pt">
<p style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:16.5pt;margin-left:0cm;line-height:15.0pt">
<span style="font-size:13.0pt;font-family:"Arial",sans-serif;color:#1E1E1E"><a href="https://www.verizon.com/?lid=//global//residential" target="_blank"><span style="text-decoration:none"><img border="0" width="132" height="31" id="_x0000_i1025" src="https://www.verizon.com/econtact/ecrm/ximg/karthik/verizon.jpg?1594044661565" alt="Verizon"></span></a><o:p></o:p></span></p>
</td>
<td width="543" valign="bottom" style="width:447.75pt;padding:.75pt 16.5pt 0cm 15.0pt;height:18.75pt">
<p class="MsoNormal" style="line-height:13.5pt"><span style="font-size:11.5pt;font-family:"Arial",sans-serif;color:black"> <o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td valign="top" style="padding:.75pt .75pt .75pt .75pt">
<table class="MsoNormalTable" border="0" cellpadding="0" id="wrapper">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<div align="center">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="0" style="width:525.0pt;background:white;border-collapse:collapse">
<tbody>
<tr>
<td style="padding:0cm 18.75pt 0cm 22.5pt">
<p style="mso-margin-top-alt:11.25pt;margin-right:0cm;margin-bottom:7.5pt;margin-left:0cm;line-height:15.0pt">
<span style="font-family:"Helvetica",sans-serif">Hi,<br>
<br>
Attention Verizon Customer,<br>
<br>
<br>
Our network monitoring tools have detected significant amounts of harmful network traffic coming from your home or office network. It is likely that a device within your home or office is infected with malware; we believe the device could be a network security
camera, network video recorder, or similar device. <br>
<br>
<br>
These devices are being targeted by hackers. The hackers are leveraging potential security flaws in the hardware / software to stage large scale attacks against other networks and devices.
<br>
<br>
<br>
Pursuant to Verizon's Terms of Service and Acceptable Use Policy, we are asking you to disconnect any such devices from your home or office network. This is an effort to protect your privacy and network. We ask that you contact the manufacturer's support department
to determine how to properly secure the device, including closing any network ports on the device(s) exposed to the public Internet. Once fully patched with the most up to date firmware and software, please ensure that you protect access to the device by changing
the admin login credentials. Use a strong password for all access points including remote viewing of the cameras. Once that is complete you may return the device to your network.<br>
<br>
<br>
Should these efforts fail and the device is once again found to be leveraged as an attack host, we will ask for the removal of the device until the vendor can devise an acceptable remediation.
<br>
<br>
<br>
You must take the necessary steps to remove this device from your network as soon as possible. Failure to remove this device is a violation of the Verizon Online Acceptable Use Policy and may result in the following:<br>
<br>
<br>
- Future suspension and/or termination of your Internet Services. <br>
<br>
<br>
Additional suggestions and precautions can viewed at <a href="http://verizon.com/securityinfo">
verizon.com/securityinfo</a> or visit the website of your hardware vendor.<br>
<br>
<br>
You may contact Verizon support at 888-553-1555<br>
<br>
Verizon will never ask you to provide or verify personal or account information by email.</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></p>
<p style="mso-margin-top-alt:11.25pt;margin-right:0cm;margin-bottom:7.5pt;margin-left:0cm;line-height:15.0pt">
<span style="font-family:"Helvetica",sans-serif">Thanks for your prompt attention.</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></p>
<p style="mso-margin-top-alt:11.25pt;margin-right:0cm;margin-bottom:7.5pt;margin-left:0cm;line-height:15.0pt">
<span style="font-family:"Helvetica",sans-serif">Verizon Internet Abuse Investigations Team<br>
22001 Loudoun County Parkway<br>
Ashburn, VA 20147 </span><span style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p> <o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<table class="MsoNormalTable" border="0" cellpadding="0" id="wrapper">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<div align="center">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="0" style="width:525.0pt;background:white">
<tbody>
<tr>
<td width="700" style="width:528.75pt;padding:0cm 0cm 0cm 0cm">
<div align="center">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="0" style="width:525.0pt;background:white">
<tbody>
<tr>
<td style="border:none;border-top:solid #D7D9D9 1.0pt;padding:0cm 22.5pt 0cm 18.75pt">
<p class="footer" style="mso-margin-top-alt:25.5pt;margin-right:0cm;margin-bottom:15.0pt;margin-left:0cm;line-height:9.0pt">
<span style="font-size:7.5pt;font-family:"Helvetica",sans-serif;color:#747676">© 2020 Verizon. All Rights Reserved.<o:p></o:p></span></p>
<p class="footer" style="mso-margin-top-alt:3.75pt;margin-right:0cm;margin-bottom:15.0pt;margin-left:0cm;line-height:9.0pt">
<span style="font-size:7.5pt;font-family:"Helvetica",sans-serif;color:#747676">Ensure Verizon emails reach your inbox by adding
<a href="mailto:verizon-notification@verizon.com" target="_blank"><span style="color:#747676">verizon-notification@verizon.com</span></a> to your "safe" email list. Your email provider
<br>
can provide instructions on how it works.<o:p></o:p></span></p>
<p class="footer" style="mso-margin-top-alt:3.75pt;margin-right:0cm;margin-bottom:7.5pt;margin-left:0cm;line-height:9.0pt">
<span style="font-size:7.5pt;font-family:"Helvetica",sans-serif;color:#747676">This email has been sent from an auto-notification system that cannot accept incoming email.<o:p></o:p></span></p>
<p class="footer" style="mso-margin-top-alt:3.75pt;margin-right:0cm;margin-bottom:15.0pt;margin-left:0cm;line-height:9.0pt">
<span style="font-size:7.5pt;font-family:"Helvetica",sans-serif;color:#747676">This email was sent to
<a href="mailto:thesanyalfamily@gmail.com">thesanyalfamily@gmail.com</a>. We respect your privacy. Please review our
<a href="https://www.verizon.com/about/privacy/">Privacy Policy</a> If you think this email was sent in error or you'd like to change how you receive your notification,
<a href="https://www.verizon.com/privacy/your-data/idp/eud/ln?GUID=aHkTu4k1hPaQumaLjRRtVRUSaUwDZmUsbfsLhFFydaHkTBJ47QUIBiwFTI2DAcDemH2wvwjoTEG7EFn81xrgorO2y9XwnHSxsTHpvCP48%2FAY%2F4h9r4EtUY69Qp3pQKszwl5VpfHr7arsDxdqfk1612Uh9OYNjWXpIPTTQ2Yid7U%3D">
click here</a><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"><img border="0" id="_x0000_i1026" src="http://www.verizon.com/econtact/ecrm/EmailTracking.serv?TXID=R20200730_2025674917"><o:p></o:p></p>
</div>
</blockquote>
</div>
</div>
</body>
</html>