[HECnet] Verizon Security! Fwd: Security notice

Keith Halewood Keith.Halewood at pitbulluk.org
Thu Jul 30 12:43:54 PDT 2020


Hi,

I assume you have a fixed IP address. In the UK, it seems to be the default that fixed IP address => running inbound services of some sort, whereas a dynamic IP address comes with assumptions that, at the very least, there’ll be nothing outbound to ports like 25.

I have no idea what level of competence Verizon have. What I will do is tell you of my experience of running inbound services and why, apart from any traffic you think you may be generating/attracting on those ports, there may be more happening.

I have a fixed range of IPv4 addresses at home and a 48-bit IPv6 prefix. NAT and the firewall permit certain inbound connections. As some of you HECnet’ers may be aware, I restrict NAT translations on various ports through my gateway IP address to small ranges of subnets. This avoids a whole load of potential issues and those outside of those subnets do not even get to traverse NAT arrangements. Incidentally, I’d love it if this were over IPv6.

I have HTTP, HTTPS and VPN inbound traffic over both IPv4 and IPv6 and this is necessarily nowhere near as restricted as the HECnet over IP connectivity.
Quite a few months ago now, there were consequences associated with this thanks to a mixture of nosey so-called internet research companies and the relatively cheap resources anyone can acquire from hosting companies desperate to attract business.

Internet “research” companies leave quite a few footprints in my router logs with port scans. They make their internet “maps” available to their clients, some of whom are clearly cyber-criminals.
Cyber criminals hosted in the clouds shovelling out spam is relatively easy to deal with and, if you’re persistent enough, reasonably straightforward to have evicted.
Those criminals who don’t spam tend to spoof their victims’ IP addresses and send my (and possibly your) inbound services a SYN, which my (and your) services ACK… to their victims. As I (and possibly you) are just one (or two) collateral victims amongst hundreds or thousands, their prime victims are flooded – reflective DDOS attacks. It’s even worse if you make UDP services available.

My inbound services have been used like this quite a few times in the past, as well as simply being the target of attack.

I have had to customise router firmware in some instances and introduce semi-‘intelligent’ blocks elsewhere to mitigate most of this.

For example, the firewall never passes the first few SYNs on from any inbound connection attempt. You could say this is similar to greylisting. Given that reflective DDOS attacks have spoofed their source address, there’s no feedback to the bastard initiating the attack anyway. So in theory, it is very difficult to co-opt my systems into amplifying an attack. For more ‘personal’ attacks, the firewall’s built-in DOS mitigation, with some additional analysis of its emitted events and subsequent blocking, can fend off a lot more.

Sorry for the ramble. To cut a long story short, it’s marginally possible that Verizon are reacting, in their ham-fisted way, to a load of suspicious traffic you’re not even aware that you’re generating. Then again, it’s Verizon, so who knows if there’s any logic behind it. Check with whatever equivalent of ‘netstat’ you have to see if you have groups of 6-10 syn_acks (I think that’s what they are – I’m too lazy to check my own source code) to the same outside IP address (and possibly the same port, especially if it’s a well-known one like 80, 443, 25, or the really dangerous UDP ones like NTP, DNS etc.).

Standing down

Keith
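The netstat check described above, as an added example that is not part of the original message: a small Python script that parses `netstat -tan` output (Linux column layout assumed) and groups half-open connections by peer address. A server that has answered a SYN with a SYN-ACK and is still waiting for the peer's final ACK shows that socket in state SYN_RECV (netstat) or SYN-RECV (ss); a cluster of such sockets to one outside address that never completes the handshake is the pattern of spoofed-source reflection described in the message. The sample output, the addresses in it, and the script name in the usage comment are all constructed for this example.

```python
import sys
from collections import defaultdict

# Constructed sample of `netstat -tan` output (Linux column layout); not real data.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:443          198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.10:443          198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.10:443          198.51.100.7:40003      SYN_RECV
tcp        0      0 192.0.2.10:443          198.51.100.7:40004      SYN_RECV
tcp        0      0 192.0.2.10:443          198.51.100.7:40005      SYN_RECV
tcp        0      0 192.0.2.10:443          198.51.100.7:40006      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40007      SYN_RECV
tcp        0      0 192.0.2.10:443          203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.9:51300       SYN_RECV
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 2001:db8::10:443        2001:db8:ffff::1:5000   SYN_RECV
tcp6       0      0 2001:db8::10:443        2001:db8:ffff::1:5001   SYN_RECV
"""

# State shown for a socket that has sent SYN-ACK and awaits the peer's ACK
# (netstat spells it SYN_RECV, ss spells it SYN-RECV).
HALF_OPEN_STATES = {"SYN_RECV", "SYN-RECV"}


def split_hostport(endpoint):
    """Split 'host:port' on the last colon so IPv6 literals survive; '*' port -> None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_sockets(text):
    """Yield (local_host, local_port, remote_host, remote_port, state) for each
    tcp/tcp6 row of netstat -tan output; the header and non-TCP rows are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        lhost, lport = split_hostport(fields[3])
        rhost, rport = split_hostport(fields[4])
        yield lhost, lport, rhost, rport, fields[5]


def find_reflection_suspects(text, threshold=6):
    """Group half-open connections by peer address and return the peers with at
    least `threshold` of them, as {peer_ip: {"count": n, "local_ports": [...]}}.
    Many SYN-ACKs outstanding to one address that never completes the handshake
    is the signature of our service answering spoofed SYNs aimed at that address."""
    per_peer = defaultdict(lambda: {"count": 0, "local_ports": set()})
    for _lhost, lport, rhost, _rport, state in parse_sockets(text):
        if state not in HALF_OPEN_STATES:
            continue
        per_peer[rhost]["count"] += 1
        per_peer[rhost]["local_ports"].add(lport)
    return {
        ip: {"count": e["count"], "local_ports": sorted(e["local_ports"])}
        for ip, e in per_peer.items()
        if e["count"] >= threshold
    }


if __name__ == "__main__":
    # Pipe real output in (`netstat -tan | python3 synrecv_check.py`); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for ip, info in sorted(find_reflection_suspects(text).items()):
        print(f"{ip}: {info['count']} half-open connections on local ports {info['local_ports']}")
```

A handful of SYN_RECV entries to one peer is normal (a client behind NAT opening several connections at once, or a lossy path); what matters is a group that stays half-open and recurs with the same outside address across samples, since a genuine client completes the handshake within a few hundred milliseconds. The threshold of 6 follows the "groups of 6-10" figure in the message and should be tuned to the service. UDP services give no such state to inspect, which is one reason they are the more dangerous reflectors.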

From: owner-hecnet at Update.UU.SE On Behalf Of Supratim Sanyal
Sent: 30 July 2020 19:15
To: hecnet at Update.UU.SE
Subject: [HECnet] Verizon Security! Fwd: Security notice

Verizon is tightening the screw. I think I will give up now. It was explained to me over a telephone call to their security department that I cannot have any of the following ports open at home.

80
81
554
8xxx
9xxx


From: Verizon Notification <verizon-notification at verizon.com>
Date: July 30, 2020 at 12:32:48 PM EDT
To: thesanyalfamily at gmail.com
Subject: Security notice
Reply-To: Verizon Notification <verizon-notification at verizon.com>

Hi,

Attention Verizon Customer,

Our network monitoring tools have detected significant amounts of harmful network traffic coming from your home or office network. It is likely that a device within your home or office is infected with malware; we believe the device could be a network security camera, network video recorder, or similar device.

These devices are being targeted by hackers. The hackers are leveraging potential security flaws in the hardware / software to stage large scale attacks against other networks and devices.

Pursuant to Verizon's Terms of Service and Acceptable Use Policy, we are asking you to disconnect any such devices from your home or office network. This is an effort to protect your privacy and network. We ask that you contact the manufacturer's support department to determine how to properly secure the device, including closing any network ports on the device(s) exposed to the public Internet. Once fully patched with the most up to date firmware and software, please ensure that you protect access to the device by changing the admin login credentials. Use a strong password for all access points including remote viewing of the cameras. Once that is complete you may return the device to your network.

Should these efforts fail and the device is once again found to be leveraged as an attack host, we will ask for the removal of the device until the vendor can devise an acceptable remediation.

You must take the necessary steps to remove this device from your network as soon as possible. Failure to remove this device is a violation of the Verizon Online Acceptable Use Policy and may result in the following:

- Future suspension and/or termination of your Internet Services.

Additional suggestions and precautions can be viewed at verizon.com/securityinfo or visit the website of your hardware vendor.

You may contact Verizon support at 888-553-1555

Verizon will never ask you to provide or verify personal or account information by email.

Thanks for your prompt attention.

Verizon Internet Abuse Investigations Team
22001 Loudoun County Parkway
Ashburn, VA 20147
