[HECnet] Verizon Security! Fwd: Security notice

Johnny Billquist bqt at softjar.se
Thu Jul 30 14:12:23 PDT 2020


Just as a short comment on this (not really helping much, as brain dead 
ISPs can't really be helped in any way).

If someone is running an RSX system facing the world, even doing things 
like DDOS using SYNs with fake source address will be detected by BQTCP, 
and they will be blocked after a few packets. So RSX systems on the 
internet in general are not very useful to such abusers.

Mim and Magica are constantly blocking various destinations because of 
various abusive patterns.

On Magica, right now, the block list looks like this:

.ifc sho fil
SPOOF filter active. Receiving task is SPOOF
Filter table:
IP                                                 Match count
024-183-202-208.res.spectrum.com                   441
52.224.95.217                                      43
dsl-dhcp-katytxxchrc-64-92-46-200.consolidated.    552
ca-east.vpn.courvix.com                            76
HoneyPot.alexavpn.com                              9
clbaon0201w-grc-13-70-27-59-151.dsl.bell.ca        48
5ad2fc30.bb.sky.com                                306
93.186.198.189                                     14
76.206.16.185.baremetal.zare.com                   38
switchess.cc                                       20
193.33.87.214                                      117
194.180.224.112                                    19

The last week or so, Magica has been hammered pretty hard all the time, 
and has blocked/dropped about 450,000 packets.

Mim is currently not being hit that much, but has been before.

   Johnny

On 2020-07-30 21:43, Keith Halewood wrote:
> Hi,
> 
> I assume you have a fixed IP address. In the UK, it seems to be the 
> default that fixed IP address => running inbound services of some sort, 
> whereas a dynamic IP address comes with assumptions that, at the very 
> least, there’ll be nothing outbound to ports like 25.
> 
> I have no idea what level of competence Verizon have. What I will do is 
> tell you of my experience of running inbound services and why, apart 
> from any traffic you think you may be generating/attracting on those 
> ports, there may be more happening.
> 
> I have a fixed range of IPv4 addresses at home and a 48bit IPv6 prefix. 
> NAT and the firewall permit certain inbound connections. As some of you 
> HECnet’ers may be aware, I restrict NAT translations on various ports 
> through my gateway IP address to small ranges of subnets. This avoids a 
> whole load of potential issues and those outside of those subnets do not 
> even get to traverse NAT arrangements. Incidentally, I’d love it if this 
> were over IPv6.
> 
> I have HTTP, HTTPS and VPN inbound traffic over both IPv4 and IPv6 and 
> this is necessarily nowhere near as restricted as the HECnet over IP 
> connectivity.
> 
> Quite a few months ago now, there were consequences associated with this 
> thanks to a mixture of nosey so-called internet research companies and 
> the relatively cheap resources anyone can acquire from hosting companies 
> desperate to attract business.
> 
> Internet “research” companies leave quite a few footprints in my router 
> logs with port scans. They make their internet “maps” available to their 
> clients, some of whom are clearly cyber-criminals.
> 
> Cyber criminals hosted in the clouds shovelling out spam is relatively 
> easy to deal with and, if you’re persistent enough, reasonably 
> straightforward to have evicted.
> 
> Those criminals who don’t spam tend to spoof their victims’ IP addresses 
> and send my (and possibly your) inbound services a SYN, which my (and 
> your) services ACK… to their victims. As I (and possibly you) are just 
> one (or two) collateral victims amongst hundreds or thousands, their 
> prime victims are flooded – reflective DDOS attacks. It’s even worse if 
> you make UDP services available.
> 
> My inbound services have been used like this quite a few times in the 
> past, as well as simply being the target of attack.
> 
> I have had to customise router firmware in some instances and introduce 
> semi-‘intelligent’ blocks elsewhere to mitigate most of this.
> 
> For example, the firewall never passes the first few SYNs on from any 
> inbound connection attempt. You could say this is similar to 
> greylisting. Given that reflective DDOS attacks have spoofed their 
> source address, there’s no feedback to the bastard initiating the attack 
> anyway. So in theory, it is very difficult to co-opt my systems into 
> amplifying an attack. For more ‘personal’ attacks, the firewall’s built 
> in DOS mitigation, with some additional analysis of its emitted events 
> and subsequent blocking can fend off a lot more.
> 
> Sorry for the ramble. To cut a long story short, it’s marginally 
> possible that Verizon are reacting, in their ham-fisted way, to a load 
> of suspicious traffic you’re not even aware that you’re generating. Then 
> again, it’s Verizon, so who knows if there’s any logic behind it. Check 
> with whatever equivalent of ‘netstat’ you have to see if you have groups 
> of 6-10 syn_acks (I think that’s what they are – I’m too lazy to check 
> my own source code) to the same outside IP address (and possibly the 
> same port, especially if it's a well-known one like 80, 443, 25, or the 
> really dangerous UDP ones like NTP, DNS etc.).
> 
> Standing down
> 
> Keith
> 
> *From:*owner-hecnet at Update.UU.SE [mailto:owner-hecnet at Update.UU.SE] *On 
> Behalf Of *Supratim Sanyal
> *Sent:* 30 July 2020 19:15
> *To:* hecnet at Update.UU.SE
> *Subject:* [HECnet] Verizon Security! Fwd: Security notice
> 
> Verizon is tightening the screw. I think I will give up now. It was 
> explained to me over a telephone call to their security department that 
> I cannot have any of the following ports open at home.
> 
> 80
> 81
> 554
> 8xxx
> 9xxx
> 
>     *From:* Verizon Notification <verizon-notification at verizon.com
>     <mailto:verizon-notification at verizon.com>>
>     *Date:* July 30, 2020 at 12:32:48 PM EDT
>     *To:* thesanyalfamily at gmail.com <mailto:thesanyalfamily at gmail.com>
>     *Subject:* *Security notice*
>     *Reply-To:* Verizon Notification <verizon-notification at verizon.com
>     <mailto:verizon-notification at verizon.com>>
> 
>     Hi,
> 
>     Attention Verizon Customer,
> 
> 
>     Our network monitoring tools have detected significant amounts of
>     harmful network traffic coming from your home or office network. It
>     is likely that a device within your home or office is infected with
>     malware; we believe the device could be a network security camera,
>     network video recorder, or similar device.
> 
> 
>     These devices are being targeted by hackers. The hackers are
>     leveraging potential security flaws in the hardware / software to
>     stage large scale attacks against other networks and devices.
> 
> 
>     Pursuant to Verizon's Terms of Service and Acceptable Use Policy, we
>     are asking you to disconnect any such devices from your home or
>     office network. This is an effort to protect your privacy and
>     network. We ask that you contact the manufacturer's support
>     department to determine how to properly secure the device, including
>     closing any network ports on the device(s) exposed to the public
>     Internet. Once fully patched with the most up to date firmware and
>     software, please ensure that you protect access to the device by
>     changing the admin login credentials. Use a strong password for all
>     access points including remote viewing of the cameras. Once that is
>     complete you may return the device to your network.
> 
> 
>     Should these efforts fail and the device is once again found to be
>     leveraged as an attack host, we will ask for the removal of the
>     device until the vendor can devise an acceptable remediation.
> 
> 
>     You must take the necessary steps to remove this device from your
>     network as soon as possible. Failure to remove this device is a
>     violation of the Verizon Online Acceptable Use Policy and may result
>     in the following:
> 
> 
>     - Future suspension and/or termination of your Internet Services.
> 
> 
>     Additional suggestions and precautions can viewed at
>     verizon.com/securityinfo <http://verizon.com/securityinfo> or visit
>     the website of your hardware vendor.
> 
> 
>     You may contact Verizon support at 888-553-1555
> 
>     Verizon will never ask you to provide or verify personal or account
>     information by email.
> 
>     Thanks for your prompt attention.
> 
>     Verizon Internet Abuse Investigations Team
>     22001 Loudoun County Parkway
>     Ashburn, VA 20147
> 
>     © 2020 Verizon. All Rights Reserved.
> 
> 

-- 
Johnny Billquist                  || "I'm on a bus
                                   ||  on a psychedelic trip
email: bqt at softjar.se             ||  Reading murder books
pdp is alive!                     ||  tryin' to stay hip" - B. Idol
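One way to run the netstat check Keith suggests, as an added example that is not part of this thread: a small Python script that parses Linux `netstat -tn` style output (a constructed sample using RFC 5737 documentation addresses) and reports outside hosts with a cluster of half-open connections, which is what our own SYN-ACKs being reflected at a spoofed "source" look like from the server side. The default threshold of 6 follows the 6-10 figure in the post; the function and state names are this example's own.

```python
from collections import Counter, defaultdict

# Constructed sample in the layout of Linux "netstat -tn"; addresses are
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51237      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51238      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51239      SYN_RECV
tcp        0      0 203.0.113.10:443        198.51.100.7:51240      SYN_RECV
tcp        0      0 203.0.113.10:443        192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40002        SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.99:2200         ESTABLISHED
"""

# Half-open states: we sent a SYN-ACK and the "client" never answered.
HALF_OPEN = {"SYN_RECV", "SYN_RCVD"}  # Linux and BSD spellings

def split_host_port(addr):
    """Split 'host:port' (also '[v6addr]:port') into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)

def parse_netstat(text):
    """Yield (local_port, foreign_host, state) for each TCP connection line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header, blank or non-TCP line
        _, local_port = split_host_port(fields[3])
        foreign_host, _ = split_host_port(fields[4])
        yield local_port, foreign_host, fields[5]

def find_reflection_targets(text, threshold=6):
    """Foreign hosts with at least `threshold` half-open connections, as
    {host: {"count", "local_ports"}}: many SYN-ACKs to one outside address
    that never answers means our services are reflecting at that address."""
    half_open, ports = Counter(), defaultdict(set)
    for local_port, host, state in parse_netstat(text):
        if state in HALF_OPEN:
            half_open[host] += 1
            ports[host].add(local_port)
    return {host: {"count": n, "local_ports": sorted(ports[host])}
            for host, n in half_open.items() if n >= threshold}
```

Feed it the real output of `netstat -tn` and a single outside address holding a pile of SYN_RECV entries across your public ports is the pattern worth blocking; on the sample, only 198.51.100.7 is reported.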

