On Tue, Mar 4, 2014 at 5:46 AM, fmm <vovan@fakmoymozg.ru> wrote:
On Tue, 04 Mar 2014 09:00:18 +0100, Jay Ashworth <jra@baylink.com> wrote:
http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-...
Is there any valid reason not to black hole those /32s on the back bone?
The telltale sign a router has been compromised is DNS settings that have been changed to 5.45.75.11 and 5.45.76.36. Team Cymru researchers contacted the provider that hosts those two IP addresses but have yet to receive a response.
You wanted to say "blackhole those 5.45.72.0/22 and 5.45.76.0/22", didn't you?
Cheers
Jay is right, it is just the /32s at the moment... Dropping the /22s could cause other sites to be blocked.

inetnum:        5.45.72.0 - 5.45.75.255
netname:        INFERNO-NL-DE
descr:          ********************************************************
descr:          * We provide virtual and dedicated servers on this Subnet.
descr:          *
descr:          * Those services are self managed by our customers
descr:          * therefore, we are not using this IP space ourselves
descr:          * and it could be assigned to various end customers.
descr:          *
descr:          * In case of issues related with SPAM, Fraud,
descr:          * Phishing, DDoS, portscans or others,
descr:          * feel free to contact us with relevant info
descr:          * and we will shut down this server: abuse@3nt.com
descr:          ********************************************************
country:        NL
admin-c:        TNTS-RIPE
tech-c:         TNTS-RIPE
status:         ASSIGNED PA
mnt-by:         MNT-3NT
mnt-routes:     serverius-mnt
source:         RIPE # Filtered

--
~ Andrew "lathama" Latham lathama@gmail.com http://lathama.net ~
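To put numbers on the /32-versus-/22 question in the thread, here is an added Python example (not part of the list discussion) that flags the rogue resolver addresses quoted from the article in a resolver configuration and computes how many unrelated addresses a blackhole of a given prefix would also take down; the resolv.conf text is a constructed sample.

```python
import ipaddress

# The two rogue DNS servers named in the quoted Ars Technica report.
ROGUE_DNS = {ipaddress.ip_address("5.45.75.11"),
             ipaddress.ip_address("5.45.76.36")}

# Constructed sample of a home router's resolver settings (not real data).
SAMPLE_RESOLV_CONF = """\
# resolver settings pushed to the LAN by the router
nameserver 5.45.75.11
nameserver 5.45.76.36
"""


def nameservers(resolv_conf_text):
    """Extract the server addresses from 'nameserver <ip>' lines."""
    return [line.split()[1] for line in resolv_conf_text.splitlines()
            if line.strip().startswith("nameserver")]


def rogue_resolvers(resolver_ips):
    """Return the configured resolvers that match the rogue-DNS indicators."""
    return sorted(ip for ip in map(ipaddress.ip_address, resolver_ips)
                  if ip in ROGUE_DNS)


def covering_prefix(ips):
    """Smallest single prefix that contains every address in ips."""
    addrs = [ipaddress.ip_address(ip) for ip in ips]
    for plen in range(32, -1, -1):  # widen until all addresses fit
        net = ipaddress.IPv4Network((int(addrs[0]), plen), strict=False)
        if all(a in net for a in addrs):
            return net


def collateral(prefix, indicators):
    """Addresses inside prefix that are not indicators: what a blackhole
    route for that prefix would drop besides the rogue servers."""
    net = ipaddress.ip_network(prefix)
    hits = sum(1 for ip in indicators if ipaddress.ip_address(ip) in net)
    return net.num_addresses - hits


if __name__ == "__main__":
    bad = [str(ip) for ip in rogue_resolvers(nameservers(SAMPLE_RESOLV_CONF))]
    print("rogue resolvers configured:", bad)
    for pfx in ("5.45.75.11/32", "5.45.72.0/22", str(covering_prefix(ROGUE_DNS))):
        print(f"blackholing {pfx} hits {collateral(pfx, ROGUE_DNS)} other addresses")
```

The same `collateral` check applies to any indicator list and candidate prefix, which is useful before pushing a blackhole route that is wider than a host route.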