Hello folks, Before you shoot me with 'wrong mailing list' replies, believe me, I tried, THNOG is dead, APNIC ain't responding either and the ISP's over there don't seem to care much. And I've been looking at this situation for over 2 years now since first incident. I simply hope that with the contacts you folks have due to your professions to be able to help. So, I came across this botnet which decided to pick my IRC network as control center, and I have been digging into them. It turns out that in Thailand, people can easily get cloned modems in order to internet for 'free', it simply boils down to mac cloning, so let me spare you the details. The problem is that these modems also carry a digital STD in the form of additional botnet code, allowing the controllers to do, well, botnet stuff. I disabled their ability to control by glining everything on join to the control channel, and since I am maintainer of DroneBL, add them to the blacklist. Doing that for 2+ years now. The amount of removal requests because people no longer are able to play on cncnet is amazing. My question here kinda is, how to permanently get rid of this evil in an effective way, and who to contact? (yes, I tried to get through to NOC's of the affected providers), or could perhaps someone be so nice to use one of their contacts in Thailand to speed things up? Kind regards, Alexander Maassen Maintainer DroneBL
I don't know what you tried in APNIC, my experience is that they are usually responding very quickly. Have you tried the abuse contacts of the ISP? If they fail, have you tried to escalate to escalation-abuse@apnic.net, following our abuse-mailbox proposal (https://www.apnic.net/wp-content/uploads/2018/08/prop-125-v001.txt), which was adopted long time ago? You could also try the APNIC Talk mailing list. Regards, Jordi @jordipalet El 11/8/20 15:10, "NANOG en nombre de Alexander Maassen" <nanog-bounces+jordi.palet=consulintel.es@nanog.org en nombre de outsider@scarynet.org> escribió: Hello folks, Before you shoot me with 'wrong mailing list' replies, believe me, I tried, THNOG is dead, APNIC ain't responding either and the ISP's over there don't seem to care much. And I've been looking at this situation for over 2 years now since first incident. I simply hope that with the contacts you folks have due to your professions to be able to help. So, I came across this botnet which decided to pick my IRC network as control center, and I have been digging into them. It turns out that in Thailand, people can easily get cloned modems in order to internet for 'free', it simply boils down to mac cloning, so let me spare you the details. The problem is that these modems also carry a digital STD in the form of additional botnet code, allowing the controllers to do, well, botnet stuff. I disabled their ability to control by glining everything on join to the control channel, and since I am maintainer of DroneBL, add them to the blacklist. Doing that for 2+ years now. The amount of removal requests because people no longer are able to play on cncnet is amazing. My question here kinda is, how to permanently get rid of this evil in an effective way, and who to contact? (yes, I tried to get through to NOC's of the affected providers), or could perhaps someone be so nice to use one of their contacts in Thailand to speed things up? Kind regards, Alexander Maassen Maintainer DroneBL ********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
On Tue, Aug 11, 2020 at 9:31 AM JORDI PALET MARTINEZ via NANOG <nanog@nanog.org> wrote:
I don't know what you tried in APNIC, my experience is that they are usually responding very quickly.
Have you tried the abuse contacts of the ISP?
For the Thai ISP space you might also get some traction just talking to the thai cert org. h ttps://www.thaicert.or.th/about-en.html perhaps even this path: https://www.thaicert.or.th/report-en.html
If they fail, have you tried to escalate to escalation-abuse@apnic.net, following our abuse-mailbox proposal (https://www.apnic.net/wp-content/uploads/2018/08/prop-125-v001.txt), which was adopted long time ago?
You could also try the APNIC Talk mailing list.
Regards, Jordi @jordipalet
El 11/8/20 15:10, "NANOG en nombre de Alexander Maassen" <nanog-bounces+jordi.palet=consulintel.es@nanog.org en nombre de outsider@scarynet.org> escribió:
Hello folks,
Before you shoot me with 'wrong mailing list' replies, believe me, I tried, THNOG is dead, APNIC ain't responding either and the ISP's over there don't seem to care much. And I've been looking at this situation for over 2 years now since first incident. I simply hope that with the contacts you folks have due to your professions to be able to help.
So, I came across this botnet which decided to pick my IRC network as control center, and I have been digging into them. It turns out that in Thailand, people can easily get cloned modems in order to internet for 'free', it simply boils down to mac cloning, so let me spare you the details. The problem is that these modems also carry a digital STD in the form of additional botnet code, allowing the controllers to do, well, botnet stuff.
I disabled their ability to control by glining everything on join to the control channel, and since I am maintainer of DroneBL, add them to the blacklist. Doing that for 2+ years now. The amount of removal requests because people no longer are able to play on cncnet is amazing.
My question here kinda is, how to permanently get rid of this evil in an effective way, and who to contact? (yes, I tried to get through to NOC's of the affected providers), or could perhaps someone be so nice to use one of their contacts in Thailand to speed things up?
Kind regards,
Alexander Maassen Maintainer DroneBL
********************************************** IPv4 is over Are you ready for the new Internet ? http://www.theipv6company.com The IPv6 Company
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
Alexander Maassen wrote:
It turns out that in Thailand, people can easily get cloned modems in order to internet for 'free',
I think you failed to explain that, in Thailand, wiretapping is commonly performed by people illegally having free Internet access, against which MAC address is used, in vain, to identify true users.
it simply boils down to mac cloning,
Of course.
My question here kinda is, how to permanently get rid of this evil in an effective way,
Let access ISPs use TDR (Time Domain Reflectometry) to detect wiretapping, which requires periodic monitoring, which costs. Or, though less elegantly, password protection by something like PPPoE may work, which requires initial cost to change equipment. Anyway, preventing free riding should increase revenue of the ISPs.
and who to contact?
ISPs who want to protect paying customers (maybe, partly from your blacklisting).
(yes, I tried to get through to NOC's of the affected providers),
ISPs can do nothing, unless they know how to prevent free riding by wiretapping without harming paying customers. Masataka Ohta
participants (4)
-
Alexander Maassen
-
Christopher Morrow
-
JORDI PALET MARTINEZ
-
Masataka Ohta