Hi All,

Lately we have seen a lot of attacks from IPs where the PTR record ends in poneytelecom.eu to PBX systems. A quick search on twitter (https://twitter.com/hashtag/poneytelecom) shows multiple people complaining that they reported the IPs yet nothing happens. Has anyone had the pleasure of dealing with them and have you gotten anywhere? I wonder if the only option is public shaming.

I would rather not ban their AS as it may hurt legit traffic but I am out of ideas at this point....

TIA.

Dovid
Have you emailed their abuse or NOC teams with the attack logs from their IPs? Sometimes ISP servers or their customer CPEs are compromised without their knowledge. On Wed, 3 Jan 2018 at 1:56 pm, Dovid Bender <dovid@telecurve.com> wrote:
Dovid,

Back in September, I documented my poor experience with AS12876 here: https://badpackets.net/ongoing-large-scale-sip-attack-campaign-coming-from-online-sas-as12876/ Since then, their handling of abuse notifications (or lack thereof) has largely remained the same. The volume of malicious traffic from their network hasn't decreased either.

As you noted, others have reported similar issues with AS12876, including my associate Dr. Neal Krawetz: https://twitter.com/hackerfactor/status/932593355648667649. I've also compiled a list of complaints regarding AS12876 in this thread: https://twitter.com/bad_packets/status/937220987371732992

Thanks,

Troy Mursch
@bad_packets <https://twitter.com/bad_packets>

On Tue, Jan 2, 2018 at 6:51 PM, Dovid Bender <dovid@telecurve.com> wrote:
On Tue, Jan 02, 2018 at 11:35:14PM -0800, Troy Mursch wrote:
Back in September, I documented my poor experience with AS12876 here:
[snip] That AS has been originating brute-force attacks against ssh, pop, imap, etc. for at least four years (and likely longer, but I didn't have older logs handy). It's also a persistent high-volume source of spam. Its operators are either thoroughly incompetent or fully complicit; there's no way to tell from outside and operationally, it makes no difference. So at minimum I recommend blocking all connections from it to authenticated services and refusing all SMTP traffic from rev.poneytelecom.eu and rev.cloud.scaleway.com. ---rsk
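One way to act on the recommendation above (refuse authenticated services and SMTP from hosts under rev.poneytelecom.eu and rev.cloud.scaleway.com) without the AS-wide ban the original post wanted to avoid. This is an added example, not code from the thread or from any of the operators in it: it counts authentication failures in constructed Asterisk and sshd log lines, keeps only the sources whose reverse name sits under one of the two suffixes, and renders an nftables script that drops those hosts on the authenticated-service ports only, leaving web traffic alone. The two PTR suffixes are the only thing taken from the thread; the port list, the log shapes, the documentation-range addresses, the fake PTR table and every function name are assumptions made for the example.

```python
"""Port-scoped block list from auth-failure logs plus reverse DNS (added example,
not code from the thread). Only the two PTR suffixes come from the thread; all
names, ports, addresses and log lines below are assumptions for illustration."""
import ipaddress
import re
import socket
from collections import Counter

PTR_SUFFIXES = ("rev.poneytelecom.eu", "rev.cloud.scaleway.com")
# Authenticated services only; HTTP(S) is deliberately absent.
AUTH_TCP_PORTS = (22, 25, 110, 143, 465, 587, 993, 995, 5060, 5061)
AUTH_UDP_PORTS = (5060,)
# An Asterisk security-event line and an sshd auth-failure line.
SIP_RE = re.compile(r'SecurityEvent="(?:InvalidAccountID|InvalidPassword|ChallengeResponseFailed)"'
                    r'.*RemoteAddress="IPV4/(?:UDP|TCP)/([\d.]+)/\d+"')
SSH_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from ([\d.]+) port \d+")


def ptr_matches(ptr, suffixes=PTR_SUFFIXES):
    """True if ptr equals a suffix or lies under it on a label boundary, so
    host.notrev.poneytelecom.eu is rejected while a bare endswith() would pass it."""
    if not ptr:
        return False
    name = ptr.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def lookup_ptr(ip, table=None):
    """Reverse-resolve ip; a dict stands in for DNS so the example runs offline."""
    if table is not None:
        return table.get(ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def auth_failures(log_text):
    """Count authentication failures per syntactically valid IPv4 source."""
    counts = Counter()
    for line in log_text.splitlines():
        match = SIP_RE.search(line) or SSH_RE.search(line)
        if match is None:
            continue
        try:
            counts[str(ipaddress.IPv4Address(match.group(1)))] += 1
        except ValueError:  # malformed address in a damaged line
            pass
    return counts


def select_hosts(log_text, min_failures=3, ptr_table=None):
    """Map ip -> (ptr, failures) for sources under a listed suffix with at least
    min_failures failures; min_failures=1 gives rsk's any-contact policy."""
    chosen = {}
    for ip, failures in auth_failures(log_text).items():
        if failures >= min_failures:
            ptr = lookup_ptr(ip, ptr_table)
            if ptr_matches(ptr):
                chosen[ip] = (ptr, failures)
    return chosen


def nft_script(hosts, set_name="hoster_auth_block"):
    """nftables script that drops only the authenticated-service ports from hosts."""
    elems = ", ".join(sorted(hosts, key=ipaddress.IPv4Address))
    tcp = ", ".join(map(str, AUTH_TCP_PORTS))
    udp = ", ".join(map(str, AUTH_UDP_PORTS))
    return "\n".join([
        "table inet filter {",
        f"  set {set_name} {{ type ipv4_addr; elements = {{ {elems} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    ip saddr @{set_name} tcp dport {{ {tcp} }} drop",
        f"    ip saddr @{set_name} udp dport {{ {udp} }} drop",
        "  }",
        "}",
    ])


# Constructed sample data: documentation addresses, not real hosts.
def _sip(ip):
    return ('[2018-01-03 01:12:44] SECURITY[1234] res_security_log.c: SecurityEvent="InvalidPassword",'
            f'EventTV="2018-01-03T01:12:44.001-0500",Severity="Error",Service="SIP",RemoteAddress="IPV4/UDP/{ip}/5060"')


def _ssh(ip):
    return f"Jan  3 01:13:01 pbx sshd[4321]: Failed password for invalid user admin from {ip} port 41234 ssh2"


SAMPLE_LOG = "\n".join(
    [_sip("203.0.113.10")] * 4       # brute force, provider-default PTR
    + [_sip("203.0.113.12")]         # single failure, below threshold
    + [_sip("203.0.113.13")] * 3     # look-alike PTR, must not match
    + [_ssh("203.0.113.11")] * 3     # brute force under the other suffix
    + [_ssh("198.51.100.7")] * 5     # noisy, but a different provider
    + [_ssh("192.0.2.9")] * 2        # no PTR at all
)
FAKE_PTR = {
    "203.0.113.10": "203-0-113-10.rev.poneytelecom.eu.",
    "203.0.113.11": "203-0-113-11.rev.cloud.scaleway.com",
    "203.0.113.12": "203-0-113-12.rev.poneytelecom.eu",
    "203.0.113.13": "203-0-113-13.notrev.poneytelecom.eu",
    "198.51.100.7": "mail.example.net",
}

if __name__ == "__main__":
    print(nft_script(select_hosts(SAMPLE_LOG, ptr_table=FAKE_PTR)))
```

Running the file prints a script you can load with `nft -f`; on the sample data only 203.0.113.10 and 203.0.113.11 end up in the set, while the look-alike name, the single-failure host, the other provider's host and the host with no PTR are all left alone. Two caveats: customers of these hosters can set their own reverse name, so a PTR suffix only catches hosts still carrying the provider default (an AS-wide policy would key on announced prefixes instead), and `socket.gethostbyaddr` is a live query per address, so cache results before feeding it a day of logs.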
AS12876 is online.net... home of the €2.99 physical server, perfect for all of your favorite illegitimate activity. I’m curious how much traffic originates from that ASN that is actually legitimate... probably close to none.
Quite a lot actually. Those servers are fine seedboxes. People also use them for media storage, i.e. online galleries and smaller video streaming sites. Filip
On 4 Jan 2018 at 6:46 am, <Tim Burke> wrote:
AS12876 is online.net... home of the €2.99 physical server, perfect for all of your favorite illegitimate activity. I’m curious how much traffic originates from that ASN that is actually legitimate... probably close to none.
Depends on what "legitimate" means. We have a decent amount of traffic to the network (like 2Gbps sustained in any afternoon). It's typically a mix of bittorrent, tor-relay traffic, ftp-transfers and of course the expected scanners, malware-hosts, ddos-bots and such. For me Poney/Iliad/Online.net/Scaleway has always been a bulletproof hoster (or bulletproof transit even), the response to abuse has always been NIL. I know tons of my customers just block out their whole ip-ranges in their SIP-servers and email-machines to lessen the white-noise. However, judging from the Online.net website it at least seems that they are trying to up their game and look like something that would be attractive to a legitimate business to consider. On the other hand, looking at http://as12876.net/ it looks more like something that would rather fit as a place where I put the shady stuff, so not sure where on the map they fall these days.
AS12876 is online.net... home of the €2.99 physical server, perfect for all of your favorite illegitimate activity. I’m curious how much traffic originates from that ASN that is actually legitimate... probably close to none.
-- hugge
On Thu, Jan 04, 2018 at 09:15:19AM +0100, Fredrik Korsbäck wrote:
For me Poney/Iliad/Online.net/Scaleway has always been a bulletproof hoster (or bulletproof transit even), the response to abuse has always been NIL.
They're still a bulletproof hoster, and they fully support, endorse, and encourage abuse. Not that we really need any more evidence, since they've been furnishing it for years, but this (below) caught my attention this morning. ---rsk
From: Sam <sam@email-scan.com>
Newsgroups: news.admin.net-abuse.email
Subject: Clue level of online.net has been established
Date: Mon, 08 Jan 2018 06:24:36 -0500
The following E-mail response firmly establishes the clue level of this outfit:
From: noreply@online.net
To: postmaster@email-scan.com
Subject: [Online] Abuse #200181 - abuse for failover ip address 212.129.49.22 resolved
ONLINE SAS Technical assistance BP 438 - 75366 Paris CEDEX 08 France
Tel: 01 84 13 00 00
Subject : Abuse notification resolved
Dear Sir or Madam,
Your abuse number 200181 is now closed.
Here is a comment left by our customer: ----------------------------------------------------------------
not spam, marketing mail only
----------------------------------------------------------------
If you have any questions, please contact our assistance https://console.online.net/assistance/
Best regards,
Most VPS / hosting abuse departments are understaffed (if they exist at all), and even when they do dig in, the last thing most of them want to do with razor-thin margins is to shut off a paying customer unless they REALLY REALLY have to. None of this should be a surprise. On Sat, Jan 13, 2018 at 8:49 AM, Rich Kulawiec <rsk@gsp.org> wrote:
On 01/03/2018 09:46 PM, Tim Burke wrote:
AS12876 is online.net... home of the €2.99 physical server, perfect for all of your favorite illegitimate activity. I’m curious how much traffic originates from that ASN that is actually legitimate... probably close to none.
SETI at home? Bitcoin mining?
On Thu, Jan 4, 2018, at 06:46, Tim Burke wrote:
AS12876 is online.net... home of the €2.99 physical server, perfect for all of your favorite illegitimate activity. I’m curious how much traffic originates from that ASN that is actually legitimate... probably close to none.
For you, in the US, probably not so much, but you should really check. For us, here in France, Online is one of the 2 top hosting providers (they even have several neutral datacenters where they lease racks/cages/datarooms) with quite enough legitimate traffic. I say enough, since 10s of MBps of traffic to classic (locally) well-known sites is easily hidden by spikes due to file transfer (they are also popular here for hosting private off-site backups; they actually even have an archiving service) or bittorrent. I also saw a mention of Iliad, their parent company, stock-listed (ILD on Euronext Paris), as "bulletproof hosting". You should note that they also own one of the top 4 ISPs here in France and one of the 4 frequency-owning mobile operators. But those each run on separate networks. One should probably do some minimal research on non-US companies before accusing. PS: No, I don't work for them. I just happen to be personally a customer of 3 of the Iliad-owned companies (Online.net being one of them).
participants (10): Ahad Aboss, Dovid Bender, Filip Hruska, Fredrik Korsbäck, Radu-Adrian Feurdean, Rich Kulawiec, Stephen Satchell, Tim Burke, Tom Beecher, Troy Mursch