[nsp-sec] Cisco customers experiencing grief from 212.73.150.63
Smith, Donald
Donald.Smith at CenturyLink.com
Thu Sep 19 17:17:22 EDT 2019
How much of this can be shared?
Upstreams might be willing to look at this and perhaps block it?
$ whois -h upstream-whois.cymru.com 212.73.150.63
PEER_AS | IP | AS Name
174 | 212.73.150.63 | COGENT-174 - Cogent Communications, US
2914 | 212.73.150.63 | NTT-COMMUNICATIONS-2914 - NTT America, Inc., US
3356 | 212.73.150.63 | LEVEL3 - Level 3 Parent, LLC, US
6939 | 212.73.150.63 | HURRICANE - Hurricane Electric LLC, US
Traceroute goes through cogentco.
13 189 ms 304 ms 306 ms be2182.ccr41.ams03.atlas.cogentco.com [154.54.77.245]
14 203 ms 306 ms 308 ms be2813.ccr41.fra03.atlas.cogentco.com [130.117.0.122]
15 206 ms 305 ms 306 ms be2959.ccr21.muc03.atlas.cogentco.com [154.54.36.54]
16 468 ms 306 ms 307 ms be2974.ccr51.vie01.atlas.cogentco.com [154.54.58.6]
17 477 ms 307 ms 306 ms be3420.ccr51.beg03.atlas.cogentco.com [130.117.0.70]
18 380 ms 334 ms 279 ms be3421.ccr31.sof02.atlas.cogentco.com [130.117.0.93]
19 456 ms 306 ms 307 ms 149.6.69.178
20 347 ms 173 ms 338 ms v70461.vps-ag.com [212.73.150.63]
We also use ASAs; if it is OK to share, I can ask our MSS guys if they're seeing this too.
Could also run a netflow report to see if they're hitting our customers.
if (initial_ttl!=255) then (rfc5082_compliant==0)
Donald.Smith at centurylink.com
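The netflow check Donald mentions, as an added example (not code from the thread, CenturyLink or Cisco): it runs over constructed flow records and reports which customer addresses the source hit on 443/tcp and whether each fits the two-attempts-per-target pattern Gerard describes. The sample records, the 10-second window and the reading of "sequential" as back-to-back in time are assumptions.

```python
from collections import defaultdict

SUSPECT_SRC = "212.73.150.63"   # source address named in the thread
TARGET_PORT = 443               # port the ASAs were being hit on, per the thread

# Constructed sample flow records, not real traffic:
# (start_epoch, src_ip, src_port, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    (1568920001, "212.73.150.63", 40211, "198.51.100.10", 443, "tcp"),
    (1568920002, "212.73.150.63", 40212, "198.51.100.10", 443, "tcp"),
    (1568920040, "212.73.150.63", 40213, "198.51.100.25", 443, "tcp"),
    (1568920041, "212.73.150.63", 40214, "198.51.100.25", 443, "tcp"),
    (1568920100, "203.0.113.7",   51000, "198.51.100.10", 443, "tcp"),  # ordinary client
    (1568920150, "212.73.150.63", 40215, "198.51.100.40", 22,  "tcp"),  # other port, ignored
    (1568920200, "212.73.150.63", 40216, "198.51.100.60", 443, "tcp"),  # single attempt
]

def targets_hit(flows, src=SUSPECT_SRC, dport=TARGET_PORT):
    """Map dst_ip -> time-ordered [(start, src_port), ...] for TCP flows from src to dport."""
    hits = defaultdict(list)
    for start, sip, sport, dip, dp, proto in flows:
        if sip == src and dp == dport and proto == "tcp":
            hits[dip].append((start, sport))
    return {dip: sorted(a) for dip, a in hits.items()}

def two_probe_pattern(attempts, max_gap=10):
    """Gerard's observation: 2 attempts per target over sequential TCP sockets.
    Assumed reading: exactly two connections opened within max_gap seconds of
    each other (max_gap is an assumption, not a value from the thread)."""
    if len(attempts) != 2:
        return False
    (t1, _), (t2, _) = attempts
    return t2 - t1 <= max_gap

def report(flows):
    """Per target: how many attempts the source made and whether they fit the pattern."""
    return {dip: {"attempts": len(a), "pattern": two_probe_pattern(a)}
            for dip, a in targets_hit(flows).items()}

if __name__ == "__main__":
    # Each listed target is a candidate for the ACL drop TAC recommends and for notification.
    for dip, info in sorted(report(SAMPLE_FLOWS).items()):
        print(dip, info)
```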
________________________________________
From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of Dario Ciccarone (dciccaro) [dciccaro at cisco.com]
Sent: Thursday, September 19, 2019 3:06 PM
To: Barry Greene
Cc: White, Gerard; Nsp-Security List
Subject: Re: [nsp-sec] Cisco customers experiencing grief from 212.73.150.63
----------- nsp-security Confidential --------
Thanks for the suggestion, Barry!
That would seem indeed to be an option. At this point in time, we still hope this is all a big misunderstanding, and that we will somehow be able to convince whoever is doing it to stop, if we ask them kindly.
But if it doesn't work and the trend of crashed ASAs continues or worsens . . .
Thanks,
Dario
On 9/19/19, 4:39 PM, "Barry Greene" <bgreene at senki.org> wrote:
What if we did an ask to selectively Black Hole 212.73.150.63?
> On Sep 19, 2019, at 1:32 PM, Dario Ciccarone (dciccaro) <dciccaro at cisco.com> wrote:
>
> ----------- nsp-security Confidential --------
>
> Gerard:
>
> Thanks for getting back to me on this!
>
> And thanks for sharing this information - we appreciate the confirmation that this activity cannot be considered "benign" or "well-intentioned".
>
> We will continue with our attempts to somehow establish a communication channel with this SP, and hopefully get to the bottom of this.
>
> Thanks again,
> Dario
>
>
>
> On 9/19/19, 4:05 PM, "White, Gerard" <gerard.white at bellaliant.ca> wrote:
>
> Greetings.
>
> Definitely not port scanning, this /32 is doing "selective" hits... appears to be operating on a specific "list" of targets. Makes 2 attempts per target using 2 sequential TCP sockets.
>
> GW
>
> -----Original Message-----
> From: nsp-security <nsp-security-bounces at puck.nether.net> On Behalf Of Dario Ciccarone (dciccaro)
> Sent: September-19-19 2:08 PM
> To: nsp-security at puck.nether.net
> Subject: [EXT][nsp-sec] Cisco customers experiencing grief from 212.73.150.63
>
> ----------- nsp-security Confidential --------
>
> Folks:
>
> As the subject says – some of our customers are having a hard time of it thanks to 212.73.150.63. This IP address is connecting to our customers’ ASA devices on port 443/tcp, and triggering CSCvi16029 – which was released as part of a Cisco Security Advisory back in 2018 - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
>
> We have seen a significant spike in crashes in the last two weeks, and TAC has been able to track those down to connections from this IP address. The vulnerability characteristics are such that we can rule out these crashes being triggered “by accident” – we are pretty sure these connections are either attempts to find Cisco ASA devices affected by this vulnerability, OR attempts to exploit a similar vulnerability in someone else’s device. But they’re certainly not benign.
>
> We have contacted the abuse contact listed in WHOIS ('abuse at vpsag.com') but we have NOT YET received an answer to our contact attempts. I’m hence reaching out to the nsp-sec constituency with two questions:
>
>
> 1. Is this netblock, or this SP, in any way known for hosting miscreants? (and yes, we’re also working w/ TALOS on this)
> 2. Does anyone here have a method to reach out to the owner of this netblock, which has been tried before and been successful? Our request would be for this activity to stop, or at least, to be able to talk to whoever is sending these probes to try to make them stop. We have seen similar behavior before when universities or individuals attempt Internet-wide scans for “something”, and that something may end up triggering a vulnerability in our devices.
>
> Yes, TAC is advising customers to deploy ACLs to drop connections from this IP address – that still leaves an unknown number of customers open to exploitation: those that have not crashed but will eventually crash when they get their turn.
>
> Thanks in advance for any help you can provide!
>
> Dario
>
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security community. Confidentiality is essential for effective Internet security counter-measures.
> _______________________________________________