[nsp-sec] Cisco customers experiencing grief from 212.73.150.63
Damian Menscher
damian at google.com
Fri Sep 20 01:44:24 EDT 2019
vpsag/redcluster appears to be a reseller of belcloud.net (AS44901). If
this is truly urgent it may be worth contacting them:
https://bgp.he.net/AS44901#_whois
Damian
On Thu, Sep 19, 2019 at 10:31 PM Hank Nussbacher <hank at efes.iucc.ac.il> wrote:
> ----------- nsp-security Confidential --------
>
> On 20/09/2019 06:27, Dario Ciccarone (dciccaro) wrote:
>
> From:
>
> https://marketersmedia.com/redcluster-acquires-leading-cloud-computing-company-vpsag/430585
>
> "All press enquiries should be directed to Cristian Ionescu at
> +357.960.768.77 or via email at admin at redcluster.org. Postal queries can
> be sent to Flat 102, Patron 6, Larnaca, 6051, Cyprus. "
>
> -Hank
>
> > ----------- nsp-security Confidential --------
> >
> > We have already, multiple times - no answer.
> >
> > We plan to continue nagging them - but based on the data collected so
> > far, I think it unlikely they're blind to the kind of activity that is
> > going on within their network space. I would instead think they're very
> > much aware of it, and may even be participants or partners on it.
> >
> >
> > On 9/19/19, 8:09 PM, "Tim April" <tapril at people.ops-trust.net> wrote:
> >
> > Long short, has anyone tried the abuse contact in whois to see if
> > they can take a look at the machine?
> >
> > > % Abuse contact for '212.73.150.0 - 212.73.150.255' is 'abuse at vpsag.com'
> >
> > --tim
> >
> > On 19 Sep 2019, at 14:17, Smith, Donald wrote:
> >
> > > ----------- nsp-security Confidential --------
> > >
> > > How much of this can be shared?
> > >
> > > upstreams might be willing to look at this and perhaps block it?
> > >
> > > $ whois -h upstream-whois.cymru.com 212.73.150.63
> > > PEER_AS | IP | AS Name
> > > 174 | 212.73.150.63 | COGENT-174 - Cogent Communications, US
> > > 2914 | 212.73.150.63 | NTT-COMMUNICATIONS-2914 - NTT America, Inc., US
> > > 3356 | 212.73.150.63 | LEVEL3 - Level 3 Parent, LLC, US
> > > 6939 | 212.73.150.63 | HURRICANE - Hurricane Electric LLC, US
> > >
> > >
> > > Traceroute goes through cogentco.
> > > 13 189 ms 304 ms 306 ms be2182.ccr41.ams03.atlas.cogentco.com [154.54.77.245]
> > > 14 203 ms 306 ms 308 ms be2813.ccr41.fra03.atlas.cogentco.com [130.117.0.122]
> > > 15 206 ms 305 ms 306 ms be2959.ccr21.muc03.atlas.cogentco.com [154.54.36.54]
> > > 16 468 ms 306 ms 307 ms be2974.ccr51.vie01.atlas.cogentco.com [154.54.58.6]
> > > 17 477 ms 307 ms 306 ms be3420.ccr51.beg03.atlas.cogentco.com [130.117.0.70]
> > > 18 380 ms 334 ms 279 ms be3421.ccr31.sof02.atlas.cogentco.com [130.117.0.93]
> > > 19 456 ms 306 ms 307 ms 149.6.69.178
> > > 20 347 ms 173 ms 338 ms v70461.vps-ag.com [212.73.150.63]
> > >
> > >
> > > We also use ASAs. If it is ok to share I can ask our MSS guys if
> > > they're seeing this too.
> > > Could also run a netflow report to see if they're hitting our
> > > customers.
> > >
> > >
> > > if (initial_ttl!=255) then (rfc5082_compliant==0)
> > > Donald.Smith at centurylink.com
> > >
> > > ________________________________________
> > > From: nsp-security [nsp-security-bounces at puck.nether.net] on
> > > behalf of Dario Ciccarone (dciccaro) [dciccaro at cisco.com]
> > > Sent: Thursday, September 19, 2019 3:06 PM
> > > To: Barry Greene
> > > Cc: White, Gerard; Nsp-Security List
> > > Subject: Re: [nsp-sec] Cisco customers experiencing grief from
> > > 212.73.150.63
> > >
> > > ----------- nsp-security Confidential --------
> > >
> > > Thanks for the suggestion, Barry !
> > >
> > > That would seem indeed to be an option. At this point in time, we
> > > still hope this to be all a big misunderstanding, and somehow being able to
> > > convince whoever is doing it to stop, if we ask them kindly.
> > >
> > > But if it doesn't work and the trend of crashed ASAs continues or
> > > worsens . . .
> > >
> > > Thanks,
> > > Dario
> > >
> > > On 9/19/19, 4:39 PM, "Barry Greene" <bgreene at senki.org> wrote:
> > >
> > >
> > > What if we did an ask to selectively Black Hole 212.73.150.63?
> > >
> > >
> > > > On Sep 19, 2019, at 1:32 PM, Dario Ciccarone (dciccaro) <dciccaro at cisco.com> wrote:
> > > >
> > > > ----------- nsp-security Confidential --------
> > > >
> > > > Gerard:
> > > >
> > > > Thanks for getting back to me on this !
> > > >
> > > > And thanks for sharing this information - we appreciate
> > > > the confirmation this activity cannot be considered "benign" or "well
> > > > intentioned"
> > > >
> > > > We will continue with our attempts to somehow establish a
> > > > communication channel with this SP, and hopefully get to the bottom of this.
> > > >
> > > > Thanks again,
> > > > Dario
> > > >
> > > >
> > > >
> > > > On 9/19/19, 4:05 PM, "White, Gerard" <gerard.white at bellaliant.ca> wrote:
> > > >
> > > > Greetings.
> > > >
> > > > Definitely not port scanning, this /32 is doing
> > > > "selective" hits... appears to be operating on a specific "list" of
> > > > targets. Makes 2 attempts per target using 2 sequential TCP sockets.
> > > >
> > > > GW
> > > >
> > > > -----Original Message-----
> > > > From: nsp-security <nsp-security-bounces at puck.nether.net>
> > > > On Behalf Of Dario Ciccarone (dciccaro)
> > > > Sent: September-19-19 2:08 PM
> > > > To: nsp-security at puck.nether.net
> > > > Subject: [EXT][nsp-sec] Cisco customers experiencing
> > > > grief from 212.73.150.63
> > > >
> > > > ----------- nsp-security Confidential --------
> > > >
> > > > Folks:
> > > >
> > > > As the subject says – some of our
> > > > customers are having a hard time of it thanks to 212.73.150.63. This IP
> > > > address is connecting to our customers’ ASA devices on port 443/tcp, and
> > > > triggering CSCvi16029 – which was released as part of a Cisco Security
> > > > Advisory back in 2018 -
> > > > https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
> > > >
> > > > We have seen a significant spike in
> > > > crashes in the last two weeks, and TAC has been able to track those down to
> > > > connections from this IP address. The vulnerability characteristics are
> > > > such that we can rule out these crashes being triggered “by accident” – we
> > > > are pretty sure these connections are either attempts to find Cisco ASA
> > > > devices affected by this vulnerability, OR attempts to exploit a similar
> > > > vulnerability in someone else’s device. But they’re certainly not benign.
> > > >
> > > > We have contacted the abuse contact
> > > > listed in WHOIS ('abuse at vpsag.com') but we have NOT YET received an
> > > > answer to our contact attempts. I’m hence reaching out to the nsp-sec
> > > > constituency with two questions :
> > > >
> > > >
> > > > 1. Is this netblock, or this SP, in any way known for
> > > > hosting miscreants ? (and yes, we’re also working w/ TALOS on this)
> > > > 2. Does anyone here have a method to reach out to the
> > > > owner of this netblock, which has been tried before and been successful ?
> > > > Our request would be for this activity to stop, or at least, being able to
> > > > talk to whoever is sending these probes to try to make them stop. We have
> > > > seen before similar behavior when universities or individuals attempt
> > > > Internet-wide scans for “something”, and that something may end up triggering
> > > > a vulnerability in our devices.
> > > >
> > > > Yes, TAC is indicating customers to deploy ACLs to drop
> > > > connections from this IP address – that still leaves an unknown number of
> > > > customers open to exploitation: those that have not crashed but will
> > > > eventually crash when they get their turn.
> > > >
> > > > Thanks in advance for any help you can provide !
> > > >
> > > > Dario
> > > >
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > nsp-security mailing list
> > > > nsp-security at puck.nether.net
> > > > https://puck.nether.net/mailman/listinfo/nsp-security
> > > >
> > > > Please do not Forward, CC, or BCC this E-mail outside of
> > > > the nsp-security community. Confidentiality is essential for effective
> > > > Internet security counter-measures.
> > > > _______________________________________________
>
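The upstream-whois table and traceroute that Donald Smith pasted in the thread are the raw material for a defender's next step: working out which transit network actually carries the abusive traffic and in what order to approach upstreams about filtering. The following Python is an added example, not code from the thread or from any of the organisations named in it. The two sample texts are copied from the thread; the `SUFFIX_TO_ASN` table mapping Cogent's reverse-DNS suffix to AS174 is our own assumption, and the parser generalises beyond the pasted lines by also accepting `*` timeouts and unresolved hops.

```python
"""Added triage helper (not from the thread): turn the Team Cymru
upstream-whois output and the traceroute pasted in the thread into a
structured view of who carries traffic for the abusive IP, so a defender
knows which networks to ask for filtering. Sample text is copied from the
thread; the suffix-to-ASN table is an assumption we add."""
import re
from dataclasses import dataclass
from typing import Optional

# Copied from the thread: `whois -h upstream-whois.cymru.com 212.73.150.63`
CYMRU_UPSTREAM_OUTPUT = """\
PEER_AS | IP | AS Name
174 | 212.73.150.63 | COGENT-174 - Cogent Communications, US
2914 | 212.73.150.63 | NTT-COMMUNICATIONS-2914 - NTT America, Inc., US
3356 | 212.73.150.63 | LEVEL3 - Level 3 Parent, LLC, US
6939 | 212.73.150.63 | HURRICANE - Hurricane Electric LLC, US
"""

# Copied from the thread (tracert-style lines, hops 13 to 20).
TRACEROUTE_OUTPUT = """\
13 189 ms 304 ms 306 ms be2182.ccr41.ams03.atlas.cogentco.com [154.54.77.245]
14 203 ms 306 ms 308 ms be2813.ccr41.fra03.atlas.cogentco.com [130.117.0.122]
15 206 ms 305 ms 306 ms be2959.ccr21.muc03.atlas.cogentco.com [154.54.36.54]
16 468 ms 306 ms 307 ms be2974.ccr51.vie01.atlas.cogentco.com [154.54.58.6]
17 477 ms 307 ms 306 ms be3420.ccr51.beg03.atlas.cogentco.com [130.117.0.70]
18 380 ms 334 ms 279 ms be3421.ccr31.sof02.atlas.cogentco.com [130.117.0.93]
19 456 ms 306 ms 307 ms 149.6.69.178
20 347 ms 173 ms 338 ms v70461.vps-ag.com [212.73.150.63]
"""

# Assumption we add: a transit provider's reverse-DNS suffix mapped to the
# ASN it appears under in the Cymru output (Cogent is listed as AS174).
SUFFIX_TO_ASN = {"cogentco.com": 174}


@dataclass(frozen=True)
class Upstream:
    asn: int
    ip: str
    name: str


@dataclass(frozen=True)
class Hop:
    number: int
    rtts_ms: tuple  # None entries mark '*' timeouts
    host: str
    ip: str


HOP_RE = re.compile(
    r"^\s*(?P<n>\d+)\s+"
    r"(?P<rtts>(?:(?:\d+ ms|\*)\s+)+)"
    r"(?P<host>\S+)"
    r"(?:\s+\[(?P<ip>[\d.]+)\])?\s*$"
)


def parse_cymru_upstreams(text: str) -> list:
    """Parse the pipe-separated 'PEER_AS | IP | AS Name' table."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("PEER_AS"):
            continue
        asn, ip, name = (f.strip() for f in line.split("|", 2))
        out.append(Upstream(int(asn), ip, name))
    return out


def parse_traceroute(text: str) -> list:
    """Parse tracert-style hop lines; unresolved hops carry the bare IP."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # skip banners and 'Request timed out' lines
        rtts = tuple(None if tok == "*" else int(tok)
                     for tok in re.findall(r"\d+(?= ms)|\*", m["rtts"]))
        host = m["host"]
        hops.append(Hop(int(m["n"]), rtts, host, m["ip"] or host))
    return hops


def observed_transit_asn(hops: list) -> Optional[int]:
    """ASN of the last recognised transit hop before the destination."""
    for hop in reversed(hops[:-1]):
        for suffix, asn in SUFFIX_TO_ASN.items():
            if hop.host.endswith("." + suffix):
                return asn
    return None


def contact_order(upstreams: list, hops: list) -> list:
    """Upstream ASNs to approach, the one seen on the measured path first."""
    on_path = observed_transit_asn(hops)
    ordered = sorted(upstreams, key=lambda u: (u.asn != on_path, u.asn))
    return [u.asn for u in ordered]


def destination(hops: list) -> Hop:
    """Final hop: the host the probes come from, with its reverse DNS."""
    return hops[-1]


if __name__ == "__main__":
    ups = parse_cymru_upstreams(CYMRU_UPSTREAM_OUTPUT)
    tr = parse_traceroute(TRACEROUTE_OUTPUT)
    print("source host:", destination(tr).host, destination(tr).ip)
    print("transit ASN seen on path:", observed_transit_asn(tr))
    print("upstreams to contact, in order:", contact_order(ups, tr))
```

The point of ordering by the measured path is that only one of the four upstreams listed by Cymru is actually carrying this particular traffic to the measuring vantage point; a blackhole or filtering request is more likely to be actionable there, while the other three remain fallbacks. The reverse DNS of the final hop (`v70461.vps-ag.com`) is also the quickest corroboration that the source is a VPS at the hoster the thread names.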