From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Question regarding AS205092 and AS210180
Date: Tue, 27 Nov 2018 10:12:50 +0000
Message-ID: <cca702761cdf2ede3660612ec3e7dd5869fbba72.camel@ipfire.org>
In-Reply-To: <58a82937-3d3e-8253-76e5-3dd4d51c55db@link38.eu>
Hey,
On Sun, 2018-11-25 at 21:20 +0100, Peter Müller wrote:
> Hello,
>
> At some point since late summer this year, I observe an unusually high amount
> of attacks (mainly SSH brute force) against several systems I own or
> administer.
>
> Origin of these are AS205092 (OUTSOURCE GRID LIMITED) and AS210180
> (PRISM BUSINESS SERVICES LTD). Both own just a single /24 IPv4 range each,
> and are connected to just one (little known) peer.
>
> AS205092 claims to be located in GB, and its postal address points to
> a dilapidated building somewhere in West Midlands (116 Bloomfield Road,
> Tipton, DY4 9ES).
> Only some of the assigned IPv4 addresses were conspicuous by attacks,
> and are mostly listed at Spamhaus XBL, too. The full range is 185.222.211.0/24.
>
> AS210180 has set VE (Venezuela) as geographic location, which also matches
> the postal address. However, its full appearance leaves doubts whether
> this is correct or not - a website mentioned in the RIR object claims
> an offshore location as office address, with telephone number in US.
> Its IPv4 range (185.222.210.0/24) is also listed as prefix for AS49877
> (RM Engineering LLC).
>
> Both AS claim to provide hosting services, and look highly suspicious
> (bad upstream connectivity, dubious contact/postal addresses, similar
> BGP setup). While it is not mentioned anywhere they are just another
> two rogue ISPs, they would perfectly fit the bill.
>
> Is anybody observing attacks from these too or is in possession of further
> details (exact location, purpose, history, connection between AS210180
> and AS49877)?
No, I did not observe anything although I am usually not paying too much
attention to these things :)
-Michael
>
> Please drop me a line. :-)
>
> Thank you, and best regards,
> Peter Müller