From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Question regarding AS205092 and AS210180
Date: Tue, 27 Nov 2018 10:12:50 +0000
In-Reply-To: <58a82937-3d3e-8253-76e5-3dd4d51c55db@link38.eu>

Hey,

On Sun, 2018-11-25 at 21:20 +0100, Peter Müller wrote:
> Hello,
>
> at some point since late summer this year, I observe an unusually high amount
> of attacks (mainly SSH brute force) against several systems I own or
> administer.
>
> Origin of these are AS205092 (OUTSOURCE GRID LIMITED) and AS210180
> (PRISM BUSINESS SERVICES LTD). Both own just a single /24 IPv4 range each,
> and are connected to just one (little known) peer.
>
> AS205092 claims to be located in GB, and its postal address points to
> a dilapidated building somewhere in West Midlands (116 Bloomfield Road,
> Tipton, DY4 9ES).
> Only some of the assigned IPv4 addresses were conspicuous by attacks,
> and are mostly listed at Spamhaus XBL, too. The full range is
> 185.222.211.0/24.
>
> AS210180 has set VE (Venezuela) as geographic location, which also matches
> the postal address. However, its full appearance leaves doubts whether
> this is correct or not - a website mentioned in the RIR object claims
> an offshore location as office address, with telephone number in US.
> Its IPv4 range (185.222.210.0/24) is also listed as prefix for AS49877
> (RM Engineering LLC).
>
> Both AS claim to provide hosting services, and look highly suspicious
> (bad upstream connectivity, dubious contact/postal addresses, similar
> BGP setup). While it is not mentioned anywhere they are just another
> two rogue ISPs, they would perfectly fit the bill.
>
> Is anybody observing attacks from these too or is in possession of further
> details (exact location, purpose, history, connection between AS210180
> and AS49877)?

No, I did not observe anything although I am usually not paying too much
attention to these things :)

-Michael

>
> Please drop me a line. :-)
>
> Thank you, and best regards,
> Peter Müller