
Remove IP #1

Closed
wants to merge 1 commit into from

Conversation

bearded commented Jun 16, 2017

Leonid, please remove the IP from your zone; the IP is not yours and it is causing problems at Leaseweb.

Because of a report from the Spanish company CERTSI, Leaseweb believes this IP is participating in a botnet.

```
We kindly urge you to take appropriate remedial action to ensure that the reported content is removed and/or the reported activity is ceased before the following deadline: [June 16th at 10:10:22 UTC].

Please note that failure to take timely action may, without any further warning, result in an IP block of the reported IP address or a complete suspension and/or termination of your account with LeaseWeb Netherlands B.V.
```

The complaint sent to Leaseweb:

```
Dear Team,

CERTSI has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet.

As you are probably aware, Fast Flux botnets are built upon a network of compromised machines in order to provide better reliability to their evil deeds.
We can only infer that the detected domains are indeed fast flux domains from the DNS resolution. However, finding that its IP address belongs to a fast flux domain is a strong indicator that a given host is compromised (or has been in the past; sometimes the evildoer fails to promptly remove the IP from the fast flux domain).

We recommend you to enquire of the customer whether he recognizes the domain as one they own/provide a service to. In case he doesn't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.

At the bottom of this email you can find the information concerning the hosts under your constituency that have been gathered since our last notification, as well as attached for your convenience.

The file is formatted as follows:

[Timestamp] [IP] [Domain] [Country] [AS]

**Timestamp format is dd/mm/yyyy hh:mm:ss UTC**

As this information is collected from public services, you can share it with other involved entities (like ISPs, CERTs or other companies).

We hope this information regarding the security of your customers/clients is useful to you. In case of further questions, or if you need any help on this issue, please feel free to contact us at <incidencias@certsi.es>.

You can contact us if you detect any fraudulent activity under a .es domain or related to Spanish resources, and we will try to help you solve it.

Thank you.
Best Regards,

1- https://en.wikipedia.org/wiki/Fast_flux

-- 
CERTSI (CERT de Seguridad e Industria) - Spanish Security and Industry Incident Response Team
https://www.certsi.es/

https://www.certsi.es/en/what-is-certsi/pgp-public-keys
------------------------------------------------------------------------------
...
2017-06-15 09:04:37	***CENSORED***	1x1513.com	NL	60781	LEASEWEB-NL LeaseWeb Netherlands B.V.
2017-06-15 08:29:11	***CENSORED***	1x1513.com	NL	60781	LEASEWEB-NL LeaseWeb Netherlands B.V.
2017-06-15 09:04:37	***CENSORED***	1x1513.com	NL	60781	LEASEWEB-NL LeaseWeb Netherlands B.V.
2017-06-15 07:52:33	37.48.115.29	1x1513.com	NL	60781	LEASEWEB-NL LeaseWeb Netherlands B.V.
...
```

darkk (Owner) commented Jun 16, 2017

This IP address is explicitly listed in the registry:

```
$ grep --text 37.48.115.29 dump.csv  | iconv -f cp1251
37.1.200.171 | 37.48.115.29 | 37.48.67.136 | 37.48.87.132 | 46.165.253.164;cazino-cristall.net;http://cazino-cristall.net/;ФНС;2-6-27/    2016-03-29-47-АИ;2016-03-30
```

I also received a similar automated abuse report from the Spanish CERT, forwarded to me by Linode support.

The following reply was enough for support to accept the email as a false positive from the Spanish CERT's automation.

```
It's an ongoing experiment with DNS infrastructure.

1x1513.com domain is included in the blacklist distributed by the Russian Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications[1] to ISPs to block traffic towards this domain.
This domain expired and I registered it a couple of days ago (that can be confirmed through a whois query); it's served from the rnd-zone.darkk.net.ru VM.
Every query to this domain is logged to a pcap file, and the files will be published as soon as the experiment ends.
The experiment tries to understand the risk of routing table overflow happening at IP transit providers, as control over this domain MAY allow injection of /32 routes into RIBs.

This domain points to 2048 random IP addresses from the blacklist (to avoid RIB pollution) and 1 IP address of my own VM to verify whether traffic to that VM is routed differently.

Also, there is no fast-flux technique used: the domain has 2049 A records, but all these records are static.
Configuration files for this domain are published at https://github.com/darkk/where-is-resolver/

[1] https://en.wikipedia.org/wiki/Roscomnadzor
```

The deadline set by LeaseWeb has already passed by two and a half hours.

Could you forward my reply to LeaseWeb support? I expect it will be enough for them.

I would rather not edit the zone, precisely so as not to trigger even more alerts of the "aaaa, the IP addresses are changing after all!" kind, so please pass this information on to LeaseWeb and, if they do not respond positively, attach their reply here for the record, and I will change the zone file to another random IP address from the registry.
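The `grep` in the comment above is a substring (and regex) match: the pattern `37.48.115.29` also matches `137.48.115.29`, every `.` in it matches any character, and it cannot see a subnet entry that covers the address. The script below does the exact lookup a practitioner would want before answering an abuse report. It is an added example for this page, not code from the where-is-resolver repository: the dump layout (cp1251, `;`-separated fields, `|`-separated address list) is assumed from the grep output shown in the thread, the sample dump is constructed (only its first line is the entry quoted above), and the CIDR line is an assumption about entries such a registry may carry.

```python
"""Exact IP lookup in a registry dump, as opposed to a plain grep.

Added example for this page (not code from the where-is-resolver repository).
Assumed layout, taken from the grep output in the thread:

    <ip> | <ip> | ... ;<domain>;<url>;<agency>;<order>;<date>

encoded in cp1251.  Entries written as CIDR networks are an assumption about
what the registry may contain; the parser accepts them so they are not missed.
"""
import ipaddress
from typing import Iterator

# Constructed sample.  Line 1 is the entry quoted in the thread; lines 2-4 are
# made up to show where a substring match goes wrong.
SAMPLE_DUMP = (
    "37.1.200.171 | 37.48.115.29 | 37.48.67.136 | 37.48.87.132 | 46.165.253.164;"
    "cazino-cristall.net;http://cazino-cristall.net/;ФНС;2-6-27/    2016-03-29-47-АИ;2016-03-30\n"
    "137.48.115.29;example-one.test;http://example-one.test/;ФНС;0-0-1/ 2016-01-01-1-АИ;2016-01-02\n"
    "37.48.115.2;example-two.test;http://example-two.test/;ФНС;0-0-2/ 2016-01-01-2-АИ;2016-01-02\n"
    "37.48.115.0/24;example-three.test;;ФНС;0-0-3/ 2016-01-01-3-АИ;2016-01-02\n"
).encode("cp1251")


def parse_registry(raw: bytes) -> Iterator[dict]:
    """Yield one dict per entry; the address field becomes a list of ip_network objects."""
    for lineno, line in enumerate(raw.decode("cp1251").splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(";")
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected 6 ';'-separated fields, got {len(fields)}")
        addr_list, domain, url, agency, order, date = fields[:6]
        networks = [
            ipaddress.ip_network(tok.strip(), strict=False)  # "1.2.3.4" becomes 1.2.3.4/32
            for tok in addr_list.split("|")
            if tok.strip()
        ]
        yield {
            "line": lineno, "networks": networks, "domain": domain, "url": url,
            "agency": agency, "order": order, "date": date,
        }


def entries_for_ip(raw: bytes, ip: str) -> list:
    """Entries whose address list contains `ip` exactly, including via a covering subnet."""
    addr = ipaddress.ip_address(ip)
    return [e for e in parse_registry(raw) if any(addr in net for net in e["networks"])]


def substring_matches(raw: bytes, ip: str) -> list:
    """Line numbers a plain `grep <ip>` would report (substring part only; grep's
    regex '.' wildcard makes it even looser)."""
    return [n for n, line in enumerate(raw.decode("cp1251").splitlines(), 1) if ip in line]


if __name__ == "__main__":
    ip = "37.48.115.29"
    print("grep-style lines:", substring_matches(SAMPLE_DUMP, ip))  # [1, 2]
    for e in entries_for_ip(SAMPLE_DUMP, ip):  # lines 1 and 4
        print(f"line {e['line']}: {e['domain']} ({e['agency']}, {e['date']})")
```

On the constructed sample the substring match reports line 2 (a different address that merely contains the digits) and misses line 4 (a subnet that covers the address), while the field-level lookup reports lines 1 and 4. The same distinction matters when answering the abuse report: the claim "this IP is in the registry" should rest on an exact match, not on a grep hit.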

darkk (Owner) commented Jun 16, 2017

@bearded Has LeaseWeb replied?

bearded (Author) commented Jun 17, 2017

I wrote to them this morning; no reply yet, and by the look of it they are unlikely to answer.
I described the situation to them before I found this experiment and marked the complaint as false; they did not reply to that, but they did not shut down the server either.

No need to remove the IP; we decided to replace this server.

bearded closed this Jun 17, 2017