nanog mailing list archives

Re: Paging Unified Layer/AS46606 in re: NET-162-240-0-0-1 (162.240.0.0/15)


From: Mike Hammett via NANOG <nanog () lists nanog org>
Date: Thu, 4 Sep 2025 08:44:36 -0500 (CDT)

Until it isn't.



----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 


----- Original Message -----
From: "Josh Luthman" <josh () imaginenetworksllc com>
To: "North American Network Operators Group" <nanog () lists nanog org>
Cc: "Mike Hammett" <nanog () ics-il net>
Sent: Thursday, September 4, 2025 8:43:37 AM
Subject: Re: Paging Unified Layer/AS46606 in re: NET-162-240-0-0-1 (162.240.0.0/15)


Why bother putting out the small fire? It's only a small fire. 


On Thu, Sep 4, 2025 at 9:40 AM Mike Hammett via NANOG < nanog () lists nanog org > wrote: 


and yet just being okay with background radiation only encourages the background radiation to no longer just lurk in 
the background. 



----- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 


----- Original Message ----- 
From: "nanog--- via NANOG" < nanog () lists nanog org > 
To: "North American Network Operators Group" < nanog () lists nanog org > 
Cc: nanog () immibis com 
Sent: Thursday, September 4, 2025 3:05:55 AM 
Subject: Re: Paging Unified Layer/AS46606 in re: NET-162-240-0-0-1 ( 162.240.0.0/15 ) 

Who even bothers to complain about internet background radiation? Unless you're seeing a high volume or you know you 
have weak passwords... Otherwise there are plenty of machines out there searching for default SSH passwords. Just 
ignore them if they don't affect you. 

Many people configure SSH to run on a non-default port number to cut down on background noise. Or you can filter IPs as 
already suggested. Or you can know that you're using a strong authentication method and you're patched for 
CVE-2024-6387/6409, and leave it be. 

Please note that reporting abuse for non-incidents is itself an attack. There was an attack last year where someone 
sent spoofed port 22 SYN packets from IP addresses of Tor relays, resulting in a flood of trigger-happy "security" 
companies writing abuse emails to hosts of Tor relays who weren't involved, risking taking down large parts of the Tor 
network. 



On 4 September 2025 03:16:17 CEST, Rich Kulawiec via NANOG < nanog () lists nanog org > wrote: 
Who puts a quota on an abuse mailbox...and then allows that quota to 
be reached? 

Date: Tue, 2 Sep 2025 12:38:24 +0000 

Delivery has failed to these recipients or groups: 

abuse () bluehost com <mailto: abuse () bluehost com > 
The recipient's mailbox is full and can't accept messages now. Please try 
resending your message later, or contact the recipient directly. 

I've got nothin': my usual string of exasperated profanities has failed me. 

Anyway, y'all have attackers using various VPS instances on your network 
to conduct coordinated brute-force ssh attacks, and you should make that 
stop yesterday. 

Details? Logs? Yes, yes, I know, I did try to send them to you -- but 
see the above for the explanation covering why you didn't receive them. 

Also: for the love of dog, fix this nonsense. 

---rsk 
_______________________________________________ 
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/6CFCYFIP5FHUL4PBZQNOUV2SW6DNK44U/ 
_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/RQS3GC62R2VMDBG74NUUNN3SQVBXMIYD/
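
The thread's point about spoofed port 22 SYN packets triggering abuse emails suggests a check before reporting, shown here as an added example that is not part of the original thread: count only sources for which sshd logged an authentication failure, since that requires a completed TCP handshake and cannot be produced by a blindly spoofed SYN. The log lines are constructed samples using documentation address ranges, and the `SSH-SYN:` firewall log prefix, the function name and the threshold of 3 are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (documentation address ranges), not real logs.
# Firewall lines are a simplified iptables LOG format with an assumed prefix.
SAMPLE_LOG = """\
Sep  2 12:30:01 gw kernel: SSH-SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22 SYN
Sep  2 12:30:01 gw kernel: SSH-SYN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=22 SYN
Sep  2 12:30:02 gw kernel: SSH-SYN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=51514 DPT=22 SYN
Sep  2 12:30:03 gw sshd[811]: Failed password for invalid user admin from 203.0.113.9 port 51514 ssh2
Sep  2 12:30:05 gw sshd[812]: Failed password for root from 203.0.113.9 port 51520 ssh2
Sep  2 12:30:09 gw sshd[813]: Failed password for root from 203.0.113.9 port 51533 ssh2
Sep  2 12:31:00 gw sshd[820]: Failed password for root from 203.0.113.44 port 40100 ssh2
"""

# A bare SYN to port 22: the source address may be forged.
SYN_RE = re.compile(r"\bSRC=(\S+) .*\bDPT=22\b.*\bSYN\b")
# An sshd auth failure: the peer completed the handshake and spoke SSH.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def classify_sources(log_text, min_failures=3):
    """Map each source IP to 'reportable', 'below-threshold' or 'syn-only'."""
    syn, auth = Counter(), Counter()
    for line in log_text.splitlines():
        if (m := AUTH_RE.search(line)):
            auth[m.group(1)] += 1
        elif (m := SYN_RE.search(line)):
            syn[m.group(1)] += 1

    result = {}
    for ip in syn.keys() | auth.keys():
        if auth[ip] >= min_failures:
            result[ip] = "reportable"        # handshake-confirmed and repeated
        elif auth[ip] > 0:
            result[ip] = "below-threshold"   # confirmed, but too few to report
        else:
            result[ip] = "syn-only"          # possibly spoofed: not evidence
    return result


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```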

