
Attacks from poneytelecom.eu

Depends on what "legitimate" means.

We have a decent amount of traffic to the network (like 2Gbps sustained in any afternoon). It's typically a mix of 
bittorrent, tor-relay traffic, ftp-transfers and of course the expected scanners, malware-hosts, ddos-bots and such.

For me Poney/Illiad/Online.net/Scaleway has always been a bulletproof hoster (or bulletproof transit even), the response 
to abuse has always been NIL. I know tons of my customers just block out their whole ip-ranges in their SIP-servers and 
email-machines to lessen the white-noise.

However - judging from the Online.net website it at least seems that they are trying to up their game and look like 
something that would be attractive to a legitimate business to consider. On the other hand, looking at 
http://as12876.net/  it looks more like something that would rather fit as a place where I put the shady stuff, so not 
sure where on the map they fall these days.

> AS12876 is online.net... home of the €2.99 physical server, perfect for all of your favorite illegitimate activity. I'm curious how much traffic originates from that ASN that is actually legitimate... probably close to none.
> Sent from my iPhone
>> On Jan 3, 2018, at 1:35 AM, Troy Mursch <troy at wolvtech.com> wrote:
>> Dovid,
>> Back in September, I documented my poor experience with AS12876 here:
>> https://badpackets.net/ongoing-large-scale-sip-attack-campaign-coming-from-online-sas-as12876/
>> Since then, their handling of abuse notifications (or lack thereof) has
>> largely remained the same. The volume of malicious traffic from their
>> network hasn't decreased either.
>> As you noted, others have reported similar issues with AS12876, including
>> my associate Dr. Neal Krawetz:
>> https://twitter.com/hackerfactor/status/932593355648667649. I've also compiled a list of
>> complaints regarding AS12876 in this thread:
>> https://twitter.com/bad_packets/status/937220987371732992
>> Thanks,
>> __
>> *Troy Mursch*
>> @bad_packets <https://twitter.com/bad_packets>
>>> On Tue, Jan 2, 2018 at 6:51 PM, Dovid Bender <dovid at telecurve.com> wrote:
>>> Hi All,
>>> Lately we have seen a lot of attacks from IPs where the PTR record ends in
>>> poneytelecom.eu to PBX systems. A quick search on twitter (
>>> https://twitter.com/hashtag/poneytelecom) shows multiple people complaining
>>> that they reported the IPs yet nothing happens. Has anyone had the
>>> pleasure of dealing with them and have you gotten anywhere? I wonder if the
>>> only option is public shaming.
>>> I would rather not ban their AS as it may hurt legit traffic but I am out
>>> of ideas at this point....
>>> TIA.
>>> Dovid