Mailing List Archive

Compromised modems in Thai IP Space
Hello folks,

Before you shoot me with 'wrong mailing list' replies, believe me, I
tried: THNOG is dead, APNIC ain't responding either, and the ISPs over
there don't seem to care much. And I've been looking at this situation for
over 2 years now since the first incident. I simply hope that with the
contacts you folks have due to your professions, you might be able to help.

So, I came across this botnet which decided to pick my IRC network as
its control center, and I have been digging into them. It turns out that in
Thailand, people can easily get cloned modems in order to get internet for
'free'; it simply boils down to MAC cloning, so let me spare you the
details. The problem is that these modems also carry a digital STD in the
form of additional botnet code, allowing the controllers to do, well,
botnet stuff.

I disabled their ability to control by G-lining everything on join to the
control channel, and since I am the maintainer of DroneBL, adding them to the
blacklist. I've been doing that for 2+ years now. The amount of removal requests
because people are no longer able to play on cncnet is amazing.

My question here kinda is: how to permanently get rid of this evil in an
effective way, and who to contact? (Yes, I tried to get through to the NOCs
of the affected providers.) Or could perhaps someone be so nice as to use one
of their contacts in Thailand to speed things up?

Kind regards,

Alexander Maassen
Maintainer DroneBL
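An added example, not code from the post above and not DroneBL's or any ircd's own code, showing the kind of server-side trap described: every client joining the botnet's control channel is G-lined and its address collected for blacklist submission. The channel name, the log line format, the G-line syntax and the oper nick list are assumptions made for this illustration; the only real identifier used is DroneBL's public DNSBL zone dnsbl.dronebl.org, and only to build a query name.

```python
"""Added example, not code from the original post or from DroneBL: a
server-side trap that G-lines every client joining a botnet control
channel and collects the address for blacklist submission. Channel name,
log format, G-line syntax and oper nicks are assumptions for illustration."""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed botnet control channel (hypothetical name).
CONTROL_CHANNELS = {"#ctrl-bots"}

# Assumed server log format (constructed): JOIN nick!user@host <ip> <#channel>
JOIN_RE = re.compile(r"^JOIN\s+(?P<mask>\S+)\s+(?P<ip>\S+)\s+(?P<chan>#\S+)$")

# Never blacklist RFC 1918 or loopback space; the clients of interest are public.
EXEMPT_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log lines (203.0.113.0/24 is documentation space).
SAMPLE_LOG = [
    "JOIN bot1!x@203.0.113.7 203.0.113.7 #ctrl-bots",
    "JOIN opernick!oper@198.51.100.2 198.51.100.2 #ctrl-bots",
    "JOIN player!u@192.0.2.44 192.0.2.44 #cncnet",
    "JOIN bot2!x@10.0.0.5 10.0.0.5 #ctrl-bots",
    "JOIN bot3!x@203.0.113.9 203.0.113.9 #CTRL-BOTS",
    "PRIVMSG bot1 :not a join",
]


@dataclass
class Trap:
    opers: set                      # nicks allowed into the channel (assumed)
    gline_seconds: int = 30 * 86400
    glines: list = field(default_factory=list)
    blacklist: set = field(default_factory=set)

    def handle(self, line):
        """Return the G-line command issued for this line, or None."""
        m = JOIN_RE.match(line.strip())
        if not m or m.group("chan").lower() not in CONTROL_CHANNELS:
            return None
        nick = m.group("mask").split("!", 1)[0]
        if nick in self.opers:          # operators inspecting the channel stay
            return None
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            return None
        if any(addr in net for net in EXEMPT_NETS):
            return None
        # ircd-style ban on every user at that address (syntax assumed).
        cmd = f"GLINE *@{addr} {self.gline_seconds} :botnet control channel join"
        self.glines.append(cmd)
        self.blacklist.add(str(addr))
        return cmd


def dronebl_query_name(ip):
    """Query name for a DroneBL lookup: reversed octets under dnsbl.dronebl.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".dnsbl.dronebl.org"


def run(lines=SAMPLE_LOG, opers=("opernick",)):
    """Feed every log line through the trap and return it for inspection."""
    trap = Trap(opers=set(opers))
    for line in lines:
        trap.handle(line)
    return trap


if __name__ == "__main__":
    t = run()
    print("\n".join(t.glines))
    for ip in sorted(t.blacklist):
        print(ip, "->", dronebl_query_name(ip))
```

The oper exemption and the private-range filter are the two checks worth keeping in any real version of this: without them the trap bans whoever comes to look at the channel, and a NAT'd or spoofed local address ends up on a public blacklist.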
Re: Compromised modems in Thai IP Space [ In reply to ]
I don't know what you tried in APNIC; my experience is that they usually respond very quickly.

Have you tried the abuse contacts of the ISP?

If they fail, have you tried to escalate to escalation-abuse@apnic.net, following our abuse-mailbox proposal (https://www.apnic.net/wp-content/uploads/2018/08/prop-125-v001.txt), which was adopted a long time ago?

You could also try the APNIC Talk mailing list.

Regards,
Jordi
@jordipalet



On 11/8/20 15:10, "NANOG on behalf of Alexander Maassen" <nanog-bounces+jordi.palet=consulintel.es@nanog.org on behalf of outsider@scarynet.org> wrote:
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

Re: Compromised modems in Thai IP Space [ In reply to ]
On Tue, Aug 11, 2020 at 9:31 AM JORDI PALET MARTINEZ via NANOG
<nanog@nanog.org> wrote:
>
> I don't know what you tried in APNIC, my experience is that they are usually responding very quickly.
>
> Have you tried the abuse contacts of the ISP?
>

For the Thai ISP space you might also get some traction just talking
to the Thai CERT org.
https://www.thaicert.or.th/about-en.html

perhaps even this path:
https://www.thaicert.or.th/report-en.html

> If they fail, have you tried to escalate to escalation-abuse@apnic.net, following our abuse-mailbox proposal (https://www.apnic.net/wp-content/uploads/2018/08/prop-125-v001.txt), which was adopted long time ago?
>
> You could also try the APNIC Talk mailing list.
>
> Regards,
> Jordi
> @jordipalet
Re: Compromised modems in Thai IP Space [ In reply to ]
Alexander Maassen wrote:

> It turns out that in
> Thailand, people can easily get cloned modems in order to internet for
> 'free',

I think you failed to explain that, in Thailand, wiretapping is
commonly performed by people illegally obtaining free Internet access,
against which MAC addresses are used, in vain, to identify true users.

> it simply boils down to mac cloning,

Of course.

> My question here kinda is, how to permanently get rid of this evil in an
> effective way,

Let access ISPs use TDR (Time Domain Reflectometry) to detect
wiretapping, which requires periodic monitoring, which costs.

Or, though less elegantly, password protection by something like
PPPoE may work, which requires initial cost to change equipment.

Anyway, preventing free riding should increase revenue of the ISPs.

> and who to contact?

ISPs who want to protect paying customers (maybe, partly from your
blacklisting).

> (yes, I tried to get through to NOC's
> of the affected providers),

ISPs can do nothing, unless they know how to prevent free riding by
wiretapping without harming paying customers.

Masataka Ohta
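An added example, not from the reply above and not any ISP's own tooling, of the one check an access provider can run from its own lease data before spending on TDR or PPPoE: a MAC address that holds leases on two different physical access ports at overlapping times cannot be a single modem, so it is either cloned or being impersonated. The lease record layout and the port names are constructed for this illustration.

```python
"""Added example, not from the thread: flag MAC addresses that hold
leases on more than one physical access port at overlapping times,
which is what a cloned modem looks like from the access network side.
Record layout and port identifiers are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lease records: (mac, access_port, lease_start_iso, lease_seconds)
SAMPLE_LEASES = [
    ("00:11:22:33:44:55", "olt1/pon3/ont12", "2020-08-11T10:00:00", 3600),
    ("00-11-22-33-44-55", "olt4/pon1/ont07", "2020-08-11T10:20:00", 3600),  # same MAC, other port, overlapping
    ("66:77:88:99:aa:bb", "olt2/pon2/ont03", "2020-08-11T10:05:00", 3600),
    ("66:77:88:99:aa:bb", "olt2/pon2/ont03", "2020-08-11T11:10:00", 3600),  # renewal on the same port
    ("cc:dd:ee:ff:00:11", "olt3/pon1/ont01", "2020-08-11T09:00:00", 3600),
    ("CC:DD:EE:FF:00:11", "olt5/pon2/ont09", "2020-08-11T13:00:00", 3600),  # moved later, no overlap
]


def normalize_mac(mac):
    """Canonical lower-case colon form so 00-11-.. and 00:11:.. compare equal."""
    return mac.strip().lower().replace("-", ":")


def find_cloned_macs(leases):
    """Return {mac: sorted ports} for every MAC leased on two ports at once."""
    by_mac = defaultdict(list)
    for mac, port, start, secs in leases:
        s = datetime.fromisoformat(start)
        by_mac[normalize_mac(mac)].append((port, s, s + timedelta(seconds=secs)))

    findings = {}
    for mac, entries in by_mac.items():
        entries.sort(key=lambda e: e[1])          # by lease start
        for i in range(len(entries)):
            port_i, start_i, end_i = entries[i]
            for j in range(i + 1, len(entries)):
                port_j, start_j, _ = entries[j]
                if start_j >= end_i:              # later leases cannot overlap this one
                    break
                if port_j != port_i:              # same MAC, two physical ports, same time
                    findings.setdefault(mac, set()).update({port_i, port_j})
    return {mac: sorted(ports) for mac, ports in findings.items()}


if __name__ == "__main__":
    for mac, ports in find_cloned_macs(SAMPLE_LEASES).items():
        print(mac, "seen concurrently on", ", ".join(ports))
```

The overlap test is on lease windows, not on individual DHCP packets, so a legitimate customer who moves house and re-appears on another port after the old lease expired is not flagged; a renewal on the same port is ignored as well. Which of the two ports is the paying customer cannot be told from this data alone, which is exactly why the reply above says MAC-based identification is used in vain.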