Compromized modems in Thai IP Space

Mailman List Mirror (Read Only)
1

Hello folks,

Before you shoot me with 'wrong mailing list' replies, believe me, I
tried, THNOG is dead, APNIC ain't responding either and the ISP's over
there don't seem to care much. And I've been looking at this situation for
over 2 years now since first incident. I simply hope that with the
contacts you folks have due to your professions to be able to help.

So, I came across this botnet which decided to pick my IRC network as
control center, and I have been digging into them. It turns out that in
Thailand, people can easily get cloned modems in order to internet for
'free', it simply boils down to mac cloning, so let me spare you the
details. The problem is that these modems also carry a digital STD in the
form of additional botnet code, allowing the controllers to do, well,
botnet stuff.

I disabled their ability to control by glining everything on join to the
control channel, and since I am maintainer of DroneBL, add them to the
blacklist. Doing that for 2+ years now. The amount of removal requests
because people no longer are able to play on cncnet is amazing.

My question here kinda is, how to permanently get rid of this evil in an
effective way, and who to contact? (yes, I tried to get through to NOC's
of the affected providers), or could perhaps someone be so nice to use one
of their contacts in Thailand to speed things up?

Kind regards,

Alexander Maassen
Maintainer DroneBL

2

I don't know what you tried in APNIC, my experience is that they are usually responding very quickly.

Have you tried the abuse contacts of the ISP?

If they fail, have you tried to escalate to escalation-abuse@apnic.net, following our abuse-mailbox proposal (https://www.apnic.net/wp-content/uploads/2018/08/prop-125-v001.txt), which was adopted long time ago?

You could also try the APNIC Talk mailing list.

Regards,
Jordi
@jordipalet

El 11/8/20 15:10, "NANOG en nombre de Alexander Maassen" <nanog-bounces+jordi.palet=consulintel.es@nanog.org en nombre de outsider@scarynet.org> escribió:

    Hello folks,

    Before you shoot me with 'wrong mailing list' replies, believe me, I
    tried, THNOG is dead, APNIC ain't responding either and the ISP's over
    there don't seem to care much. And I've been looking at this situation for
    over 2 years now since first incident. I simply hope that with the
    contacts you folks have due to your professions to be able to help.

    So, I came across this botnet which decided to pick my IRC network as
    control center, and I have been digging into them. It turns out that in
    Thailand, people can easily get cloned modems in order to internet for
    'free', it simply boils down to mac cloning, so let me spare you the
    details. The problem is that these modems also carry a digital STD in the
    form of additional botnet code, allowing the controllers to do, well,
    botnet stuff.

    I disabled their ability to control by glining everything on join to the
    control channel, and since I am maintainer of DroneBL, add them to the
    blacklist. Doing that for 2+ years now. The amount of removal requests
    because people no longer are able to play on cncnet is amazing.

    My question here kinda is, how to permanently get rid of this evil in an
    effective way, and who to contact? (yes, I tried to get through to NOC's
    of the affected providers), or could perhaps someone be so nice to use one
    of their contacts in Thailand to speed things up?

    Kind regards,

    Alexander Maassen
    Maintainer DroneBL

3

I don't know what you tried in APNIC, my experience is that they are usually responding very quickly.

Have you tried the abuse contacts of the ISP?

For the Thai ISP space you might also get some traction just talking
to the thai cert org.
h ttps://www.thaicert.or.th/about-en.html

perhaps even this path:
  https://www.thaicert.or.th/report-en.html

4

Alexander Maassen wrote:

It turns out that in
Thailand, people can easily get cloned modems in order to internet for
'free',

I think you failed to explain that, in Thailand, wiretapping is
commonly performed by people illegally having free Internet access,
against which MAC address is used, in vain, to identify true users.

it simply boils down to mac cloning,

Of course.

My question here kinda is, how to permanently get rid of this evil in an
effective way,

Let access ISPs use TDR (Time Domain Reflectometry) to detect
wiretapping, which requires periodic monitoring, which costs.

Or, though less elegantly, password protection by something like
PPPoE may work, which requires initial cost to change equipment.

Anyway, preventing free riding should increase revenue of the ISPs.

and who to contact?

ISPs who want to protect paying customers (maybe, partly from your
blacklisting).

(yes, I tried to get through to NOC's
of the affected providers),

ISPs can do nothing, unless they know how to prevent free riding by
wiretapping without harming paying customers.

            Masataka Ohta