SSH bruteforce attempts from Verizon to "AS17452 Bitstop Inc"

Hi,

I am a customer of Verizon Fios in NYC and received a very interesting abuse complaint today from abuse@verizon.com.

I got SSH bruteforce attempts between my IP address and this IPv4 prefix: 202.91.160.0/20

This is hosted on a network called "AS17452 Bitstop Inc".

My connection runs Tor relays, but not exit relays. I doubt it's Tor, since when I had Google Fiber or CenturyLink, even when running Tor relays, I never got those complaints. I use a MikroTik core router so maybe it got malware, although I recently updated it from 7.15.3 to 7.16.1. I decided to filter the prefix.

Maybe a Windows PC on our network is infected. Maybe it's my Rocky Linux servers. Should I probably get a Supermicro/Deciso box and run an OPNsense firewall instead? But I never got complaints from Frontier or Optimum when I put MikroTik routers on both ISPs too, and that was for accounts not in my name. Maybe it's a false positive and just TCP forgery pretending to be me (I hope so).

Just letting you know.

-Neel

=== REDACTED COMPLAINT BELOW ===

Dear Verizon Online Customer,

On 10-30-2024, your account was reported to have been used in an attempt to gain unauthorized access to another system, or to transmit malicious traffic to another Internet user.

It is possible that a device connected to your network may have been infected by a virus or a botnet that is causing this action.

Report and/or Logs:

To assist you in understanding the situation, we have provided the relevant log data below, with timestamps adjusted to our GMT +8 timezone:

DateTime Action AttackClass SourceIP Srcport Protocol DestinationIP DestPort
0 30-Oct-2024 13:37:21 BLOCKED attempted-recon 108.30.XXX.XXX 0 202.91.162.24 22
1 30-Oct-2024 13:49:38 BLOCKED attempted-recon 108.30.XXX.XXX 0 202.91.162.24 22
2 30-Oct-2024 14:00:01 BLOCKED attempted-recon 108.30.XXX.XXX 0 202.91.162.24 22
3 30-Oct-2024 14:10:12 BLOCKED attempted-recon 108.30.XXX.XXX 0 202.91.162.24 22
4 30-Oct-2024 15:17:15 DENIED 108.30.XXX.XXX 32769 TCP 202.91.162.17 22
5 30-Oct-2024 15:18:29 BLOCKED attempted-recon 108.30.XXX.XXX 0 202.91.162.39 22
6 30-Oct-2024 15:23:08 DENIED 108.30.XXX.XXX 54688 TCP 202.91.163.179 22
7 30-Oct-2024 15:30:22 BLOCKED attempted-recon 108.30.XXX.XXX 0 202.91.162.47 22
8 30-Oct-2024 15:47:32 BLOCKED attempted-recon 108.30.XXX.XXX 0 202.91.162.24 22
9 30-Oct-2024 15:58:03 DENIED 108.30.XXX.XXX 50405 TCP 202.91.163.143 22

Please immediately ensure your anti-virus and anti-malware software is properly updated. Please perform full system scans on your device(s). [Including - computers, tablets, cellular devices, network attached storage, security camera recorders (DVR or NVR), and IOT devices, where possible.]

Additional information and removal guidance of detected malware may be found on the website of your scanner(s) manufacturer.

It is difficult to verify the presence of an exact virus or malware infecting a device without a full system scan with up-to-date software.

Installing the most recent firmware and software updates can also assist in securing your device(s). Please follow the device manufacturer's processes for any updates.

If you are unable to take immediate action, it would be advisable to remove the device(s), which may be infected, from your network and the Internet connection until it has been properly cleaned. This may be easily done by unplugging the network cable that connects the device to the router. For wireless devices, removing power from the device will keep it off the network.

Note: this information is being provided as a courtesy; you are solely responsible for any changes you make to your device(s) or network.

Verizon Policy:

If you do not take steps to resolve this issue, we may be forced to take further action. Actions could include the suspension or termination of your service until the issue is resolved, in order to ensure the safety of our network, and the safety of other Internet users.

Please carefully review these agreements, which can be viewed at:

Any future violation will result in further action being taken, up to, and including, the termination of your service.

Sincerely,

Verizon Global IP Abuse

Abuse@verizon.com

Hi Neel,

this might be an interesting read for you: https://delroth.net/posts/spoofed-mass-scan-abuse/

Scott

Don't you have some flow data you can analyze for those time frames to see what on your net is transmitting?

If not I'd suggest you set something up and see all outbound traffic to port 22.
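One way to act on that suggestion, added here as an example and not code from anyone in this thread: parse the complaint's log rows (which are stamped in the reporter's GMT +8 zone), convert them to UTC, and check whether any host behind the router actually had a flow to the same destination IP:port in that window. The flow records and the internal addresses 192.0.2.x are constructed for the example; a real run would pull them from the router's NetFlow/IPFIX export.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the complaint's own log format (source IP masked as in the email).
COMPLAINT_LOG = """\
0 30-Oct-2024 13:37:21 BLOCKED attempted-recon 108.30.XXX.XXX 0 202.91.162.24 22
4 30-Oct-2024 15:17:15 DENIED 108.30.XXX.XXX 32769 TCP 202.91.162.17 22
"""
# Constructed flow records as a LAN-side exporter might show them (times in UTC).
# 192.0.2.10/.11 are hypothetical internal hosts; the port-443 flow is unrelated noise.
FLOWS = [
    {"start": "2024-10-30T07:17:40+00:00", "src": "192.0.2.10", "dst": "202.91.162.17", "dport": 22},
    {"start": "2024-10-30T05:38:00+00:00", "src": "192.0.2.11", "dst": "203.0.113.5", "dport": 443},
]
REPORTER_TZ = timezone(timedelta(hours=8))  # the complaint states its timestamps are GMT +8

def parse_complaint(text):
    """Parse the numbered log rows; BLOCKED rows carry AttackClass but no Protocol column."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].isdigit():
            continue  # header line or blank line
        _, date, time, action, *rest = parts
        if action == "BLOCKED":
            attack_class, src, sport, dst, dport = rest
            proto = None
        else:
            src, sport, proto, dst, dport = rest
            attack_class = None
        local = datetime.strptime(f"{date} {time}", "%d-%b-%Y %H:%M:%S")
        events.append({
            "utc": local.replace(tzinfo=REPORTER_TZ).astimezone(timezone.utc),
            "action": action, "attack_class": attack_class, "src": src,
            "sport": int(sport), "proto": proto, "dst": dst, "dport": int(dport),
        })
    return events

def correlate(events, flows, window=timedelta(minutes=2)):
    """For each complaint event, list internal sources whose flows reach the same
    destination IP:port within `window`. An empty list for every event means nothing
    behind the router sent the traffic, which is what a spoofed source looks like."""
    result = []
    for ev in events:
        srcs = [f["src"] for f in flows
                if f["dst"] == ev["dst"] and f["dport"] == ev["dport"]
                and abs(datetime.fromisoformat(f["start"]) - ev["utc"]) <= window]
        result.append((ev["utc"].isoformat(), srcs))
    return result

if __name__ == "__main__":
    for when, srcs in correlate(parse_complaint(COMPLAINT_LOG), FLOWS):
        print(when, "internal sources:", srcs or "none (consistent with spoofing)")
```

An event with a matching internal source is the device to scan or isolate; events with no local flow at all are the ones worth pushing back on with the upstream as likely spoofed.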

Good to hear it’s not just me. It seems spoofed TCP/IP headers are used on Tor relay IP addresses, hoping to get away with it as “tor traffic” even when they’re non-exit relays. I mean running an exit relay from home is a can of worms if you don’t have a static IP block and supportive ISP.

My brother has a Frontier account in the suburbs of NYC and I just hope he doesn’t get the same complaint. But until Verizon finalizes the sale Frontier is dependent on Lumen/Cogent for transit which hopefully is more secure than Verizon/UUnet.

-Neel