Suspicious IP reporting

This IP is hitting devices on cellular networks for the past day or so.

I think this is the info to report it to the ISP. Any help or if everyone can report it, I would be a happy camper.;

I think it’s pretty poor form to ask people to report an IP for doing something they are not seeing themselves, and may not even be abuse. What does “hitting devices” mean? Pings? SNMP?

This sort of thing contributes to abuse reponses being poor; lots of noise, not much signal.

Others are seeing it as I provided the website that shows others are seeing it.

I think it is pretty poor form to be ignorant.

Congrats you have been banned from my gmail account straight to the deleted.

So what? I’ve scanned the internet more than 100’ times on all ports/protocols than you can imagine with zmap and many other shabby tools.

I agree with Tom that these absue reports are totally useless and create so much noise that it feels like crying wolf.

Network operator are trained to absorb and protect against that.

Are you aware of the 4D rules?





Unless that you are a real threat to a nation… good luck.

There is a new submarine link that connect America with Europe. It is said to be 250 Tbps.

Kill this link and I guess the industry will listen to you.

Good luck with your ip in China.

Jean St-Laurent

I do not know Tom personally, but I’ve been following his comments, hindsight and shared experience. Tom seems to be a bigger player than you on this mailing list.

Joe, you are only penalizing yourself by banning him. I would personally not ban him.


That is fine. I don’t understand why the ignorance. Its one flipping email and people can reply to me without adding the list. Is this really a necessary conversation? It has only blown up BECAUSE of Tom’s comments. That is great he is a big shot and contributes, that is great to hear.
I am not expereicncing the same type of onlist behavior.

Listen, I have devices on a cell network with only a few layers of security (of course there is a plan to increase the security on those devices but this is a complicated and highly regulated environment).
Someone contacted me off list telling me they beleive the IP is a command and control server.
Cell networks like Verizon has a process to report these IPs, now I am not educated in how the cellular network deal with that, that is where my “ignorance” if you would like to call it that, comes in.
I see no issue asking other network admins to report it and fail to understand why this particular issue is bad.
If there is a FEAR that everyone and their grandmother starts asking the onlist community to report IP addresses, I think that is an an unnecessary fear.

What has turned into “noise” that Tom feared so much has been his doing not mine.

This seems like a highly suspect request coming from a North American network operator…?

Do others see this online bully started by Tom? The leader has spoken so the minions follow :slight_smile:
This list sometimes LOL
I think if everyone gets off their high horse, the list communication would be less noisy for the list veterans.


The underlying premise here is, “pick your battles”. If you don’t want an IP address to access your device in anyway, setup a firewall and properly configure it to accept whitelisted traffic only, or just expose a VPN endpoint. The Internet is full of both good and bad actors that probe and scan anything and everything.

While some appreciate the notification here, others will find it annoying. We cannot report anything malicious about an IP address on the Internet, unless it does harm to us specifically, otherwise it is false reporting and does create more noise at the ISP, and waste more time getting to the underlying issue.


How do I setup a firewall when I am not a Verizon engineer?
There is a firewall via the antivirus and operating system but that’s it.
Do you not understand my issue? I thought that is the real problem with the online bullies in this thread.


It isn’t on Verizon to setup a firewall, especially if you have a direct public IP service. The device being attached directly to the Internet (no matter the transmission medium), must be able to protect itself. ISPs provide routers which function as a NAT/Firewall appliance, to provide a means of safety and convenience for them, but also charge you a rental fee.

Stick a Cradlepoint router or something in front of your device, if you want an external means of protection. Otherwise you’ll need to enable the Windows Firewall if it’s a Windows system, or setup iptables on Linux, ipfw/pf on *BSD, etc.


Thanks but like I said these devices are in moving vehicles ok?
I stated we have a plan but it is ways out.
FACT: we have a known malicious C&C
FACT: We know what networks it is hitting and the cellular network is the most vulnerable, imo.
FACT: this IP is against Verizon terms of service so the way to address it is to report it to them as they request.

I honestly got what I needed from this thread, thanks. And I thank the nonbullies that helped me off list.

While I agree that reporting something not observed just creates a lot of unnecessary work for the recipient in processing all of the unsubstantiated reports (that don’t match traffic logs, etc), that isn’t the point of my message. I would point out that most people would call such reports spam at the least. Another term for the same thing, brigading, rarely works out satisfactorily for anyone either.

Success with asking a service provider to take action is always going to be a crapshoot, but it will almost never be fast in any case.

If there is a C2 server known to be contacting a host you manage, the bigger problem to me would seem to be the compromised host, rather than the C2. It could be exfiltrating sensitive data to the attacker right now. An established attacker will have dozens or hundreds of C2s. Do you intend to pursue all of them individually?

If the organization isn’t prepared to start an appropriate incident response on a compromised host in a timely manner, perhaps they will learn from and correct that security posture weakness in the future.


Much like your banning of an email address is an ability you have with your provider (gmail), you should have the same abilities with your cellular provider for an IP address.
I would think (at a minimum) you would be able to negotiate such an action with them, perhaps it is time to re-negotiate that contract?
If your simply trying to report an offending IP for brute force stuff perhaps the tact you may find more helpful is to ask for a contact at xzy ISP on list, versus asking folks to do reporting for you. As well there are like 100s of lists to report this to outside of NANOG

As well, if I am reading this correctly, deployment of devices that have public facing IPs and do not have a means to protect themselves is concerning to say the least.
This is about as reckless as putting up a login page without a password and crying foul when something gains access that you didn’t expect. Again, I do not know all of the details of this so I may be way off base with that respect.

If your ability to prevent issues is due to lack of a firewall/control to your network, possibly asking for help in mitigating such threats would be better, as there are a lot of very well versed/clever folks that help out.

And just like deploying IoT devices in vehicles without proper security preparations will lead you to a C&C network … just saying the hammer swings both ways here and getting a IP reported isn’t going to do you any damn good at ALL.

Personally I’d rip those IoT vehicles off the market for a recall but I suspect we’ll be hearing of that in the not to distant future.

So in hindsight why don’t we just close down this thread here.

Sorry wasn’t meant directly aimed at you… unless you are the same person \?

Let’s assume that I submitted an abuse report on your behalf. I’m not going to do it on behalf of my company; I’m not seeing this issue. So I’d have to do it in a personal capacity.

Who do I report it to? Let’s say my ISP is Charter, and my cell provider is AT&T. Reporting to either one would not provide you any benefit, since you are seeing the suspect traffic to you via Verizon. Let’s assume I file the reports anyways. What do I say? I haven’t seen the traffic in question, so I have no idea what it is. I can’t provide any specifics in my abuse report that would be helpful. I’m certainly not going to just copypasta some information from abusedbip; I can’t speak to the accuracy of anything there.

Finally, I’m just another guy on the list, nobody special. I certainly don’t feel that there was any bullying involved on my part or others, but I won’t comment further; the intensity of your reaction would lead me to believe it would be unproductive.

Best of luck in addressing your issues.

Hi Joe & Joe,

I’m not sure which Joe is the original Joe anymore, but I like this reply better than the previous one.

It feels more informative and more useful to the community.

I just stumbled on this article.

Could it be that what the OP observed is link to a browser vulnerability started to be exploited recently?