Netgate Discussion Forum

    Was My ISP on Phishing Expedition?

    NollipfSense:

      So, the other day my Internet was down and a public IP address was not available from my ISP. The next day the Internet was still down; however, I noticed I received a private IP address from my ISP (172.16.246.74), which raised a red flag. My configured router's address is 10.0.8.1, yet my ISP was attempting to connect to 192.168.88.1, the router's default IP address. So I wondered whether this default address is available even when the router has a custom configuration. Below is what my IDS/IPS showed, and I wondered whether my ISP was on a phishing expedition with a 10.8.8.1 address, as well as whether my router gave out its name, Mikrotik, which is why they tried the default address. I use OpenDNS, not my ISP's DNS server.

      [Screenshot: Screen Shot 2019-10-03 at 12.27.36 PM.png, the IDS/IPS alert list]

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.
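      The "red flag" in the post is that the ISP-assigned WAN address falls inside RFC 1918 space, and the alerted destinations are also non-routable. As an added example that is not part of the thread, this script classifies the addresses quoted above (plus a constructed TEST-NET address for contrast) against the ranges an ISP should never hand out as a public address:

```python
"""Classify addresses seen on the WAN side of a firewall.

Added example, not from the forum thread. The addresses used below are the
ones quoted in the post; 203.0.113.5 is a constructed TEST-NET-3 address.
"""
import ipaddress

# Ranges that should never show up as a routable, ISP-assigned WAN address.
SPECIAL_RANGES = {
    "rfc1918": [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12"),
                ipaddress.ip_network("192.168.0.0/16")],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],       # RFC 6598 shared space
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],  # APIPA: no DHCP lease at all
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
}


def classify(addr: str) -> str:
    """Return the range label for addr, or 'public' if it matches none."""
    ip = ipaddress.ip_address(addr)
    for label, nets in SPECIAL_RANGES.items():
        if any(ip in n for n in nets):
            return label
    return "public"


def wan_red_flags(wan_addr: str, ids_destinations: list[str]) -> list[tuple[str, str]]:
    """List (address, reason) pairs that merit a closer look.

    A non-public WAN lease means the upstream is not handing out a routable
    address; an RFC 1918 destination in a WAN-side IDS alert cannot have been
    routed from the Internet, so its origin is worth checking.
    """
    flags = []
    kind = classify(wan_addr)
    if kind != "public":
        flags.append((wan_addr, f"WAN address is {kind}, not a routable ISP address"))
    for dst in ids_destinations:
        if classify(dst) == "rfc1918":
            flags.append((dst, "RFC 1918 destination: unroutable from the Internet"))
    return flags


if __name__ == "__main__":
    for addr, why in wan_red_flags("172.16.246.74",
                                   ["192.168.88.1", "10.8.8.1", "203.0.113.5"]):
        print(f"{addr}: {why}")
```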

      Gertjan @NollipfSense:

        @NollipfSense said in Was My ISP on Phishing Expedition?:

        yet my ISP was attempting to connect to 192.168.88.1, the router's default IP address.

        ?
        How can the ISP (want to) connect to a router's LAN address?
        This upstream router, the one above pfSense, has a firewall, right?

        The IDS running on pfSense sees suspected DNS packets... why?
        Do you let 'unknown' DNS packets come in? Are you hosting a master or slave DNS server?

        My pfSense WAN interface uses the default rule: none. So, nothing comes in, except answers to stuff I asked for. I guess... I'm not even "IDS", I trust my LAN devices.

        Edit: and where are the logs??

        No "help me" PMs please. Use the forum, the community will thank you.

        NollipfSense @Gertjan (last edited by NollipfSense):

          @Gertjan said in Was My ISP on Phishing Expedition?:

          How can the ISP (want to) connect to a router's LAN address?
          This upstream router, the one above pfSense, has a firewall, right?

          Thank you Gertjan for responding! Yes, yes... it wasn't going anywhere. The only upstream above the pfSense is the cable modem... so, it wasn't going anywhere past the NIC.

          @Gertjan said in Was My ISP on Phishing Expedition?:

          The IDS running on pfSense sees suspected DNS packets... why?
          Do you let 'unknown' DNS packets come in? Are you hosting a master or slave DNS server?

          Because the NIC with IDS/IPS would see the packet before the firewall would. No, that's strictly forbidden. No, no master nor slave... just the edge pfSense does DNS.

          @Gertjan said in Was My ISP on Phishing Expedition?:

          My pfSense WAN interface uses the default rule: none. So, nothing comes in, except answers to stuff I asked for. I guess... I'm not even "IDS", I trust my LAN devices.

          Same here... I have a highly trusted LAN governed by a new Mikrotik RB450Gx4; however, its default LAN address is 192.168.88.1... but that's not its current custom IP address configuration, which is 10.0.8.1. That's why I am curious about the connection attempt to that default address or to 10.8.8.1... neither exists on my network. However, my ISP knew that I had the earlier Mikrotik RB450G when that was my edge router.

          What I am suspecting is my ISP was wanting to make it look as if I have Internet by issuing a private address to make the cable modem appear to be working by the link light blinking. I came to this conclusion because shortly after the intrusion event attempt, I received a call from the ISP that they were coming out to my home to test. It seems that they wanted to extract additional fee(s) for service.

          Of course, I am highly pissed... these are things they have done to the common uninformed person, and it's deceitful. Is my suspicion reasonable... does it make sense?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.