Was My ISP on Phishing Expedition?



  • So, the other day my Internet was down and a public IP address was not available from my ISP. The next day the Internet was still down; however, I noticed I received a private IP address from my ISP (172.16.246.74) that raised a red flag. My configured router's address is 10.0.8.1, yet my ISP was attempting to connecting to 192.168.88.1 the router's default IP address. So I wondered whether this default address available even when the router has a custom configuration? Below is what my IDS/IPS showed and I wondered whether my ISP was on a phishing expedition with a 10.8.8.1 address as well as whether my router gave out its name Mikrotik why they tried the default address. I use OpenDNS, not my ISP DSN server.

    Screen Shot 2019-10-03 at 12.27.36 PM.png



  • @NollipfSense said in Was My ISP on Phishing Expedition?:

    yet my ISP was attempting to connecting to 192.168.88.1 the router's default IP address.

    ?
    How can the ISP (want to) connect to a router's LAN address ?
    This upstream router, the one above pfSense, has a firewall , right ?

    The IDS running on pfSense sees suspected DNS packets ... why ?
    Do you let 'unknown' DNS packets coming in ? Are you hosting a master or salve DNS server ?

    My pfSense WAN interface uses the default rule : none. So, nothing comes in - except answers from stuff I asked for. I guess ... I'm not even "IDS", I trust my LAN devices.



  • @Gertjan said in Was My ISP on Phishing Expedition?:

    How can the ISP (want to) connect to a router's LAN address ?
    This upstream router, the one above pfSense, has a firewall , right ?

    Thank you Gertjan for responding! Yes, yes...it wasn't going anywhere. The only upstream above the pfSense is the cable modem...so, it wasn't going anywhere pass the NIC.

    @Gertjan said in Was My ISP on Phishing Expedition?:

    The IDS running on pfSense sees suspected DNS packets ... why ?
    Do you let 'unknown' DNS packets coming in ? Are you hosting a master or salve DNS server ?

    Because the NIC with IDS/IPS would see the packet before the firewall would. No, that's strictly forbidden. No, no master nor slave...just the edge pfSense does DNS.

    @Gertjan said in Was My ISP on Phishing Expedition?:

    My pfSense WAN interface uses the default rule : none. So, nothing comes in - except answers from stuff I asked for. I guess ... I'm not even "IDS", I trust my LAN devices.

    Same here...have highly trusted LAN govern by a new Mikrotik RB450Gx4; however, its default LAN is 192.168.88.1...but that's not its current custom IP address configuration that is 10.0.8.1. That's why I am curious why the connection attempt to that default address or to 10.8.8.1...none exist on my network. However, my ISP knew that I had the earlier Mikrotik RB450G when that was my edge router.

    What I am suspecting is my ISP was wanting to make it look as if I have Internet by issuing a private address to make the cable modem appear to be working by the link light blinking. I came to this conclusion because shortly after the intrusion event attempt, I received a call from the ISP that they were coming out to my home to test. It seems that they wanted to extract additional fee(s) for service.

    Of course, I am highly pissed...these are things they have done to the common uninformed person, and it's deceitful. Does my suspicion reasonable...makes sense?


Log in to reply