Strange Issue with 1.1.1.1
-
Somehow pfBlocker thinks that 1.1.1.1 has been added to the ISC_1000_30 IPv4 list.
When I ping 1.1.1.1, or try to load the page, it's blocked by that feed, as shown in the pfBlocker logs.
Turning off that feed fixes it, and then I can access that IP.
But when I load the link:
https://isc.sans.edu/api/sources/attacks/1000/30?text and search for 1.1.1.1, it isn't there.
I've removed the PRI IPv4 blocking for now until I figure this out.
Anyone have any idea what's going on?
-
Looks like it's there to me:
[367] => Array ( [ip] => 001.001.001.001 [attacks] => 853 [count] => 18671 [firstseen] => 2020-08-17 [lastseen] => 2020-08-22
-
Ahhh... it is if you're looking for 001.001.001.001 and not 1.1.1.1.
Any idea why that would have been added to that list?
-
Because some idiot reported it, looks like 18671 times ;)
It sure as F is not attacking anyone..
Look here:
https://isc.sans.edu/ipdetails.html?ip=1.1.1.1&18671 Freaking idiots! ;) hehehehe
Example:
2020-08-24 09:52:56 1.1.1.1 53 - N/A - 59077 17
2020-08-24 09:52:56 1.1.1.1 53 - N/A - 60108 17
2020-08-24 09:52:54 1.1.1.1 53 - N/A - 55156 17
2020-08-24 09:52:54 1.1.1.1 53 - N/A - 52877 17
2020-08-24 09:52:53 1.1.1.1 53 - N/A - 58921 17
2020-08-24 09:52:53 1.1.1.1 53 - N/A - 40097 17
2020-08-24 09:52:52 1.1.1.1 53 - N/A - 55222 17
2020-08-24 09:52:52 1.1.1.1 53 - N/A - 60327 17
You mean there was a packet from 1.1.1.1, from source port 53, to some random UDP port on your end... OMG, you asked for DNS and you got a response ;) They probably flushed their states, so now the answer gets blocked and logged.. So they report it up as an "attack".
That is the problem with these automated reporting things.. There are going to be false positives for sure!!!
I personally don't even log UDP traffic, other than a few common ports that are known things, because there is just too much noise on UDP.. I only log TCP SYNs hitting my WAN, because those can sometimes be interesting to see what bots are sweeping around.. Like when that modem thing was out a few years ago.. Saw lots of hits on that port, etc.. But random UDP is just noise, no point in even logging it.
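The false positive described in the post above (a late DNS answer from a resolver, source port 53 UDP to an ephemeral port, being reported as an "attack") is easy to filter out before anything is submitted to an automated reporter. The following is an added example, not pfBlockerNG's or DShield's own code. The log field layout (date time src_ip src_port - N/A - dst_port proto, with 17 = UDP and 6 = TCP) is modelled on the lines quoted above but is an assumption, as is the KNOWN_RESOLVERS set; the sample log is constructed and also contains probes that use source port 53 as a filter-evasion trick, which the check deliberately does not excuse.

```python
"""Triage WAN-log hits before they go to an automated "attack" reporter, so
that late DNS answers from a resolver you query are not reported as attacks.
Added example, not pfBlockerNG's or DShield's code.

Assumptions (not stated on the page): log fields are
  date time src_ip src_port - N/A - dst_port proto
with proto 17 = UDP and 6 = TCP, and KNOWN_RESOLVERS is the set of resolvers
this site actually queries."""
import ipaddress
from dataclasses import dataclass

UDP, TCP = 17, 6
EPHEMERAL_MIN = 1024          # client source ports a resolver would answer to
KNOWN_RESOLVERS = {ipaddress.ip_address(a) for a in ("1.1.1.1", "1.0.0.1")}

# Constructed sample log: four stale-state DNS answers and three real probes.
SAMPLE_LOG = """\
2020-08-24 09:52:56 1.1.1.1 53 - N/A - 59077 17
2020-08-24 09:52:56 1.1.1.1 53 - N/A - 60108 17
2020-08-24 09:52:54 1.0.0.1 53 - N/A - 55156 17
2020-08-24 09:52:53 9.9.9.9 53 - N/A - 40097 17
2020-08-24 09:53:10 203.0.113.7 44123 - N/A - 23 6
2020-08-24 09:53:11 198.51.100.9 53 - N/A - 22 6
2020-08-24 09:53:12 198.51.100.9 53 - N/A - 161 17
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dport: int
    proto: int


def parse_line(line):
    """Parse one log line in the assumed nine-field layout."""
    f = line.split()
    if len(f) != 9:
        raise ValueError(f"unexpected field count in {line!r}")
    return Hit(ts=f"{f[0]} {f[1]}", src=ipaddress.ip_address(f[2]),
               sport=int(f[3]), dport=int(f[7]), proto=int(f[8]))


def classify(hit):
    """Return (report, reason). Only the DNS-answer shape is excused:
    UDP, source port 53, destination an ephemeral port."""
    if hit.proto == UDP and hit.sport == 53 and hit.dport >= EPHEMERAL_MIN:
        if hit.src in KNOWN_RESOLVERS:
            return False, "DNS answer from our resolver; firewall state probably expired"
        return False, "UDP port 53 to an ephemeral port; probably a late DNS answer, review rather than report"
    if hit.sport == 53:
        # Source port 53 over TCP, or aimed at a service port, is a classic
        # trick for slipping past "allow DNS" rules: that one is worth reporting.
        return True, "source port 53 but not a DNS answer pattern"
    return True, "unsolicited inbound connection attempt"


def triage(log_text):
    """Split log lines into hits to report and hits to suppress."""
    out = {"report": [], "suppress": []}
    for line in log_text.splitlines():
        if line.strip():
            hit = parse_line(line)
            report, reason = classify(hit)
            out["report" if report else "suppress"].append((hit, reason))
    return out


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG).items():
        for hit, reason in hits:
            print(f"{bucket:8} {hit.src}:{hit.sport} -> :{hit.dport} proto {hit.proto}  {reason}")
```

Run as a script it prints each sample hit with its bucket and reason: the four source-port-53 UDP answers to ephemeral ports are suppressed, while the telnet probe, the TCP "source port 53" connection to port 22 and the UDP source-port-53 packet to port 161 are still reported.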
-
Got added to CINS Army as well. I added all IPs to the suppression list:
1.1.1.1/32 1.0.0.1/32 1.1.1.2/32 1.0.0.2/32 1.1.1.3/32 1.0.0.3/32
Forced a reload and got this:
CINS_army_v4 15000 15000 19434
Suppression ET_Block_v4: 1.1.1.0/24 (Excluding: 1.1.1.1/32)
Suppression ET_Block_v4: 1.1.1.0/24 (Excluding: 1.1.1.2/32)
Suppression ET_Block_v4: 1.1.1.0/24 (Excluding: 1.1.1.3/32)
Everything is working again. Until all the lists are clean, just add the IPs to your suppression list.
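Two things in this thread are worth seeing in code: why a plain text search of the ISC feed for "1.1.1.1" finds nothing while the entry is there as 001.001.001.001, and what the suppression list actually does to the block list (an entry fully covered by a suppression /32 is dropped, a wider feed entry such as 1.1.1.0/24 gets the suppressed addresses carved out, which is what the "Excluding:" lines above describe). The following is an added example, not pfBlockerNG's or ISC's own code. The tab-separated column order of the feed text and the second feed standing in for ET_Block_v4 are assumptions; the feed excerpt is constructed to match the zero-padded shape quoted earlier in the thread.

```python
"""Why a plain text search for "1.1.1.1" misses the ISC entry, and how a
pfBlockerNG-style suppression list carves exceptions out of the final block
list. Added example, not pfBlockerNG's or ISC's own code.

Assumptions (not from the thread): the ISC ?text feed is tab-separated in
the column order ip, attacks, count, firstseen, lastseen; the sample text
below is constructed to match the zero-padded shape the thread shows."""
import ipaddress

ISC_FEED_TEXT = (  # constructed sample, zero-padded octets as in the thread
    "# ip\tattacks\tcount\tfirstseen\tlastseen\n"
    "001.001.001.001\t853\t18671\t2020-08-17\t2020-08-22\n"
    "001.000.000.001\t12\t40\t2020-08-18\t2020-08-22\n"
    "203.000.113.250\t910\t22000\t2020-08-01\t2020-08-22\n"
)

# Hypothetical second feed (stands in for ET_Block_v4) and the suppression
# entries from the thread.
OTHER_FEEDS = {"ET_Block_v4": ["1.1.1.0/24"]}
SUPPRESSION = ["1.1.1.1/32", "1.0.0.1/32", "1.1.1.2/32",
               "1.0.0.2/32", "1.1.1.3/32", "1.0.0.3/32"]


def naive_search(feed_text, needle):
    """What the original poster did: substring search. Fails on zero padding."""
    return needle in feed_text


def normalize_ipv4(dotted):
    """Canonicalise a possibly zero-padded dotted quad (001.001.001.001 -> 1.1.1.1).
    int(..., 10) strips the padding; IPv4Address rejects octets > 255 and junk."""
    octets = dotted.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 dotted quad: {dotted!r}")
    return ipaddress.IPv4Address(".".join(str(int(o, 10)) for o in octets))


def parse_isc_feed(feed_text):
    """Return {IPv4Address: record} keyed by canonical address, so a lookup
    by the normal spelling of an address works."""
    entries = {}
    for line in feed_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, attacks, count, first, last = line.split("\t")
        entries[normalize_ipv4(ip)] = {"attacks": int(attacks), "count": int(count),
                                       "firstseen": first, "lastseen": last}
    return entries


def build_block_list(feeds, suppression):
    """Apply a suppression list to per-feed networks.

    A feed entry fully covered by a suppression entry is dropped; a wider
    feed entry has the suppressed part carved out (the "Excluding:" case).
    Returns (sorted blocked networks, log lines)."""
    sup = [ipaddress.ip_network(s) for s in suppression]
    blocked, log = [], []
    for name, nets in feeds.items():
        for raw in nets:
            net = ipaddress.ip_network(str(raw))
            if any(net.subnet_of(s) for s in sup):
                log.append(f"Suppression {name}: {net} (dropped)")
                continue
            remaining = [net]
            for s in (x for x in sup if x.subnet_of(net)):
                nxt = []
                for r in remaining:
                    # address_exclude yields r minus s (nothing if r == s)
                    nxt.extend(r.address_exclude(s) if s.subnet_of(r) else [r])
                remaining = nxt
                log.append(f"Suppression {name}: {net} (Excluding: {s})")
            blocked.extend(remaining)
    return sorted(blocked), log


def demo():
    """Run the whole flow on the constructed data and return the results."""
    isc = parse_isc_feed(ISC_FEED_TEXT)
    feeds = {"ISC_1000_30": [str(ip) for ip in isc], **OTHER_FEEDS}
    blocked, log = build_block_list(feeds, SUPPRESSION)
    return {
        "naive_finds_it": naive_search(ISC_FEED_TEXT, "1.1.1.1"),
        "normalized_finds_it": normalize_ipv4("1.1.1.1") in isc,
        "isc_count_for_1_1_1_1": isc[normalize_ipv4("1.1.1.1")]["count"],
        "blocked": [str(n) for n in blocked],
        "blocked_addresses": sum(n.num_addresses for n in blocked),
        "log": log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The carve-out is done with ipaddress.address_exclude, which splits 1.1.1.0/24 into the seven networks that remain once 1.1.1.1, 1.1.1.2 and 1.1.1.3 are removed (253 addresses), while the two ISC /32 entries that match a suppression entry outright are dropped rather than split. Normalising feed addresses before searching or deduplicating them is the fix for the original confusion.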