Strange Issue with 1.1.1.1



  • Somehow pfBlocker thinks that 1.1.1.1 has been added to the ISC_1000_30 IPV4 list.

    When I ping 1.1.1.1, or try to load the page it's blocked by that feed as shown in pfBlocker logs.

    Turning off that feed fixes it, and then I can access that IP.

    But when I load the link:
    https://isc.sans.edu/api/sources/attacks/1000/30?text

    and search for 1.1.1.1, it isn't there.

    I've removed the PRI IPv4 blocking for now until I figure this out.

    Anyone have any idea what's going on?


  • LAYER 8 Global Moderator

    Looks like it's there to me

      [367] => Array
            (
                [ip] => 001.001.001.001
                [attacks] => 853
                [count] => 18671
                [firstseen] => 2020-08-17
                [lastseen] => 2020-08-22
    


  • Ahhh...it is if you're looking for 001.001.001.01 and not 1.1.1.1.

    Any idea why that would have been added to that list?


  • LAYER 8 Global Moderator

    Because some idiot reported it, looks like 18671 times ;)

    It's sure as the F not attacking anyone..

    Look here
    https://isc.sans.edu/ipdetails.html?ip=1.1.1.1&18671

    Freaking idiots! ;) hehehehe

    Example

    2020-08-24	09:52:56	1.1.1.1 	53 	- N/A -	59077 	17	
    2020-08-24	09:52:56	1.1.1.1 	53 	- N/A -	60108 	17	
    2020-08-24	09:52:54	1.1.1.1 	53 	- N/A -	55156 	17	
    2020-08-24	09:52:54	1.1.1.1 	53 	- N/A -	52877 	17	
    2020-08-24	09:52:53	1.1.1.1 	53 	- N/A -	58921 	17	
    2020-08-24	09:52:53	1.1.1.1 	53 	- N/A -	40097 	17	
    2020-08-24	09:52:52	1.1.1.1 	53 	- N/A -	55222 	17	
    2020-08-24	09:52:52	1.1.1.1 	53 	- N/A -	60327 	17
    

    You mean there was a packet from 1.1.1.1 from source port 53 to some random UDP port on your end... OMG you asked for DNS, and you got a response ;) They prob flushed their states, so now the answer gets blocked and logged.. So they report it up as an "attack"

    That is the problem with these automated reporting things.. Going to be false positives for sure!!!

    I personally don't even log UDP traffic, other than a few common ports that are known things.. because there is just too much noise on UDP.. I only log TCP SYNs hitting my WAN.. Because those can sometimes be interesting to see what bots are sweeping around.. Like when that modem thing was out a few years ago.. Saw lots of hits on that port, etc.. But random UDP - it's just noise, no point in even logging it.



  • Got added to CINS army as well. I added all IPs to the suppression list

    1.1.1.1/32
    1.0.0.1/32
    1.1.1.2/32
    1.0.0.2/32
    1.1.1.3/32
    1.0.0.3/32
    

    Forced Reload and got this:

    CINS_army_v4 15000 15000 19434  
    Suppression ET_Block_v4: 1.1.1.0/24 (Excluding: 1.1.1.1/32) 
    Suppression ET_Block_v4: 1.1.1.0/24 (Excluding: 1.1.1.2/32) 
    Suppression ET_Block_v4: 1.1.1.0/24 (Excluding: 1.1.1.3/32)
    

    Everything working again. Until all the lists are clean just add the IPs to your suppression list.
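    The two practical points in this thread, that the ISC feed stores octets zero-padded (so a text search for "1.1.1.1" misses "001.001.001.001") and that a suppression CIDR is what stops the block, can be checked offline with a small script. The code below is an added example, not pfBlockerNG's or ISC's own code; the feed sample is constructed to mirror the field order in the print_r output above (ip, attacks, count, firstseen, lastseen), and the exact column layout of the live "?text" endpoint is an assumption.

```python
import ipaddress

# Constructed sample mirroring the field order of the print_r output above
# (ip, attacks, count, firstseen, lastseen); not the live ISC feed.
SAMPLE_FEED = """\
001.001.001.001\t853\t18671\t2020-08-17\t2020-08-22
203.000.113.005\t12\t40\t2020-08-20\t2020-08-22
198.051.100.200\t7\t9\t2020-08-21\t2020-08-22
"""

# Suppression entries as typed into pfBlockerNG in the thread.
SUPPRESSION = ["1.1.1.1/32", "1.0.0.1/32", "1.1.1.2/32",
               "1.0.0.2/32", "1.1.1.3/32", "1.0.0.3/32"]


def normalize_ip(text):
    """Turn a zero-padded quad such as 001.001.001.001 into 1.1.1.1.

    int() drops the leading zeros; ipaddress then re-validates the result
    (recent Python versions reject dotted quads with leading zeros).
    """
    octets = text.strip().split(".")
    if len(octets) != 4:
        raise ValueError("not a dotted quad: %r" % text)
    return str(ipaddress.IPv4Address(".".join(str(int(o)) for o in octets)))


def parse_feed(feed_text):
    """Return {canonical_ip: (attacks, count)} from the tab-separated feed."""
    entries = {}
    for line in feed_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        entries[normalize_ip(fields[0])] = (int(fields[1]), int(fields[2]))
    return entries


def is_suppressed(ip, suppression):
    """True if ip falls inside any CIDR on the suppression list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in suppression)


def feed_verdict(ip, feed_text, suppression):
    """'absent', 'suppressed' or 'blocked' for ip against one feed.

    The lookup key is normalized too, so either 1.1.1.1 or 001.001.001.001 works.
    """
    entries = parse_feed(feed_text)
    key = normalize_ip(ip)
    if key not in entries:
        return "absent"
    return "suppressed" if is_suppressed(key, suppression) else "blocked"
```

    Running feed_verdict("1.1.1.1", SAMPLE_FEED, SUPPRESSION) returns "suppressed", and with an empty suppression list it returns "blocked", which is the behaviour the thread describes.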

