Abuse reports: IPv6 ENTRO scanning alert

Over the last days, I have received a number of abuse reports for "network scanning" for services related to my dnscry.pt project.

I'm honestly surprised how easy it is to get a provider to shut down a server just by sending something like this:

Network scanning alert notification

Target address:2a0e:bc00::185:xxxx:xxxx:xxxx-->CETNET2 IPv6 Networks
Protocol type:ENTRO
Number of scans:1,612
Recording time:2025-05-29 00:51:47

Please check the security configuration of related network devices in time.

This is an automatic email. Please contact [email protected] or [email protected] if you have any questions.
Network security team Rein240c

I have no idea what this is about and couldn't find any useful information. I tried to contact the email addresses in the report without success.

Has anyone received similar reports and knows what this is about? Does anyone know what CETNET2 or the ENTRO protocol is?

dnscry.pt - Public DNSCrypt resolvers hosted by LowEnd providers • Need a free NAT LXC? -> https://microlxc.net/

Comments

  • @Brueggus said: I'm honestly surprised how easy it is to get a provider to shut down a server just by sending something like this:

    Which provider acts on that? Have you asked that provider to explain the abuse report (if they act on it, they must have understood it)?

    Never heard of an ENTRO protocol either.

    Thanked by (1)Brueggus
  • CETNET2 is probably a typo of CERNET2

    Thanked by (1)Brueggus
  • Neoon (OG, Content Writer, Senpai)
    edited June 2

    https://www.nodeseek.com/post-352255-1

    The scan amount is the same, haha.
    Looks like somebody is checking which providers accept bullshit abuse emails.

    @Brueggus what providers did accept that as valid abuse?

  • @cmeerw said: Have you asked that provider to explain the abuse report (if they act on it, they must have understood it)?

    No, I didn't bother. It's obvious to me that they don't care about the content and just forward the messages.

    @Neoon said:
    @Brueggus what providers did accept that as valid abuse?

    Until now...

    • HE.net - They were fine with it after I confirmed that I have checked the server for malware.
    • Cogent / LittleCreekHost - They asked me to switch to a different IPv6 address from my subnet
    • xervers.pt - Service got suspended immediately and was reactivated 30 minutes after I told them that I have no idea what this is about.

    I am pretty sure that I'll receive more.


  • skhron (Hosting Provider)
    edited June 2

    @Brueggus said:
    Over the last days, I have received a number of abuse reports for "network scanning" for services related to my dnscry.pt project.

    I'm honestly surprised how easy it is to get a provider to shut down a server just by sending something like this:

    Network scanning alert notification

    Target address:2a0e:bc00::185:xxxx:xxxx:xxxx-->CETNET2 IPv6 Networks
    Protocol type:ENTRO
    Number of scans:1,612
    Recording time:2025-05-29 00:51:47

    Please check the security configuration of related network devices in time.

    This is an automatic email. Please contact [email protected] or [email protected] if you have any questions.
    Network security team Rein240c

    I have no idea what this is about and couldn't find any useful information. I tried to contact the email addresses in the report without success.

    Has anyone received similar reports and knows what this is about? Does anyone know what CETNET2 or the ENTRO protocol is?

    I received that too and asked the reporter for more details; they haven't responded since Friday, May 30.

    Original complaint below (sent from [email protected]):

    Network scanning alert notification

    Target address:2a09:b280:fe01:35::a-->CETNET2 IPv6 Networks
    Protocol type:ENTRO
    Number of scans:1,612
    Recording time:2025-05-30 07:45:24

    Please check the security configuration of related network devices in time.

    This is an automatic email. Please contact [email protected] or [email protected] if you have any questions.
    Network security team Rein240c

    Thanked by (2)Brueggus Wonder_Woman

    Check our KVM VPS plans in 🇵🇱 Warsaw, Poland and 🇸🇪 Stockholm, Sweden
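
An added example (not from any poster or provider in this thread): one way an abuse desk could check whether a notification in this format contains anything it can match against its own logs before acting on it. The protocol allow-list and the list of required details are assumptions of the example; the two sample reports are the ones quoted above.

```python
import ipaddress
import re
from collections import Counter

# Assumption: a short allow-list built for this example, not a full registry.
KNOWN_PROTOCOLS = {"tcp", "udp", "icmp", "icmpv6", "sctp", "gre", "esp"}

# The two notifications quoted in the thread (the first was redacted by its poster).
REPORTS = [
    "Target address:2a0e:bc00::185:xxxx:xxxx:xxxx-->CETNET2 IPv6 Networks\n"
    "Protocol type:ENTRO\nNumber of scans:1,612\n"
    "Recording time:2025-05-29 00:51:47",
    "Target address:2a09:b280:fe01:35::a-->CETNET2 IPv6 Networks\n"
    "Protocol type:ENTRO\nNumber of scans:1,612\n"
    "Recording time:2025-05-30 07:45:24",
]

def parse_report(text):
    """Turn 'Key:value' lines into a dict, splitting on the first colon only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def triage(fields):
    """List what is missing before the report can be matched to local logs."""
    gaps = []
    reported, _, destination = fields.get("target address", "").partition("-->")
    try:
        ipaddress.IPv6Address(reported)
    except ValueError:
        gaps.append("reported address incomplete")
    try:
        ipaddress.ip_network(destination, strict=False)
    except ValueError:
        gaps.append("destination is a label, not an address or prefix")
    if fields.get("protocol type", "").lower() not in KNOWN_PROTOCOLS:
        gaps.append("unrecognised protocol name")
    if not any("port" in key for key in fields):
        gaps.append("no port")
    if not re.search(r"(Z|UTC|[+-]\d{2}:?\d{2})$", fields.get("recording time", "")):
        gaps.append("timestamp has no time zone")
    return gaps

def repeated_counts(reports):
    """Scan counts shared by more than one report, which suggests a template."""
    seen = Counter(parse_report(r).get("number of scans") for r in reports)
    return [count for count, n in seen.items() if count and n > 1]
```

A report that returns several gaps gives the recipient nothing to correlate with flow or firewall logs, and a count repeated across unrelated reports points to a fixed template rather than a measurement.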

  • Could this be just another weird university "research" project? It all doesn't make any sense to me.

    Thanked by (1)skhron


  • Neoon (OG, Content Writer, Senpai)

    @Brueggus said:
    Could this be just another weird university "research" project? It all doesn't make any sense to me.

    Yes, send fake abuse, check if the IP stops pinging.
    If yes, we write that down.

  • @Brueggus said:
    Could this be just another weird university "research" project? It all doesn't make any sense to me.

    Research Projects are wild, here's one I got a real while back from TU Dresden:

    Dear network operator(s),
    
    Within the scope of a scientific measurement study, we are exploring the IPv6 network topology.
    Our findings include a wide distribution of routing loops, and a critical router bug that leads to the amplification of ICMP messages.
    
    In your IPv6 network, we have identified at least one routing loop.
    We would like to get a better understanding of these devices and are trying to fix this unwanted behavior.
    
    We mailed you because you are registered as a contact for the following ASN(s):
    199693
    
    We found 1 IPv6 addresses within your ASN(s) having routing loops.
    Here is a sample of affected addresses (we can provide full access to all data):
    2a12:dd47:da00:2000::
    
    We would be grateful for any feedback. Can you confirm our observations? 
    
    
    In case of questions, please do not hesitate to contact us.
    
    Behind this study:
            Maynard Koch (TU Dresden)
            Raphael Hiesgen (HAW Hamburg)
            Marcin Nawrocki (NETSCOUT)
            Prof. Dr. Thomas C. Schmidt (HAW Hamburg)
            Prof. Dr. Matthias Wählisch (TU Dresden)
    
    Kind regards,
    Maynard Koch
    
    --
    Maynard Koch
    TU Dresden, Chair of Distributed and Networked Systems
    https://tu-dresden.de/cs/netd/about/team/koch
    
    

    At least these are still helpful, no idea what the hell happened with the abuse reports.

    youtube.com/watch?v=k1BneeJTDcU
