Description
I understand the whack-a-mole nature of blocking IPs, but in this case it is good, actionable intelligence.
DHS is advising the immediate block of the following IPs in response to cyber attacks.
These IPs are attributed to a malicious cyber actor associated with Russia conducting reconnaissance/scanning/attacks within the US.
Details
Risk Rating: Medium
Author Affiliation: WMF Technology
Event Timeline
Those IPs are now blocked at our borders (at the router level).
A quick look at our netflow data sampled (1:1000) over the last 7 days doesn't show any hit from those IPs.
The sampling/logging is done before dropping the traffic so if there is enough traffic from them it should show up on this dashboard.
Please let me know when it's good to remove them, otherwise I'll ping you in a month.
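Added example, not code from the ticket or from Wikimedia's own tooling: it matches sampled flow records against a border blocklist and quantifies the caveat above, namely how many packets a blocked source must send before 1:1000 sampling is likely to record it at all. The blocklist, the flow records and their (src, dst, sampled_packets) layout are constructed for the example.

```python
"""Blocklist hits in sampled NetFlow data, and the sensitivity limit of sampling."""
import math
from collections import Counter

SAMPLING_RATE = 1000  # 1:1000 packet sampling, taken before the drop rule

# Constructed blocklist using TEST-NET addresses (not the IPs from the ticket).
BLOCKLIST = {"192.0.2.10", "192.0.2.11", "198.51.100.7"}

# Constructed sampled flow records: (source IP, destination IP, sampled packets).
SAMPLED_FLOWS = [
    ("192.0.2.10", "203.0.113.5", 3),
    ("198.51.100.200", "203.0.113.5", 40),   # not on the blocklist
    ("192.0.2.10", "203.0.113.9", 1),
    ("203.0.113.77", "192.0.2.11", 2),        # blocked IP only as destination
]


def blocklist_hits(flows, blocklist, rate=SAMPLING_RATE):
    """Sampled packets per blocklisted source, plus the extrapolated real count.

    Only the source side is checked: the border rule drops inbound traffic
    from these addresses, so outbound flows towards them are a separate question.
    """
    seen = Counter()
    for src, _dst, sampled in flows:
        if src in blocklist:
            seen[src] += sampled
    return {ip: {"sampled": n, "estimated": n * rate} for ip, n in seen.items()}


def detection_probability(packets, rate=SAMPLING_RATE):
    """Probability that at least one of `packets` packets is sampled at 1:rate."""
    return 1 - (1 - 1 / rate) ** packets


def packets_for_confidence(confidence, rate=SAMPLING_RATE):
    """Smallest packet count at which a source appears with the given probability.

    Below this volume a scan from a blocked source can be invisible in the
    sampled data even though the router is dropping it.
    """
    return math.ceil(math.log(1 - confidence) / math.log(1 - 1 / rate))


if __name__ == "__main__":
    print(blocklist_hits(SAMPLED_FLOWS, BLOCKLIST))
    print(f"1000 packets seen with p={detection_probability(1000):.3f}")
    print(f"95% confidence needs {packets_for_confidence(0.95)} packets")
```

A source that sends only a few hundred packets in the window is therefore as likely as not to be absent from the dashboard, so "no hits" rules out sustained traffic rather than low-volume probing.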
@JBennett: Could you please answer the last comment? Thanks in advance!
Removing inactive assignee. Wondering if @Jcross could answer T303055#7827678 how to proceed here.
@Aklapper @ayounsi - Without knowing for sure, I'm going to guess the aforementioned IPs came from a CISA or FBI alert. For example, all of the IPs mentioned within the task description are documented within this FBI Flash update (which is oddly publicly-accessible, under politico.com). As all of our cyber response fell under the purview of John Bennett and David Sharpe, now both departed from the Security Team, we will likely need some time to re-assess requests like this and provide guidance to SRE. Hopefully we can provide an update soon.
@ayounsi @Aklapper - after conferring with @Jcross and @JBennett, the Security-Team would rate it low risk to unblock the IPs within the task description from being blocked at our edges.
In T303055#8017076, @sbassett wrote: For example, all of the IPs mentioned within the task description are documented within this FBI Flash update (which is oddly publicly-accessible, under politico.com).
If the IPs are already publicly known, could we make this task public? (And thanks to you and Andre for following up on this)
In T303055#8073913, @Legoktm wrote: If the IPs are already publicly known, could we make this task public? (And thanks to you and Andre for following up on this)
Personally I think that would be fine, but I want to double-check with WMF-Legal first.
Reviewed the ticket. Given the public nature of the info, we could make it public if you all deem it safe from a technical standpoint to do so.
Thanks! Taking the task to remove the blocks.
Making public per @Jrogers-WMF's assessment.
Thank you all, network block removed.
