
URL: https://phabricator.wikimedia.org/T303055

US Department of Homeland Security (DHS) IP blocks
Closed, ResolvedPublicSecurity

Description

I understand the whack-a-mole nature of blocking IPs but in this case it is good, actionable intelligence.

DHS is advising the immediate block of the following IPs in response to cyber attacks.

These IPs are attributed to a malicious cyber actor associated with Russia conducting reconnaissance/scanning/attacks within the US.


Details

Risk Rating
Medium
Author Affiliation
WMF Technology

Event Timeline

Comment Actions

Those IPs are now blocked at our borders (at the routers level).

A quick look at our netflow data sampled (1:1000) over the last 7 days doesn't show any hit from those IPs.

The sampling/logging is done before dropping the traffic so if there is enough traffic from them it should show up on this dashboard.

Please let me know when it's good to remove them, otherwise I'll ping you in a month.
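The check described in the comment above, as an added example that is not part of this task or of WMF's tooling: given a border block list and packet-sampled flow records exported before the drop, it counts sampled hits per blocked source, scales them back by the sampling ratio, and quantifies how likely a low-volume scanner is to be missed at 1:1000. The block list, flow records and field layout are constructed for illustration (RFC 5737 documentation addresses, not the task's IPs).

```python
import ipaddress
from collections import Counter

SAMPLING_RATE = 1000  # router samples 1 of every 1000 packets before the ACL drop

# Constructed block list (RFC 5737 documentation addresses, not the task's IPs).
BLOCKED = {"192.0.2.10", "198.51.100.7", "203.0.113.55"}

# Constructed sampled flow records: (src, dst, proto, dport, packets, bytes).
SAMPLED_FLOWS = [
    ("192.0.2.10", "10.0.0.5", "tcp", 443, 3, 180),
    ("198.51.100.200", "10.0.0.5", "tcp", 80, 1, 60),
    ("192.0.2.10", "10.0.0.9", "tcp", 22, 1, 60),
    ("203.0.113.55", "10.0.0.5", "udp", 53, 2, 140),
    ("172.16.4.4", "10.0.0.5", "tcp", 443, 12, 9000),
]


def sampled_hits(flows, blocked):
    """Sampled packet count per blocked source; sources with no hits get 0."""
    hits = Counter({ip: 0 for ip in blocked})
    for src, _dst, _proto, _dport, pkts, _nbytes in flows:
        if src in blocked:
            hits[src] += pkts
    return dict(hits)


def estimate_actual_packets(sampled_packets, rate=SAMPLING_RATE):
    """Scale a sampled count back up to an estimate of packets actually sent."""
    return sampled_packets * rate


def detection_probability(packets_sent, rate=SAMPLING_RATE):
    """Probability that at least one of `packets_sent` packets is sampled.
    A quiet actor can stay below this: 200 packets are caught only ~18% of
    the time at 1:1000, so 'no hits' is weak evidence of 'no traffic'."""
    return 1 - (1 - 1 / rate) ** packets_sent


def blocklist_report(flows=SAMPLED_FLOWS, blocked=BLOCKED, rate=SAMPLING_RATE):
    """Per-IP (address, sampled packets, estimated packets), ordered by address."""
    hits = sampled_hits(flows, blocked)
    return [(ip, hits[ip], estimate_actual_packets(hits[ip], rate))
            for ip in sorted(blocked, key=ipaddress.ip_address)]


if __name__ == "__main__":
    for ip, seen, est in blocklist_report():
        print(f"{ip:16} sampled={seen:3d}  estimated~{est}")
    print(f"P(see a 200-packet scan) = {detection_probability(200):.2f}")
```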

Reedy renamed this task from US Depart of Homeland Security (DHS) IP blocks to US Depart of Homeland Security (DHS) IP blocks. Mar 5 2022, 2:02 PM
ayounsi subscribed.
Comment Actions

John, can this be reverted? If not when should I ping you next?

Reedy renamed this task from US Depart of Homeland Security (DHS) IP blocks to US Department of Homeland Security (DHS) IP blocks. Apr 6 2022, 7:02 PM
Comment Actions

@JBennett: Could you please answer the last comment? Thanks in advance!

Aklapper added a subscriber: Jcross.
Comment Actions

Removing inactive assignee. Wondering if @Jcross could answer T303055#7827678 how to proceed here.

Comment Actions

@Aklapper @ayounsi - Without knowing for sure, I'm going to guess the aforementioned IPs came from a CISA or FBI alert. For example, all of the IPs mentioned within the task description are documented within this FBI Flash update (which is oddly publicly-accessible, under politico.com). As all of our cyber response fell under the purview of John Bennett and David Sharpe, now both departed from the Security Team, we will likely need some time to re-assess requests like this and provide guidance to SRE. Hopefully we can provide an update soon.

Comment Actions

@ayounsi @Aklapper - after conferring with @Jcross and @JBennett, the Security-Team would rate it low risk to unblock the IPs within the task description from being blocked at our edges.

sbassett triaged this task as Medium priority. Jul 12 2022, 8:25 PM
sbassett changed Risk Rating from N/A to Medium.
Comment Actions

For example, all of the IPs mentioned within the task description are documented within this FBI Flash update (which is oddly publicly-accessible, under politico.com).

If the IPs are already publicly known, could we make this task public? (And thanks to you and Andre for following up on this)

Comment Actions

If the IPs are already publicly known, could we make this task public? (And thanks to you and Andre for following up on this)

Personally I think that would be fine, but I want to double-check with WMF-Legal first.

Comment Actions

Reviewed the ticket. Given the public nature of the info, we could make it public if you all deem it safe from a technical standpoint to do so.

Comment Actions

Thanks! Taking the task to remove the blocks.

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)". Jul 15 2022, 2:38 PM
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
Comment Actions

Making public per @Jrogers-WMF's assessment.

Comment Actions

Thank you all, network block removed.