My network has been blocked

ermilsonsilva
New to forums
Posts: 1
Joined: Wed Oct 19, 2016 3:53 pm

My network has been blocked

Post by ermilsonsilva »

My network was blocked on its servers, addresses 131.221.84.0/22 and 143.202.40.0/22.

I have been informed that the security problems in our network have been solved.

I request the unlock, please.


> An IP address (131.221.85.200) under your control appears to have attacked one of our customers as part of a coordinated DDoS botnet. We manually reviewed the captures from this attack and do not believe that your IP address was spoofed, based on the limited number of distinct hosts attacking us, the identicality of many attacking IP addresses to ones we've seen in the past, and the non-random distribution of IP addresses.
>
> It is likely that this host is one of the following, from the responses that others have sent us:
>
> - A compromised DVR, such as a "Hikvision" brand device (ref: http://www.coresecurity.com/advisories/ ... rabilities)
> - A compromised IPMI device, such as one made by Supermicro (possibly because it uses the default U/P of ADMIN/ADMIN or because its password was found through an exploit described at http://arstechnica.com/security/2014/06 ... ory-warns/)
> - A compromised router, such as one made by China Telecom which still allows a default admin username and password; one by Netis, with its built-in internet-accessible backdoor (http://blog.trendmicro.com/trendlabs-se ... -backdoor/); or one running an old AirOS version with its exposed administrative interface
> - A compromised Xerox-branded device
> - Some other compromised standalone device
> - A compromised webhost, such as one running a vulnerable version of WordPress, phpMyAdmin, or zPanel
> - A compromised client, such as one running a vulnerable web browser susceptible to a Java exploit
> - A server with an insecure password that was brute-forced, such as through SSH or RDP
>
> The actual attack consisted of packets with specific distinguishing characteristics. This is example traffic from the IP address, as put out by the "tcpdump" utility and captured by our router during the attack.
>
> Date/timestamps (at the very left) are UTC.
>
> 2016-09-21 23:12:17.059129 IP (tos 0x0, ttl 54, id 17431, offset 0, flags
> [none], proto UDP (17), length 1052)
> 131.221.85.200.40565 > 216.52.148.x.3074: UDP, length 1024
> 0x0000: 4500 041c 4417 0000 3611 f63a 83dd 55c8 E...D...6..:..U.
> 0x0010: d834 94a5 9e75 0c02 0408 0144 9cfe 4f17 .4...u.....D..O.
> 0x0020: 541b 75bb 49fc f8f1 6da2 20ec 6b1a f384 T.u.I...m...k...
> 0x0030: 1a1e 4f97 0ea2 63a1 854f b948 bb24 8554 ..O...c..O.H.$.T
> 0x0040: ff5f d5bb 59e9 1a07 584b 5d85 b407 80f8 ._..Y...XK].....
> 0x0050: fc95 ..
> 2016-09-21 23:12:17.175399 IP (tos 0x0, ttl 54, id 46433, offset 0, flags
> [none], proto UDP (17), length 1052)
> 131.221.85.200.26391 > 216.52.148.x.3074: UDP, length 1024
> 0x0000: 4500 041c b561 0000 3611 84f0 83dd 55c8 E....a..6.....U.
> 0x0010: d834 94a5 6717 0c02 0408 23d9 0418 f283 .4..g.....#.....
> 0x0020: 44e9 bdcf cf1c 9bcc 141c 86e7 d80a a7f4 D...............
> 0x0030: c12a 70d4 e429 19c0 4feb a817 a8d2 95db .*p..)..O.......
> 0x0040: 39cd e68e 0883 b987 23f2 1bd7 fa7a 6ea2 9.......#....zn.
> 0x0050: 8be4 ..
> 2016-09-21 23:12:17.393631 IP (tos 0x0, ttl 54, id 38790, offset 0, flags
> [none], proto UDP (17), length 1052)
> 131.221.85.200.30668 > 216.52.148.x.3074: UDP, length 1024
> 0x0000: 4500 041c 9786 0000 3611 a2cb 83dd 55c8 E.......6.....U.
> 0x0010: d834 94a5 77cc 0c02 0408 4835 66ab 1fc1 .4..w.....H5f...
> 0x0020: e694 5f3f a42a 37d0 a186 a481 6849 dcbd .._?.*7.....hI..
> 0x0030: 9102 e77e e365 ec17 3178 d8b2 0bf0 10ed ...~.e..1x......
> 0x0040: b294 a5ab 583f 12df 7bcd 7aae 17e0 80c4 ....X?..{.z.....
> 0x0050: 31fc 1.
> 2016-09-21 23:12:18.743381 IP (tos 0x0, ttl 54, id 33109, offset 0, flags
> [none], proto UDP (17), length 1052)
> 131.221.85.200.8078 > 216.52.148.x.3074: UDP, length 1024
> 0x0000: 4500 041c 8155 0000 3611 b8fc 83dd 55c8 E....U..6.....U.
> 0x0010: d834 94a5 1f8e 0c02 0408 a120 d3a0 f8c2 .4..............
> 0x0020: 6a9f 4f2e 7f4c 4ba1 3f00 33f7 32d8 caf0 j.O..LK.?.3.2...
> 0x0030: 8ebd 2ca2 0035 ff59 f8f4 a236 56b1 0f90 ..,..5.Y...6V...
> 0x0040: 14ae 0857 c0c6 fff7 f3e9 dbd6 7f77 b33b ...W.........w.;
> 0x0050: 1306 ..
> 2016-09-21 23:12:18.867294 IP (tos 0x0, ttl 54, id 1891, offset 0, flags
> [none], proto UDP (17), length 1052)
> 131.221.85.200.43210 > 216.52.148.x.3074: UDP, length 1024
> 0x0000: 4500 041c 0763 0000 3611 32ef 83dd 55c8 E....c..6.2...U.
> 0x0010: d834 94a5 a8ca 0c02 0408 8a45 eccc feaf .4.........E....
> 0x0020: 02ee f5e5 e0ae 1304 40e0 20f3 64cb e0aa ........@...d...
> 0x0030: c4a5 2fe0 8f73 d279 15be 048d 3aff 1321 ../..s.y....:..!
> 0x0040: 597f 8fbc 4c2d 2b56 8ac5 77fe 511f 2340 Y...L-+V..w.Q.#@
> 0x0050: bbd5 ..
>
> (The final octet of our customer's IP address is masked in the above output because some automatic parsers become confused when multiple IP addresses are included. The value of that octet is "165".)
>
> -John
> President
> NFOservers.com
>
> (We're sending out so many of these notices, and seeing so many auto-responses, that we can't go through this email inbox effectively. If you have follow-up questions, please contact us at noc@nfoe.net.)
>
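The notice quoted above describes the traffic in terms a recipient can check for themselves: UDP to a single destination port, a fixed 1024-byte payload, a different source port on every packet, and an IPv4 header whose text summary (ttl 54, proto 17, length 1052) can be compared with the hex dump, header checksum included. The script below is an added example, not code from this thread or from NFOservers.com. It parses tcpdump -v -X records in the layout the notice uses (including the wrapped and ">"-quoted lines of an e-mail), decodes the IPv4 header from the dump, cross-checks it against the summary line, and groups packets by source so a flood-like sender stands out. The sample records are constructed for the example and use RFC 5737 documentation addresses rather than the addresses in the thread; the function names and the flood_like heuristic are this example's own.

```python
"""Per-source UDP summary from tcpdump -v -X text (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample in the notice's layout, with RFC 5737 documentation addresses
# instead of the thread's; header lines wrap after "flags" as in the quoted e-mail.
SAMPLE = """\
2016-09-21 23:12:17.059129 IP (tos 0x0, ttl 54, id 17431, offset 0, flags
[none], proto UDP (17), length 1052)
192.0.2.200.40565 > 203.0.113.165.3074: UDP, length 1024
0x0000: 4500 041c 4417 0000 3611 3d4c c000 02c8 E...D...6.=L....
0x0010: cb00 71a5 9e75 0c02 0408 0144 9cfe 4f17 ..q..u.....D..O.
2016-09-21 23:12:17.175399 IP (tos 0x0, ttl 54, id 46433, offset 0, flags
[none], proto UDP (17), length 1052)
192.0.2.200.26391 > 203.0.113.165.3074: UDP, length 1024
0x0000: 4500 041c b561 0000 3611 cc01 c000 02c8 E....a..6.......
0x0010: cb00 71a5 6717 0c02 0408 23d9 0418 f283 ..q.g.....#.....
2016-09-21 23:12:17.393631 IP (tos 0x0, ttl 54, id 38790, offset 0, flags
[none], proto UDP (17), length 1052)
192.0.2.200.30668 > 203.0.113.165.3074: UDP, length 1024
0x0000: 4500 041c 9786 0000 3611 e9dc c000 02c8 E.......6.......
0x0010: cb00 71a5 77cc 0c02 0408 4835 66ab 1fc1 ..q.w.....H5f...
2016-09-21 23:12:18.000000 IP (tos 0x0, ttl 64, id 4660, offset 0, flags
[none], proto UDP (17), length 60)
192.0.2.10.51000 > 203.0.113.165.53: UDP, length 32
0x0000: 4500 003c 1234 0000 4011 69cd c000 020a E..<.4..@.i.....
0x0010: cb00 71a5 c738 0035 0028 0000 abcd 0100 ..q..8.5.(......
"""
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ IP ")
HDR_RE = re.compile(r"ttl (\d+), id (\d+), .*?proto UDP \((\d+)\), length (\d+)\)")
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > ([\d.x]+)\.(\d+): UDP, length (\d+)")
# dump words up to the ASCII column (which is not a run of 4-hex-digit words)
HEX_RE = re.compile(r"^0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4}\b\s*)+)")

def split_records(text):
    """One record per timestamp line; wrapped or '>'-quoted lines attach to it."""
    records = []
    for line in text.splitlines():
        line = line.strip().lstrip(">").strip()   # drop e-mail quoting
        if TS_RE.match(line):
            records.append([line])
        elif line and records:
            records[-1].append(line)
    return records

def parse_record(lines):
    """Fields from the summary lines plus the raw bytes of the hex dump."""
    raw, prose = bytearray(), []
    for line in lines:
        if m := HEX_RE.match(line):
            raw += bytes.fromhex("".join(m[1].split()))
        else:
            prose.append(line)
    h, f = HDR_RE.search(" ".join(prose)), FLOW_RE.search(" ".join(prose))
    if not (h and f):
        return None
    return {"ttl": int(h[1]), "id": int(h[2]), "proto": int(h[3]), "ip_len": int(h[4]),
            "src": f[1], "sport": int(f[2]), "dst": f[3], "dport": int(f[4]),
            "udp_payload": int(f[5]), "raw": bytes(raw)}

def ipv4_header_checksum(hdr):
    """RFC 791 one's-complement sum over the header, skipping the checksum field."""
    total = sum(hdr[i] << 8 | hdr[i + 1] for i in range(0, len(hdr), 2) if i != 10)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_ipv4(raw):
    """Header fields from the first 20 dumped bytes, plus a checksum verdict."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl, be = (raw[0] & 0x0F) * 4, lambda s: int.from_bytes(s, "big")
    return {"ip_len": be(raw[2:4]), "id": be(raw[4:6]), "ttl": raw[8], "proto": raw[9],
            "src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
            "checksum_ok": ipv4_header_checksum(raw[:ihl]) == be(raw[10:12])}

def header_matches(rec, hdr):
    """Summary line vs. decoded header; a masked dst like '216.52.148.x' matches as a prefix."""
    if hdr is None or not hdr["checksum_ok"]:
        return False
    if any(rec[k] != hdr[k] for k in ("ttl", "id", "proto", "ip_len", "src")):
        return False
    want = rec["dst"]
    return hdr["dst"].startswith(want[:-1]) if want.endswith("x") else hdr["dst"] == want

def summarize(text, min_packets=3):
    """Per-source report; flood-like = >= min_packets to one port, one size, new sport each."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_record, split_records(text))):
        rec["header_ok"] = header_matches(rec, decode_ipv4(rec["raw"]))
        by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        dports, sizes, sports = ({r[k] for r in recs} for k in ("dport", "udp_payload", "sport"))
        report[src] = {"packets": len(recs), "dst_ports": sorted(dports), "payload_sizes": sorted(sizes),
                       "headers_consistent": all(r["header_ok"] for r in recs),
                       "flood_like": len(recs) >= min_packets and len(dports) == 1
                       and len(sizes) == 1 and len(sports) == len(recs)}
    return report
```

Calling summarize(SAMPLE), or summarize() on the pasted text of a notice like this one, returns one entry per source address. In the sample, 192.0.2.200 is reported as flood-like (three same-size datagrams to port 3074, each from a new source port, headers that decode cleanly with valid checksums), while the single DNS-sized packet from 192.0.2.10 is not. That is the same kind of evidence the notice's operator used when ruling out spoofing, and it lets a network owner confirm on their own side which host to look at.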
kraze
Former staff
Posts: 4362
Joined: Fri Sep 17, 2010 9:06 am
Location: California

Re: My network has been blocked

Post by kraze »

You'll need to forward your response to noc@nfoe.net.
@Kraze^NFo> Juski has a very valid point
@Juski> Got my new signature, thanks!
@Kraze^NFo> Out of context!
@Juski> Doesn't matter!
@Juski> You said I had a valid point! You can't take it back now! It's out there!
Edge100x
Founder
Posts: 12948
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: My network has been blocked

Post by Edge100x »

We don't filter entire blocks of IPs here except in extreme circumstances, and the ones you mentioned aren't filtered on our end. If your internet provider cut off your access, you'll need to contact them.