12 hrs on Sonic fiber, 61 inbound requests from malicious IP addresses and counting

by gregwaysonicfiber » Sun Nov 24, 2024 12:48 pm
The tech installed the modem yesterday and I swapped over last night about 10pm. In the first 12 hours, MalwareBytes has blocked incoming requests from 61 compromised IP addresses, and they keep piling up.

I guess most people use Windows Defender or its Mac equivalent these days, and never see what's coming in like this, but boy, it's bad. AT&T, who I've been using the past 4 years, must filter/ban these IP addresses from their network.

Does Sonic have a security setting that I need to enable to filter out these identified malware servers?

by dane » Sun Nov 24, 2024 2:06 pm
Are you using the Sonic provided router, which includes a firewall function?
Dane Jasper
Sonic
by js9erfan » Mon Nov 25, 2024 6:57 am
It looks like you're not using a router/firewall between your ONT and PC, or your PC is in some sort of DMZ. I would correct that or bad things will likely happen.
by sonic.boom » Mon Nov 25, 2024 9:09 am
Yes, I would first check to make sure that the firewall is enabled on your router. Additionally, I'm seeing multiple devices (in addition to your router) with assigned IP addresses, which is unusual. If you have an Ethernet switch, make sure that it's connected to one of the LAN connections on your router and that you don't have the router connected to one of the switch outputs.
Sean M.
Community & Escalations Specialist
by ngufra » Mon Nov 25, 2024 9:26 am
I think what the OP is complaining about is that the packets are reaching them in the first place.
They would like Sonic to block packets from these "known bad" IPs from entering Sonic's network.
However, it could be argued it's not up to Sonic to decide who is "known bad" and it's up to the user to use a firewall and set rules to block what they want.
by gregwaysonicfiber » Mon Nov 25, 2024 9:47 am
No, my bad, I plugged the Sonic Fiber modem into an Ethernet switch and from there a single client was attached at first, and I neglected to put my own router in between. Though I did that presuming that the modem performed DHCP and provided NAT; despite being told by the tech it was not a router, I figured that it was in fact a two-port router. (My mistrust of the technician's acumen was based on their inability to understand some pretty basic terms and questions I had about the install. They were a contractor, not a Sonic employee.)

Does that Sonic router contain a dynamic, black/whitelist firewall, or just the Network Address Translation that a router provides?
by ngufra » Mon Nov 25, 2024 10:03 am
I do not use a Sonic-provided router, just the ONT (I am on 1 Gbps service).
I doubt it would use any list of known good/bad addresses though.

Also note that if you use a switch after the ONT, each device will get its own public IP until the table fills up, at which point I think Sonic has to manually clear the table. The table only has a handful of slots; you really should connect a computer to the ONT directly just for testing, then put a router with NAT and use private addresses.

Sonic will not throttle or filter your traffic (except port 25, I think).
The corollary is that it won't filter "bad" traffic, as the definition of bad is not always clear cut.
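
Added example, not part of any post above and not Sonic's tooling: a Python check for the situation diagnosed in this thread, where a PC plugged into the ONT through a switch holds its own public IP instead of a private address behind a NAT router. It assumes Linux `ip -o -4 addr show` output; the function names, the trimmed sample lines, and the documentation address 203.0.113.7 standing in for a public IP are all constructed.

```python
import ipaddress
import re
import sys

# Ranges a host normally holds when it sits behind a NAT router
# (or that are not routable on the internet at all).
BEHIND_NAT = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]

# Matches one line of `ip -o -4 addr show`: "<idx>: <ifname>  inet <addr>/<prefix> ..."
LINE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+")

def classify(addr):
    """Return 'behind-nat' for private/CGNAT/local addresses, else 'public'."""
    ip = ipaddress.ip_address(addr)
    return "behind-nat" if any(ip in net for net in BEHIND_NAT) else "public"

def exposed_interfaces(ip_addr_output):
    """Return [(ifname, address)] for interfaces holding a public IPv4 address."""
    found = []
    for line in ip_addr_output.splitlines():
        m = LINE.match(line.strip())
        if m and classify(m.group(2)) == "public":
            found.append((m.group(1), m.group(2)))
    return found

# Constructed sample: PC attached to the ONT via a switch, no router in between.
# 203.0.113.7 is a documentation address used here as a stand-in for a public IP.
SAMPLE_DIRECT = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 203.0.113.7/24 brd 203.0.113.255 scope global dynamic eth0
"""

# Constructed sample: the same PC after a NAT router is placed behind the ONT.
SAMPLE_ROUTED = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic eth0
"""

if __name__ == "__main__":
    # Usage: ip -o -4 addr show | python3 this_script.py
    text = SAMPLE_DIRECT if sys.stdin.isatty() else sys.stdin.read()
    for ifname, addr in exposed_interfaces(text):
        print(f"{ifname} holds public address {addr}: no NAT router in path")
```

An empty result means every IPv4 address on the host is private, CGNAT or local, which is what you expect once the router sits between the ONT and the switch.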