Skynet Skynet blocking microsoft CIDR blocks

[agilani]

Ok this is my 4th problem with Skynet since Adam left.

I checked and it looked like Firehol is reporting microft CIDR block as bad and its blocking linkedin. Shouldn't this be whitelisted by skynet already?


13.107.246.10 is NOT in set Skynet-Whitelist.
13.107.246.10 is in set Skynet-Blacklist.
13.107.246.10 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
"BanMalware: firehol_level3.netset"


Part of the following Microsoft Blocks

13.64.0.0/11, 13.96.0.0/13, 13.104.0.0/14

I manually whitelisted the whole range.

 

[dave14305]

Seems like that IP is iffy right now. Skynet doing its job based on the public lists. Your prerogative to whitelist, but not all of Microsoft's IP space can necessarily be trusted outright.

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

otx.alienvault.com

 

[Wallace_n_Gromit]

Ok this is my 4th problem with Skynet since Adam left.

I checked and it looked like Firehol is reporting microft CIDR block as bad and its blocking linkedin. Shouldn't this be whitelisted by skynet already?


13.107.246.10 is NOT in set Skynet-Whitelist.
13.107.246.10 is in set Skynet-Blacklist.
13.107.246.10 is NOT in set Skynet-BlockedRanges.

Blacklist Reason;
"BanMalware: firehol_level3.netset"


Part of the following Microsoft Blocks

13.64.0.0/11, 13.96.0.0/13, 13.104.0.0/14

I manually whitelisted the whole range.

...but not all of Microsoft's IP space can necessarily be trusted outright.

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

otx.alienvault.com

I seem to recall that it is possible, and some nefarious entities have, hijacked internet space/IP range(s) that is not being used by it's current legitimate owners and have claimed it (perhaps?) illegally as their own to achieve some credibility that the true owners have and thus many Internet traffic filters will allow.

Part of the current issue is that with the limited availability of IPV4 space/ranges that, such space is very valuable and is being sold by their legitimate owners for big bucks. Some entities have found ways to hijack this limited IPV4 space. I remember a past Security Now episode mentioning a European ISP that was "stealing" IPV4 ranges for its own use.

Years of watching Security Now have filled my head with all these bits of trivia.

So I cannot immediately back up my claim, does anyone know what this phenomenon is called?

EDIT: Though I haven't been able to find the specific SN episode that mentions this issue... this Stackexchange thread mentions how one "good" ISP could have an IP range stolen by a "EvilCo" ISP because of their unique position and capabilities that ISP's have using BGP.

[https://security.stackexchange.com/...-my-ip-address-and-use-it-as-their-own#224017]

"... Many (most?) BGP hijacking incidents are “operator error” rather than intentional. In some cases companies find IPv4 address space that is assigned to a no-longer-operational entity and use that for business operations. IPv4 address space is scarce and expensive due to IP address depletion. "

 

[agilani]

Its called BGP highjacking. Happens all the time especially when tier 1 ISP's accept and advertise someone else's block without any checking or approval. Typically larger companies like Microsoft and google actively monitor for this however.

 

[Kingp1n]

My son was having issues connecting to GoW (Microsoft exclusive game) servers but once I whitelisted 13.107.246.10 all is working right now.

 

[agilani]

interestingly enough, i don't see it in the ipset right now

https://github.com/firehol/blocklist-ipsets/blob/master/firehol_level3.netset

manually updated the skynet whitelist and it cleared it up.

 

[SpasilliumNexus]

Sure enough this was why on my phone I couldn't not launch any games in the Xbox Game Pass app, nor could use Remote Play on the Series X from the Xbox app.

Not to mention that anything tied to managing my Microsoft Account was slow to browse, or didn't load at all.

 

[bengalih]

Still having this issue today. Been noticing that I have been unable to access OneDrive for at least a week or so.
Noticed yesterday I could access it over my phone's cellular and then tried VPN on my PC and it worked.
Investigated Skynet and found "13.107.42.13 is in set Skynet-Blacklist".
Whitelisted CIDR 13.104.0.0/14 and now is working.
People who maintain these public lists need to be more diligent. Threats are everywhere, you can't block legitimate services by the largest corporations in the world.

 

[L&LD]

With great power comes great responsibility. On the part of the user.

 

[bengalih]

With great power comes great responsibility. On the part of the user.

Will agree to disagree. Security should not be something for only the IT competent. When legitimate services are blocked because of a handful of temporary rogue reports what happens is people disregard the security mechanisms completely.
There are multiple parties at fault here, the least of which is the user.

 

[L&LD]

I would agree with your assessment if this was a paid-for offering.

This is an optional script, offered on optional firmware. I think you can do the math here. I haven't bought an axe recently that can fell trees on its own.

We're responsible for our actions. Whether we know what we're doing or not. My statement stands.

 

[bengalih]

I would agree with your assessment if this was a paid-for offering.

This is an optional script, offered on optional firmware. I think you can do the math here. I haven't bought an axe recently that can fell trees on its own.

We're responsible for our actions. Whether we know what we're doing or not. My statement stands.

Just to be clear I'm not laying fault on Adamm as his efforts go mostly unrewarded. I haven't kept up with what public blacklists are superior for many many years and can only assume that his choices in those were considered somewhat standard practice at the time (or perhaps were just free to access making them an attractive option). I realize he is not responsible for maintaining those lists.

From my time (many years ago) when I would need to work with various blacklist providers when it came to removing client's IPs from SPAM blacklists all I can say is it is very easy to get placed on these and quite a bit harder to get removed.

I think the fault mostly lies with the parties that maintain these lists in ensuring that they are giving better investigation to blocks of IPs which control major services which large swaths of not only individual, but schools and businesses use. It is ridiculous to block access to OneDrive for weeks everyone using your list just because some IP on that block possibly had a malicious actor for a few hours.

The rest of the fault lies with Microsoft who is responsible for any malicious actors that might appear on their IPs and for contacting/cleaning up those lists in cases like this. But, if it is anything like what I recall from managing SPAM lists there are a lot of rinky-dink lists out there (or even decent ones, but tons of them) that it is difficult to know which ones you might be on and actually get quick resolution to be removed from them.
I don't think there is much responsibility after that to fall on the head of the user apart from the generic "caveat emptor" warning one needs to be aware of when choosing to use anything. If security isn't balanced with productivity it will get discarded, and anyone who really understands that space should take precaution to ensure that doesn't happen.

I was posting mostly to make people aware (if someone was searching like I was) that this was still an ongoing issue - or at least an old issue that has cropped up again. While I'm sure there are a lot of proficient people out there using this tool, I'm sure the majority would still be at a loss if they were to lose access to what would commonly be considered safe and legitimate swaths of the Internet.