
IP address blacklisted, see #3445 #3881

Closed
rdrown opened this issue May 4, 2017 · 3 comments

Comments


rdrown commented May 4, 2017

We are experiencing similar issues under similar conditions to those reported in issue #3445, namely our corporate security team has flagged https://api.nuget.org as suspicious and the address has been blocked within the past two days. Now the IP is listed as 72.21.81.200, belonging to Verizon Business, but we are unable to use the V3 API from our corporate network. The V2 API works for package identification, but some of our users report that certain necessary operations are not working.

Here is a description of our forensic justification for blocking:

"Over the last 30 days IP 72.21.81.200 has recorded 4,800,671 network events against multiple XXXX hosts. Most of the traffic has been Alerts (2,406,243 events). The source IP has been seen triggering alerts for "Microsoft Windows GDI32.dll cmap numUVSMappings overflow attempt". Source IP is blacklisted by multiple sources and located in the USA. The Source IP address is registered to Verizon Communications and is based out of North America. IP Void is showing a blacklist status of 2/83. VirusTotal has recently reported a number of malicious files and URLs that are associated with this IP address. Analysis of the packet data via Sourcefire shows the necessary content needed to exploit this vulnerability with segments: |00 00 00 05 00 00| and |00 0E 00 00| being within 4 bytes of each other. Traffic analysis shows 6 events (Inbound) that were all rejected. Looking at the outbound traffic to this IP shows 127,035 events in the last 24 hours with 66,080 events reading "access truster." The IP is blacklisted but is registered to Verizon. While Verizon is a legitimate communications company there has been a significant amount of malicious activity reported for this IP address over the last 48 hours. As the exploit attempts were legitimate XXXX is escalating to confirm the outbound traffic is legitimate. Due to this it is recommended that this be escalated to the XXXX team to review to determine if this IP should be blocked at the firewall. Based on the malicious nature of this activity XXXX is requesting an IP block."
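The proximity check the security team's note describes, re-created as an added example (it is not code from this issue, from NuGet, or the vendor's real signature): it tests whether the two quoted byte segments occur within 4 bytes of each other, then runs that test over constructed payloads to show that an ordinary zero-padded binary header satisfies it. Reading "within 4 bytes" as the gap between the end of one segment and the start of the other (Snort `within` semantics) is an assumption.

```python
"""Simplified re-creation of the two-segment proximity check quoted above.

Constructed example: only the logic the forensic note describes, used to show
how little evidence two short byte strings in zero-padded binary data carry.
"""
import struct

SEG_A = bytes.fromhex("000000050000")  # |00 00 00 05 00 00|
SEG_B = bytes.fromhex("000E0000")      # |00 0E 00 00|
MAX_GAP = 4  # assumption: bytes between the end of one segment and the start of the other


def _offsets(haystack: bytes, needle: bytes):
    """All offsets at which needle occurs in haystack, overlaps included."""
    i = haystack.find(needle)
    while i != -1:
        yield i
        i = haystack.find(needle, i + 1)


def segments_within(payload: bytes, max_gap: int = MAX_GAP) -> bool:
    """True if SEG_A and SEG_B both occur, in either order, with at most
    max_gap bytes between them. A negative gap (overlap) also counts."""
    b_offs = list(_offsets(payload, SEG_B))
    for a in _offsets(payload, SEG_A):
        for b in b_offs:
            gap = b - (a + len(SEG_A)) if b >= a else a - (b + len(SEG_B))
            if gap <= max_gap:
                return True
    return False


# Constructed benign payload: a plausible big-endian serialized header
# (version=0, count=5, reserved=0, flags=0x0E, padding=0). No exploit content.
BENIGN_HEADER = struct.pack(">IIHHH", 0, 5, 0, 0x0E, 0)
# Same header with count=6: the first segment no longer appears.
BENIGN_HEADER_COUNT6 = struct.pack(">IIHHH", 0, 6, 0, 0x0E, 0)


def triage(samples: dict) -> dict:
    """Map each sample name to whether the proximity check fires on it."""
    return {name: segments_within(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, fired in triage({"header_count5": BENIGN_HEADER,
                               "header_count6": BENIGN_HEADER_COUNT6}).items():
        print(f"{name}: {'ALERT' if fired else 'clean'}")
```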

Contributor

ryuyu commented May 4, 2017

Hey @rdrown
Thanks for the report. I'm looking into this now. I'll try to keep you guys up to date.


dan-iel commented May 5, 2017

I noticed the impact of this blacklist as well. If this is again (as it was in issue #3445) due to a black-listed IP used by your CDN provider, I would respectfully ask that you guys try to come up with a plan to mitigate future similar events. Large companies that use cyber products to protect their companies will be impacted each time this occurs. As we move to the future, package managers more and more become a critical piece of our development process and the .NET development stack. I believe high availability of the API service needs to be a top priority (I'm sure it already is), and interruptions such as this need to be assessed and mitigated as much as possible.

@skofman1
Contributor

This should be resolved now.
