Who is IP Volume Inc?
I'm getting port scans, attacks, and constant connections from an ISP called "IP Volume Inc". After a bit of research, I found they were previously known as "Quasi Network Ltd". I checked out their website (ipvolume.net) but I couldn't find a way to buy/rent a server. Seems like their company is based in Seychelles, although their physical datacenters are located in Amsterdam.
Is Novogara BV (novogara.com) IP Volume Inc? Or, who's this network and where are people getting servers from them?
Thanks.
Comments
So you are getting port scans and now want to buy a Server for Port scans?
I guess he tried to see if they sell servers in the first place.
I'm trying to see if all the port scans and attacks are done by the admins themselves or if they sell servers. I'm not interested in port scans.
PubertyVPS maybe.
This is indeed Novogara/Ecatel/Quasi Network Ltd/etc, please read: https://nl.wikipedia.org/wiki/IP_Volume .
They have hosted some other more nasty stuff before, you can read about it on major news sites also or the page above. I just permanently block their entire AS in my FW or even in the bird BGP daemon as a filter because, out of experience, I didn't receive any good / legitimate requests from them and they are mostly scans/bruteforce.
Just saving resources as much as I can by blocking it.
(You'll have to translate the Wikipedia article)
They are Ecatel, the drain of the internet, like a big sinkhole of abusive content run by Reinier van Eeden. They have a lot of subcompanies and subsidiaries: Quasi Networks Ltd, FiberXpress BV, REBA Communications BV, Novogara Ltd, DataOne BV, Alsycon BV, Incrediserve Ltd.
In fact, there is a hoster here on LET (I won't call names) which uses the same registered office, and is also getting transit from "Ecatel", but it's not owned by Reinier. Strange business choice.
We simply drop all traffic coming from their ASNs.
They are the cesspool of the internet, along with social media outlets.
Thank you FoxelVox. I was getting constant attacks, port scans and vulnerability scans to my servers that host SMTP, IMAP, and other services. But the rDNS links to Group-IB (the Russian cybersecurity firm). Seems like that Russian firm is also using IP Volume's servers. I've written an abuse report to IP Volume ([email protected]) but I'm yet to get a response. I'm just going to drop their netblocks permanently from my server as I've lost patience with them.
Russian cyber companies frequently use "Dutch" providers to have access inside Europe, combined with their Acceptable Use Policy (which is everything) it's a good combo.
Didn't they get slapped around by the Dutch tax authorities or something? I thought they stopped operating around then too, guess not.
They keep rebranding as well as changing personnel, meaning the one who's really behind their operations is someone else who hasn't been exposed.
And, if I recall correctly, they had a part in BurstNet's downfall.
Real cesspool, the lot.
Ah, I see. Interesting.
Anyway, I think this'd do the job of keeping them away.
Seems like Shodan scanners also operate within IP Volume Inc's netblocks:
IPv4: 80.82.77.139
HOSTNAME: dojo.census.shodan.io
LOGS: https://pastebin.com/raw/HLfwDNLU
The Dutch newspaper wrote a longread about IPVolume/Ecatel/Novogara/ReBa Communications.
https://www.nrc.nl/nieuws/2021/04/02/the-cesspool-of-the-internet-is-to-be-found-in-a-village-in-north-holland-a4038369
I just have been researching IP Volume.
I found that infinityvps[.]net, one3erver[.]com, and underhost[.]com resell this provider.
There may be other providers...
I continue pursuing IP Volume👍.
Glad I ran into this thread. I've been having the same issue. Great job on those ranges.
Here's to hoping we stay ahead of this
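Several replies above describe dropping every netblock an ASN announces at the firewall. The following is an added example, not code from the thread: it merges a prefix list into an nftables interval set and checks log source addresses against it. The prefixes are constructed documentation ranges standing in for a real prefix export, and the table, set and function names are hypothetical.

```python
"""Added example: build an nftables drop set from an ASN's prefix list."""
import ipaddress

# Constructed sample: documentation ranges stand in for the prefixes an ASN
# announces. Replace with the real list from your routing data or an IRR query.
SAMPLE_PREFIXES = """
# hypothetical prefix export, one CIDR per line
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.77/32
2001:db8:a::/48
not-a-prefix
"""

def load_prefixes(text):
    """Parse CIDR lines, skip comments/garbage, merge adjacent and nested nets."""
    nets = {4: [], 6: []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # ignore malformed entries rather than abort the build
        nets[net.version].append(net)
    return {v: list(ipaddress.collapse_addresses(n)) for v, n in nets.items()}

def render_nft(nets, table="asn_block"):
    """Emit an nftables ruleset that drops inbound packets from the prefixes."""
    out = [f"table inet {table} {{"]
    rules = []
    for ver, typ, match in ((4, "ipv4_addr", "ip"), (6, "ipv6_addr", "ip6")):
        if not nets[ver]:
            continue  # no prefixes of this family: emit neither set nor rule
        elems = ", ".join(str(n) for n in nets[ver])
        out += [f"    set blocked_v{ver} {{", f"        type {typ}",
                "        flags interval", f"        elements = {{ {elems} }}", "    }"]
        rules.append(f"        {match} saddr @blocked_v{ver} counter drop")
    out += ["    chain input {",
            "        type filter hook input priority -10; policy accept;",
            *rules, "    }", "}"]
    return "\n".join(out)

def is_blocked(addr, nets):
    """Check a source address from a log line against the merged prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets[ip.version])
```

Write the output of `render_nft(load_prefixes(...))` to a file, review it, and load it with `nft -f`; regenerate it when the ASN's announcements change.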