The observed TLS handshakes from the (very likely botnet) nodes offer
support for hybrid Post-Quantum key exchange (X25519MLKEM768) (which my
TLS stack then prefers, ensuring its use when supported).

I would not have expected botnets to be quite so bleeding edge in their
TLS support; use of hybrid ML-KEM TLS key exchange is a "-00" IETF
working group draft, adopted by the LAMPS working group just two or so
weeks back.

The source networks for the last couple of days by PTR zone are

     11 comcast.net
      2 tele2.se
      2 ripe.net
      2 apnic.net
      1 wtcmoscow.ru
      1 wanadoo.fr
      1 vodafonedsl.it
      1 uu.net
      1 telia.com
      1 spectrum.com
      1 rt.ru
      1 rima-tde.net
      1 ptspb.ru
      1 ptd.net
      1 pbiaas.com
      1 novotelecom.ru
      1 megafon.ru
      1 maxnet.ua
      1 la.net.ua
      1 kbcnet.rs
      1 inmotionhosting.com
      1 h2.nexus
      1 duhosting.ae
      1 att.net
      1 atlanticbb.net
      1 192-clientes-izzi.mx

With some connections from netblocks with no reverse delegation below /8:

    ;15.217.109.192.in-addr.arpa.   IN      PTR
    192.in-addr.arpa.       1200    IN      SOA     z.arin.net. dns-ops.arin.net. 2017039023 1800 900 691200 10800
    ;169.153.20.65.in-addr.arpa.    IN      PTR
    65.in-addr.arpa.        1130    IN      SOA     z.arin.net. dns-ops.arin.net. 2017037991 1800 900 691200 10800
    ;19.206.20.65.in-addr.arpa.     IN      PTR
    65.in-addr.arpa.        1130    IN      SOA     z.arin.net. dns-ops.arin.net. 2017037991 1800 900 691200 10800
    ;187.162.20.65.in-addr.arpa.    IN      PTR
    65.in-addr.arpa.        1130    IN      SOA     z.arin.net. dns-ops.arin.net. 2017037991 1800 900 691200 10800
    ;171.129.20.65.in-addr.arpa.    IN      PTR
    65.in-addr.arpa.        1130    IN      SOA     z.arin.net. dns-ops.arin.net. 2017037991 1800 900 691200 10800
    ;71.129.20.65.in-addr.arpa.     IN      PTR
    65.in-addr.arpa.        1130    IN      SOA     z.arin.net. dns-ops.arin.net. 2017037991 1800 900 691200 10800
    ;164.204.20.65.in-addr.arpa.    IN      PTR
    65.in-addr.arpa.        1130    IN      SOA     z.arin.net. dns-ops.arin.net. 2017037991 1800 900 691200 10800
    ;45.147.20.65.in-addr.arpa.     IN      PTR
    65.in-addr.arpa.        1130    IN      SOA     z.arin.net. dns-ops.arin.net. 2017037991 1800 900 691200 10800

Sample logs:

    Mar 30 04:24:48 amnesiac postfix/smtps/smtpd[291156]: Anonymous TLS connection established from c-71-57-213-159.hsd1.va.comcast.net[71.57.213.159]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768 server-signature RSA-PSS (2048 bits) server-digest SHA256
    Mar 30 04:24:48 amnesiac postfix/smtps/smtpd[291156]: NOQUEUE: reject: CONNECT from c-71-57-213-159.hsd1.va.comcast.net[71.57.213.159]: 554 5.7.1 Service unavailable; Client host [71.57.213.159] blocked using zen.spamhaus.org; Listed by XBL, see https://check.spamhaus.org/query/ip/71.57.213.159 / Listed by CSS, see https://check.spamhaus.org/query/ip/71.57.213.159 / Listed by PBL, see https://check.spamhaus.org/query/ip/71.57.213.159; proto=SMTP

-- 
    Viktor.
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop

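An added example, not the author's code, of the kind of tally the post describes: it walks Postfix smtpd log lines in the format shown above, records the negotiated key-exchange group per session, marks sessions that were then rejected at CONNECT, and groups them by PTR zone. The sample lines are constructed; the PTR-zone reduction to the last two labels is an assumption about how the author's list was produced, and Postfix logs the client as `unknown[ip]` when the address has no PTR record.

```python
import re
from collections import Counter

# Constructed sample lines in the Postfix smtpd format shown in the post.
# "unknown[...]" is how Postfix logs a client whose address has no PTR.
SAMPLE_LOG = """\
Mar 30 04:24:48 amnesiac postfix/smtps/smtpd[291156]: Anonymous TLS connection established from c-71-57-213-159.hsd1.va.comcast.net[71.57.213.159]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 30 04:24:48 amnesiac postfix/smtps/smtpd[291156]: NOQUEUE: reject: CONNECT from c-71-57-213-159.hsd1.va.comcast.net[71.57.213.159]: 554 5.7.1 Service unavailable; Client host [71.57.213.159] blocked using zen.spamhaus.org; proto=SMTP
Mar 30 04:31:02 amnesiac postfix/smtps/smtpd[291201]: Anonymous TLS connection established from unknown[192.0.2.77]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar 30 04:35:19 amnesiac postfix/smtps/smtpd[291233]: Anonymous TLS connection established from mail.example.net[198.51.100.5]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
"""

TLS_RE = re.compile(
    r"smtpd\[(?P<pid>\d+)\]: Anonymous TLS connection established from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: .*?key-exchange (?P<kex>\S+)")
REJECT_RE = re.compile(
    r"smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: CONNECT from \S+\[(?P<ip>[^\]]+)\]")

def ptr_zone(host):
    """Last two labels of the PTR name, or 'no-ptr' for Postfix's 'unknown'.
    Assumption: the post's per-zone list used a similar reduction."""
    if host == "unknown":
        return "no-ptr"
    return ".".join(host.split(".")[-2:])

def summarise(log_text):
    """Return (sessions per kex group, rejected sessions per kex group,
    PTR zones per kex group). A session is the (smtpd pid, client ip) pair;
    a later NOQUEUE reject with the same pair marks it as blocked."""
    sessions = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            sessions[(m["pid"], m["ip"])] = {
                "kex": m["kex"], "zone": ptr_zone(m["host"]), "rejected": False}
            continue
        m = REJECT_RE.search(line)
        if m and (m["pid"], m["ip"]) in sessions:
            sessions[(m["pid"], m["ip"])]["rejected"] = True
    by_kex = Counter(s["kex"] for s in sessions.values())
    rejected = Counter(s["kex"] for s in sessions.values() if s["rejected"])
    zones = {}
    for s in sessions.values():
        zones.setdefault(s["kex"], Counter())[s["zone"]] += 1
    return by_kex, rejected, zones

if __name__ == "__main__":
    by_kex, rejected, zones = summarise(SAMPLE_LOG)
    for group, n in by_kex.most_common():
        print(f"{group}: {n} sessions, {rejected[group]} rejected, "
              f"zones={dict(zones[group])}")
```

Run it against `journalctl -u postfix` or the mail log on stdin to see which key-exchange groups the rejected clients negotiate versus the ones that pass the DNSBL check.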