Call for packets - Traffic from 116.177.0.0/16

Published: 2014-06-27. Last Updated: 2014-06-28 00:24:48 UTC
by Mark Hofman (Version: 1)
9 comment(s)

If you have log records or packets for traffic from this particular subnet.  If you have anything you can share I'd appreciate it.  

Likely what you will have is DNS open resolver checks, as well as SSH bruteforce pwd guessing attacks. I'm interested in those as well as anything else from this subnet. 

Regards

Mark H - markh.isc (at) gmail.com

(Thanks to those of you that have provided packets, logs and other info, much appreciated)

Keywords:
9 comment(s)

Comments

Hey Mark - Other than the covering prefix announcement of 116.176.0.0/15 by AS 17619 (Acme Universal, HK) I see that entire massive net block completely dark for over a year on my sensors. Which means it would be ripe for ephemeral BGP hijacking without the owner noticing. Can you share the activity or info that piqued your interest?

Anonymous

Jun 27th 2014
1 decade ago

some of the http requests we got from this block

ip | http requests parameter after the fqdn


| 116.117.45.62 | /www.iamsharer.com/js.php | - |
| 116.117.45.62 | /mm.iamsharer.com/js.php | - |
| 116.117.45.62 | /www.iamsharer.com/js.php | - |
| 116.117.45.62 | /mm.iamsharer.com/js.php | - |
| 116.117.45.62 | /www.iamsharer.com/js.php | - |
| 116.117.45.62 | /mm.iamsharer.com/js.php | - |
| 116.117.58.95 | /admin/_content/_About/AspCms_AboutEdit.asp | - |
| 116.117.58.95 | /admin/_content/_About/AspCms_AboutEdit.asp | -

| 116.117.228.177 | /69639/9811877.html | - |
| 116.117.228.177 | /69639/9811479.html | - |
| 116.117.228.177 | /71128/10439411.html | - |
| 116.117.228.177 | /71128/9243519.html | - |
| 116.117.228.177 | /69639/9811479.html | -

Anonymous

Jun 27th 2014
1 decade ago

I thought we were running out of IPv4 addresses? There's a nice chunk we can reclaim.

Anonymous

Jun 27th 2014
1 decade ago

I haven't seen anything myself, but seeing that DNS requests can be spoofed, we'll never know for sure if they're originating from said subnet.

Anonymous

Jun 27th 2014
1 decade ago

The brute force SSH activity from devices throughout the range on several of my honeypots was the first interest. Then detects on client IDSes across several industry sectors. Those were the main drivers for me.

M

Anonymous

Jun 28th 2014
1 decade ago

The traffic I saw was looking for resolvers rather than participating in an amplification. But those could still be spoofed if they own the resolving domain.

Anonymous

Jun 28th 2014
1 decade ago

Searched but did not find any traffic from this subnet. using some probabilistic technique was able to found out most of the IP responds to network unreachable ---- and ttl are 48, 50, 52

Anonymous

Jun 28th 2014
1 decade ago

116.117.x.x. ? 116.117.0.0/16

Was there a typo in the original post? Or did someone read the original ISC post IP range wrong?

Anonymous

Jun 28th 2014
1 decade ago

Did not find anything from the subnet you mentioned. However, I did receive network unreachable in some response of the requests. Most of the ttl was 48, 42 and 50....

Anonymous

Jun 29th 2014
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives