This is the second time in the last couple of months I have discovered a user with the AliExpress Android app installed on their device with outgoing traffic being labeled as "SSL_HELLO_Msg_DoS". Both times the user claims to have NOT been using this application, but it shows on their device as having used data recently without being active in the background.
Our IPS shows the outgoing traffic to the following IP addresses:
18.104.22.168 (Alibaba - San Francisco)
Everything I can find on the SSL_HELLO_Msg_DoS signature is that it is an old attack and most likely not effective anymore.
Does anyone think this is just valid traffic being identified incorrectly, or is something else going on here? I only have the events from our IPS to investigate and no packet captures.
Both users have deleted the application from their devices.
Aug 19th 2016