If you have log records or packets for traffic from this particular subnet, or anything else you can share, I'd appreciate it. Likely what you will have is DNS open resolver checks, as well as SSH brute-force password guessing attacks. I'm interested in those as well as anything else from this subnet. Regards Mark H - markh.isc (at) gmail.com (Thanks to those of you that have provided packets, logs and other info, much appreciated)
Mark 391 Posts ISC Handler Jun 27th 2014
Jun 27th 2014 6 years ago
Hey Mark - Other than the covering prefix announcement of 116.176.0.0/15 by AS 17619 (Acme Universal, HK) I see that entire massive net block completely dark for over a year on my sensors. Which means it would be ripe for ephemeral BGP hijacking without the owner noticing. Can you share the activity or info that piqued your interest?
Anonymous
Jun 27th 2014 6 years ago
Some of the HTTP requests we got from this block:

| ip | http request parameter after the fqdn | |
|---|---|---|
| 116.117.45.62 | /www.iamsharer.com/js.php | - |
| 116.117.45.62 | /mm.iamsharer.com/js.php | - |
| 116.117.45.62 | /www.iamsharer.com/js.php | - |
| 116.117.45.62 | /mm.iamsharer.com/js.php | - |
| 116.117.45.62 | /www.iamsharer.com/js.php | - |
| 116.117.45.62 | /mm.iamsharer.com/js.php | - |
| 116.117.58.95 | /admin/_content/_About/AspCms_AboutEdit.asp | - |
| 116.117.58.95 | /admin/_content/_About/AspCms_AboutEdit.asp | - |
| 116.117.228.177 | /69639/9811877.html | - |
| 116.117.228.177 | /69639/9811479.html | - |
| 116.117.228.177 | /71128/10439411.html | - |
| 116.117.228.177 | /71128/9243519.html | - |
| 116.117.228.177 | /69639/9811479.html | - |
Anonymous
Jun 27th 2014 6 years ago
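The records posted above can be filtered on the 116.117.0.0/16 range the diary asks about and tallied per source IP. This is an added example, not code from the thread; the record lines it reads are constructed in the post's "ip | path" layout, and the watched subnet and the 116.176.0.0/15 prefix mentioned in the first reply are taken from the thread.

```python
"""Filter 'ip | path' request records on a watched subnet and tally them.

Added example, not code from the thread.  Input lines are constructed
to mirror the layout of the posted request table.
"""
from collections import defaultdict
import ipaddress

# Subnet the diary asks for reports on.
WATCHED = ipaddress.ip_network("116.117.0.0/16")

# Constructed sample: a few of the posted entries plus one out-of-range
# line and one malformed line, to show that both are skipped.
RECORDS = """\
116.117.45.62 | /www.iamsharer.com/js.php
116.117.45.62 | /mm.iamsharer.com/js.php
116.117.58.95 | /admin/_content/_About/AspCms_AboutEdit.asp
116.117.228.177 | /69639/9811877.html
116.117.228.177 | /69639/9811479.html
198.51.100.7 | /index.html
not a record at all
"""


def parse_record(line):
    """Return (ip, path) for a well-formed 'ip | path' line, else None."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) < 2:
        return None
    try:
        return ipaddress.ip_address(parts[0]), parts[1]
    except ValueError:  # first field is not an IP address
        return None


def tally(text, net=WATCHED):
    """Count requests and collect distinct paths per source IP inside net."""
    hits = defaultdict(lambda: {"count": 0, "paths": set()})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec[0] not in net:
            continue
        ip, path = rec
        hits[str(ip)]["count"] += 1
        hits[str(ip)]["paths"].add(path)
    return dict(hits)


def in_prefix(ip, cidr):
    """True if ip is covered by cidr, e.g. an announced BGP prefix."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    for ip, info in sorted(tally(RECORDS).items()):
        print(ip, info["count"], sorted(info["paths"]))
```

`in_prefix` makes the range comparison from the first reply explicit: 116.117.45.62 sits inside 116.117.0.0/16 but outside 116.176.0.0/15.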
I thought we were running out of IPv4 addresses? There's a nice chunk we can reclaim.
Dean 135 Posts
Jun 27th 2014 6 years ago
I haven't seen anything myself, but seeing that DNS requests can be spoofed, we'll never know for sure if they're originating from said subnet.
Anonymous
Jun 27th 2014 6 years ago
The brute force SSH activity from devices throughout the range on several of my honeypots was the first interest. Then detects on client IDSes across several industry sectors. Those were the main drivers for me.
M
Mark 391 Posts ISC Handler
Jun 28th 2014 6 years ago
The traffic I saw was looking for resolvers rather than participating in an amplification. But those could still be spoofed if they own the resolving domain.
Mark 391 Posts ISC Handler
Jun 28th 2014 6 years ago
Searched but did not find any traffic from this subnet. Using some probabilistic technique I was able to find out that most of the IPs respond with network unreachable, and the TTLs are 48, 50, 52.
makflwana 17 Posts
Jun 28th 2014 6 years ago
116.117.x.x. ? 116.117.0.0/16
Was there a typo in the original post? Or did someone read the original ISC post IP range wrong?
Anonymous
Jun 28th 2014 6 years ago
Did not find anything from the subnet you mentioned. However, I did receive network unreachable in some responses to the requests. Most of the TTLs were 48, 42 and 50....
makflwana 17 Posts
Jun 29th 2014 6 years ago