
SANS ISC: Call for packets - Traffic from 116.177.0.0/16 SANS ISC InfoSec Forums


Call for packets - Traffic from 116.177.0.0/16

If you have log records or packets for traffic from this particular subnet, or anything else you can share, I'd appreciate it.

Likely what you will have is DNS open resolver checks, as well as SSH brute-force password-guessing attacks. I'm interested in those as well as anything else from this subnet.

Regards

Mark H - markh.isc (at) gmail.com

(Thanks to those of you that have provided packets, logs and other info, much appreciated)

Mark

391 Posts
ISC Handler
Hey Mark - Other than the covering prefix announcement of 116.176.0.0/15 by AS 17619 (Acme Universal, HK) I see that entire massive net block completely dark for over a year on my sensors. Which means it would be ripe for ephemeral BGP hijacking without the owner noticing. Can you share the activity or info that piqued your interest?
Anonymous
Some of the HTTP requests we got from this block:

| ip | http request path after the fqdn |
| --- | --- |
| 116.117.45.62 | /www.iamsharer.com/js.php |
| 116.117.45.62 | /mm.iamsharer.com/js.php |
| 116.117.45.62 | /www.iamsharer.com/js.php |
| 116.117.45.62 | /mm.iamsharer.com/js.php |
| 116.117.45.62 | /www.iamsharer.com/js.php |
| 116.117.45.62 | /mm.iamsharer.com/js.php |
| 116.117.58.95 | /admin/_content/_About/AspCms_AboutEdit.asp |
| 116.117.58.95 | /admin/_content/_About/AspCms_AboutEdit.asp |
| 116.117.228.177 | /69639/9811877.html |
| 116.117.228.177 | /69639/9811479.html |
| 116.117.228.177 | /71128/10439411.html |
| 116.117.228.177 | /71128/9243519.html |
| 116.117.228.177 | /69639/9811479.html |
Anonymous
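The call asks for SSH brute-force and DNS open-resolver traffic from 116.177.0.0/16, and the reply above contributes a list of HTTP requests. Below is an added example (not code from the ISC thread or from any of the posters) of how a responder might triage their own logs against that prefix before sending them in: it parses three common log flavours, keeps only sources inside the target /16, classifies what each source did, and reports any source that was offered but actually falls outside the prefix. All log lines are constructed for illustration (sshd auth.log failures, BIND-style query-log lines, and combined-format web requests using paths from the table above); the probe-path list and the choice of the "+" recursion flag as the open-resolver indicator are assumptions.

```python
"""Triage constructed log samples against the 116.177.0.0/16 call for packets.

Added example, not part of the original thread. Sample log lines are
constructed; IPs come from the thread plus RFC 5737 documentation addresses.
"""
import ipaddress
import re
from collections import Counter, defaultdict

TARGET = ipaddress.ip_network("116.177.0.0/16")

# Constructed sshd auth.log excerpt (not a real capture).
SSH_LOG = """\
Mar  3 02:11:07 honeypot sshd[4123]: Failed password for root from 116.177.12.9 port 51220 ssh2
Mar  3 02:11:09 honeypot sshd[4123]: Failed password for root from 116.177.12.9 port 51221 ssh2
Mar  3 02:11:12 honeypot sshd[4125]: Failed password for invalid user admin from 116.177.12.9 port 51230 ssh2
Mar  3 02:15:40 honeypot sshd[4190]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar  3 02:16:02 honeypot sshd[4201]: Accepted publickey for ops from 203.0.113.5 port 52000 ssh2
"""

# Constructed BIND query-log lines. The trailing "+" means recursion desired,
# which is what an open-resolver probe sends to an arbitrary host (assumption).
DNS_LOG = """\
03-Mar-2013 02:20:01.112 client 116.177.200.33#53123: query: probe1.example.net IN A +
03-Mar-2013 02:20:01.300 client 116.177.200.34#53124: query: probe2.example.net IN A +
03-Mar-2013 02:21:10.004 client 198.51.100.7#40000: query: www.example.org IN A -
"""

# Constructed combined-format web log; paths are taken from the thread's table.
HTTP_LOG = """\
116.117.58.95 - - [03/Mar/2013:02:30:00 +0000] "GET /admin/_content/_About/AspCms_AboutEdit.asp HTTP/1.1" 404 512
116.177.77.1 - - [03/Mar/2013:02:31:00 +0000] "GET /admin/_content/_About/AspCms_AboutEdit.asp HTTP/1.1" 404 512
116.177.77.1 - - [03/Mar/2013:02:31:02 +0000] "GET /www.iamsharer.com/js.php HTTP/1.1" 404 512
"""

SSH_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
DNS_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)")
HTTP_RE = re.compile(r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

# Substrings that mark generic CMS/admin probing rather than real content
# requests. The AspCms and js.php paths are from the thread; wp-login is an
# assumed addition a practitioner would usually include.
PROBE_PATHS = ("/admin/", "/js.php", "/wp-login.php")


def in_target(ip: str) -> bool:
    """True when ip is inside TARGET; unparsable strings count as outside."""
    try:
        return ipaddress.ip_address(ip) in TARGET
    except ValueError:
        return False


def prefix_of(ip: str, length: int = 16) -> str:
    """Covering prefix of the given length, e.g. 116.117.58.95 -> 116.117.0.0/16.
    Useful for spotting a mistyped /16 in contributed data."""
    return str(ipaddress.ip_network(f"{ip}/{length}", strict=False))


def triage(ssh_log: str = SSH_LOG, dns_log: str = DNS_LOG, http_log: str = HTTP_LOG) -> dict:
    """Classify activity per source inside TARGET and list sources outside it.

    Returns {"hits": {ip: Counter(kind -> count)},
             "outside": {ip: covering /16}}.
    """
    hits = defaultdict(Counter)
    outside = set()

    def record(ip: str, kind: str) -> None:
        if in_target(ip):
            hits[ip][kind] += 1
        else:
            outside.add(ip)

    for line in ssh_log.splitlines():
        m = SSH_RE.search(line)
        if m:  # only failed logins are counted; accepted logins are not brute force
            record(m["ip"], "ssh_failed_password")

    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m:
            record(m["ip"], "dns_recursive_query" if m["flags"] == "+" else "dns_query")

    for line in http_log.splitlines():
        m = HTTP_RE.search(line)
        if m:
            probe = any(marker in m["path"] for marker in PROBE_PATHS)
            record(m["ip"], "http_probe" if probe else "http_request")

    return {"hits": dict(hits), "outside": {ip: prefix_of(ip) for ip in sorted(outside)}}


if __name__ == "__main__":
    result = triage()
    for ip, kinds in sorted(result["hits"].items()):
        print(ip, dict(kinds))
    for ip, prefix in result["outside"].items():
        print("outside target:", ip, "belongs to", prefix)
```

Run stand-alone it prints one line per in-scope source with its activity mix, then flags every contributed IP that is not in 116.177.0.0/16 together with the /16 it does belong to; on the constructed data the 116.117.58.95 entry from the table above lands in that second list, which is the kind of discrepancy a later reply in this thread raises.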
I thought we were running out of IPv4 addresses? There's a nice chunk we can reclaim.
Dean

135 Posts
I haven't seen anything myself, but seeing that DNS requests can be spoofed, we'll never know for sure if they're originating from said subnet.
Anonymous
The brute force SSH activity from devices throughout the range on several of my honeypots was the first interest. Then detects on client IDSes across several industry sectors. Those were the main drivers for me.

M
Mark

391 Posts
ISC Handler
The traffic I saw was looking for resolvers rather than participating in an amplification. But those could still be spoofed if they own the resolving domain.
Mark

391 Posts
ISC Handler
Searched but did not find any traffic from this subnet. Using some probabilistic technique, I was able to find out that most of the IPs respond with network unreachable, and the TTLs are 48, 50, 52.
makflwana

17 Posts
116.117.x.x. ? 116.117.0.0/16

Was there a typo in the original post? Or did someone read the original ISC post IP range wrong?
Anonymous
Did not find anything from the subnet you mentioned. However, I did receive network unreachable in some of the responses to the requests. Most of the TTLs were 48, 42 and 50.
makflwana

17 Posts
