Our runner up title for most dropped packets is bestowed upon 220.127.116.11. So what nefarious activity have we seen? On the surface, the attacks appear fairly benign. However, the deeper we go down the rabbit hole, the more we discover!
So what ports are being attacked and how often? Port 35935 was the lowest and 65428 the highest. TCP was the only protocol used and no single port was attacked more than 18 times in the total 2,462 attacks (still in progress).
The quest gets more interesting when we look into the backstory of 18.104.22.168. A WHOIS query returns:
OrgName: Internap Network Services Corporation
Address: 250 Williams Street
Address: Suite E100
ARIN’s Abuse Contact page for Internap appears to be out of date by providing a disconnected phone number. I contacted ARIN regarding this and was notified by ARIN hostmaster Jonathan Roberts, “ARIN will attempt to find updated contact information for this record.”
According to Internap Network Services Corporation’s website they are the, “… leading technology provider of internet infrastructure through both Colocation Business and Enterprise Services (including network connectivity, IP, bandwidth, and Managed Hosting), and Cloud Services (including enterprise-grade AgileCLOUD 2.0, Bare-Metal Servers, and SMB iWeb platforms).”
Looking at the map provided on their website, they have a datacenter in Atlanta and presumably that is where 22.214.171.124 lives.
TraceRoute from Network-Tools.com to 126.96.36.199
Hop (ms) (ms) (ms) IP Address Host name
1 Timed out Timed out Timed out –
2 1 1 1 188.8.131.52 ntt-level3-200g.dallas1.level3.net
3 1 1 1 184.108.40.206 ae-0.r23.dllstx09.us.bb.gin.ntt.net
4 40 41 41 220.127.116.11 ae-8.r23.snjsca04.us.bb.gin.ntt.net
5 40 40 40 18.104.22.168 ae-45.r01.snjsca04.us.bb.gin.ntt.net
6 43 44 43 22.214.171.124 ae-0.internap.snjsca04.us.bb.gin.ntt.net
7 44 44 43 126.96.36.199 border5.pc1-bbnet1.sje011.pnap.net
8 48 48 49 188.8.131.52 inapvoxcust-3.border3.sje011.pnap.net
9 43 43 43 184.108.40.206 –
On the second-to-last hop “inapvoxcust” is noted in the hostname. This reveals further details about the owner of 220.127.116.11, a company named Voxel Dot Net. According to Bloomberg, “Voxel Dot Net, Inc. provides internet hosting services and infrastructure software. The Company offers cloud hosting, circuit testing, interconnection, server racks, firewall, backup, load balancing, power circuits, and recovery solutions” and is also based in Atlanta, GA. Visiting http://www.voxel.net in the browser simply redirects to www.internap.com – putting our investigation into a loop.
So let’s charge further down the rabbit hole and get to the good stuff! AbuseIPDB users report 42 attacks from 18.104.22.168, notably DoS attacks dating back to May 3, 2016. Cymon shows malware has been reported for 22.214.171.124 by malwr.com. It gets interesting when we look deeper into the associated domains reported by Cymon:
A Google search yields 5,000+ results for “loadr.exelator.com” and most signs point to a browser hijacker injected through “load.js”.
Shockingly, it is The Nielsen Company (US), LLC. Or as they refer to it, “Nielsen Artificial Intelligence (AI)” and describe it as “Our marketing cloud gives you access to a universe of Nielsen audience data. We help you understand your customers at a level no one else can match. But it doesn’t stop there. Using built-in analytics and Nielsen Artificial Intelligence (AI), our cloud is constantly evaluating the success of your marketing and making adjustments in real-time. The result? Every step of your marketing process gets smarter and more effective.”