Another look into’s troubled past

I previously reported on and the current and previous owners.  But what about the February 2016 botnet attacks? Who was the owner when the domain name was invoked in those attacks?

According to DomainTools, the owner of in February 2016 was Slawek Modrzejewski.  Slawek was the original owner of the domain name, which was first registered on 11/15/2015.

On 4/9/2016, the registration for was dropped by GoDaddy.  Five days later, the registration was picked up by SouthNames Inc. ( with an anonymous owner protected by United Privacy Corp, which is based in Belize.

In addition to the number of WHOIS record updates for, there has been an equally historic hosting history.  As of this writing, has been pointed to 14 different IP addresses, shown in the illustration below from DomainTools.

Epic hosting history!

During the botnet attacks, the hosting IP address was changed to which is managed by ColoCrossing.  After the attacks the server IP address was changed to – which is a bit odd as that IP is managed by Alascom, Inc. in Anchorage, Alaska.  Further information provided by DomainTools shows 78 domain names have A records going to

This leads to none of those domain names actually resolving anywhere, which may appear to be some sort of “spammer nullroute”.  The full list of the 78 domain names pointing to is available here. I notified AT&T/Alascom about these fake A records pointing to their infrastructure and will follow up if I hear back from their NOC/IPAM team.

Hall of Shame updated with known IP addresses with PTR records going to

The Hall of Shame has been updated with a list of known IP addresses with PTR records going to

I have found the following IP addresses in my syslog with PTR records going to was previously discussed due to the sheer volume of attacks.

All IP addresses are managed by Quasi Networks LTD, per the RIPE Database lookup.

Source IP    Count    Protocol
             20489    TCP
             91       TCP
             11       TCP & UDP
             11       TCP
             7        UDP
             4        UDP
             3        UDP
             2        TCP
             2        TCP
             2        TCP
             1        TCP
             1        TCP
             1        TCP
             1        TCP

Google Search Console Team deems Bad Packets Report a safe website!

Huzzah! Bad Packets Report has been cleared as a safe site by the Google Search Console Team.

Earlier this morning, we received the following notification:

To: Webmaster of https://badpackets[.]net/,

Google has received and processed your security review request. Google systems indicate that https://badpackets[.]net/ no longer contains links to harmful sites or downloads. The warnings visible to users are being removed from your site. This may take a few hours to happen.

Thank you to Google Search Console Team for clearing up this false-positive so quickly!

– The mother of all PTR records

Recently, I posted about the IP and the DoS attacks I observed in my syslog. I presumed the reverse DNS record (PTR record) pointing to was just a one-time fake. However, further investigation blew that theory out of the water.

Upon review of the top three networks in my all-time dropped packets list, I saw which is also managed by Quasi Networks LTD and has a PTR record, you guessed it, going to At that point I figured further investigation into this domain name was needed.

IBM X-Force Exchange is reporting the DNS name has 245 associated DNS records of which 244 are PTR records from IP addresses managed by Quasi Networks LTD.  Many of the IP addresses shown have been blacklisted by IBM.

A little further down the page shows was flagged as malware 673 times, mostly for a phishing attack in December 2016. report on is also reporting no-reverse- as malicious, including a link to a post on In the post on MMD, no-reverse- is shown as being used in a DDoS attack in February 2016, referred to as “MMD-0052-2016 – Overview of “SkidDDoS” ELF++ IRC Botnet.” is invoked yet again on DigitalOcean’s community forum back in February 2016, where a user reported, “Strang [sic] activity at auth.log (POSSIBLE BREAK-IN ATTEMPT)” from an IP address with a PTR record going to

So what is the ownership history of the no-reverse- domain name?  According to a lookup, the domain name was owned in 2016 by world famous domain name squatter Milen Radumilo. Milen is credited with almost 100,000 registered domain names on DomainTools.

Milen Radumilo squatted on the domain

Milen Radumilo lost a notable domain name dispute against Energizer Brands, LLC for The complaint notes that Milen used the domain name in bad faith, going so far as to impersonate the Energizer Bunny to profit from links to third-party websites. Milen was also involved in at least five previous domain name dispute proceedings, each of which resulted in him forfeiting the squatted domain name.

Milen was also exposed in the Flexytalk WordPress plugin incident when he scooped two expired domains and subsequently injected popup scams into the websites using the plugin.

Sometime around March 10, 2017, the domain name ownership of was transferred from Milen Radumilo to Dmitry Vasilev. Similar to Quasi Networks Ltd, Dmitry also has an address in Seychelles.

Dmitry is also a prolific domain name squatter, with over 18,000 domains associated with him, mostly under the organization “Kineticdomains Ltd”. A prior domain name dispute Dmitry was involved in references his company as “Elmaco Ltd”, but no further information is found for either company.

I contacted RIPE NCC regarding the malicious traffic from Quasi Networks and informed them of the numerous PTR records pointing to I received a response from RIPE NCC Customer Services that, “In order to have a reverse delagation [sic] PTR records are not a must and therefor [sic] any can create PTR records with false information.”  I followed up with further documentation of the malicious activity from Quasi Networks and will update this post with their response.

Google Safe Browsing algorithm labels Bad Packets Report as “unsafe site”

Irony reached maximum levels today when Google Safe Browsing labeled Bad Packets Report, our website, as an “unsafe site”, per the notification received in the Google Search Console.

False positive report by Google

Unfortunately, no explanation was provided beyond the Google Transparency Report website noting that:

The site contains harmful content, including pages that:

  • Contain suspicious or unknown software

This is an incredible claim, given that no software is hosted on Bad Packets Report, nor any URLs that link to “suspicious or unknown software”.

Google did not respond to a request for comment on the matter.

Other Google users are reporting similar issues on the Webmaster Central Help Forum but no explanation has been provided by Google for these false positives.

These false positives may come at a time when Google is adjusting its Safe Browsing algorithm to enforce higher security requirements for websites.  Google put webmasters on notice in October 2016, advising that all non-HTTPS traffic would eventually display a “Not Secure” warning in Chrome.

– Malware remnants from yesteryear or harmless prodding by The Nielsen Company?

Our runner up title for most dropped packets is bestowed upon So what nefarious activity have we seen? On the surface, the attacks appear fairly benign. However, the deeper we go down the rabbit hole, the more we discover!

So what ports are being attacked and how often? Port 35935 was the lowest and 65428 the highest. TCP was the only protocol used and no single port was attacked more than 18 times in the total 2,462 attacks (still in progress).

The quest gets more interesting when we look into the backstory of A WHOIS query returns:

OrgName: Internap Network Services Corporation
Address: 250 Williams Street
Address: Suite E100
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US
RegDate: 1996-07-18
Updated: 2012-01-24

ARIN’s Abuse Contact page for Internap appears to be out of date by providing a disconnected phone number. I contacted ARIN regarding this and was notified by ARIN hostmaster Jonathan Roberts, “ARIN will attempt to find updated contact information for this record.”

According to Internap Network Services Corporation’s website they are the, “… leading technology provider of internet infrastructure through both Colocation Business and Enterprise Services (including network connectivity, IP, bandwidth, and Managed Hosting), and Cloud Services (including enterprise-grade AgileCLOUD 2.0, Bare-Metal Servers, and SMB iWeb platforms).”

Looking at the map provided on their website, they have a datacenter in Atlanta and presumably that is where lives.

TraceRoute from to
Hop (ms) (ms) (ms) IP Address Host name
1 Timed out Timed out Timed out –
2 1 1 1
3 1 1 1
4 40 41 41
5 40 40 40
6 43 44 43
7 44 44 43
8 48 48 49
9 43 43 43 –
Trace complete

On the second-to-last hop “inapvoxcust” is noted in the hostname. This reveals further details about the owner of, a company named Voxel Dot Net. According to Bloomberg, “Voxel Dot Net, Inc. provides internet hosting services and infrastructure software. The Company offers cloud hosting, circuit testing, interconnection, server racks, firewall, backup, load balancing, power circuits, and recovery solutions” and is also based in Atlanta, GA. Visiting in the browser simply redirects to – putting our investigation into a loop.

So let’s charge further down the rabbit hole and get to the good stuff!  AbuseIPDB users report 42 attacks from, notably DoS attacks dating back to May 3, 2016. Cymon shows malware has been reported for by It gets interesting when we look deeper into the associated domains reported by Cymon:

A Google search yields 5,000+ results for “” and most signs point to a browser hijacker injected through “load.js”.

So who is behind  Visiting in the browser redirects to and the truth is finally revealed.

Shockingly, it is The Nielsen Company (US), LLC. Or as they refer to it, “Nielsen Artificial Intelligence (AI)” and describe it as “Our marketing cloud gives you access to a universe of Nielsen audience data. We help you understand your customers at a level no one else can match. But it doesn’t stop there. Using built-in analytics and Nielsen Artificial Intelligence (AI), our cloud is constantly evaluating the success of your marketing and making adjustments in real-time. The result? Every step of your marketing process gets smarter and more effective.”

The Master Needler –

I’ve been watching the dropped packets for a while now and feel it’s safe to bestow the title of “The Master Needler” upon them.

So which ports are they poking the most?  Interestingly, the ports attacked were evenly distributed and appear mostly random. The lowest port number attacked was 1000 and the highest was 65506. No single port was attacked more than 26 times. The only protocol used in the attacks was TCP.

The full list of ports attacked by is located here:

As of this writing, I have seen 20,489 unique attacks from No other single IP address found in my syslog comes close to this amount. So who is operating the attack server
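The per-source tallies behind the Hall of Shame table earlier on this page, and the port-spread figures just described (lowest port, highest port, most hits on any one port), can be pulled straight out of firewall DROP lines in syslog. The Python below is an added example, not the author's own script; the sample log lines, addresses and interface names in it are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in iptables LOG format. Addresses are from
# the RFC 5737 documentation ranges, not the hosts discussed on this page.
SAMPLE_SYSLOG = """\
Mar 12 10:15:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=242 PROTO=TCP SPT=44321 DPT=35935 SYN
Mar 12 10:15:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=242 PROTO=TCP SPT=44322 DPT=65428 SYN
Mar 12 10:15:03 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=242 PROTO=TCP SPT=44323 DPT=35935 SYN
Mar 12 10:15:04 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=51 PROTO=UDP SPT=53 DPT=1000
Mar 12 10:15:05 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=51 PROTO=TCP SPT=5000 DPT=22 SYN
Mar 12 10:15:06 gw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TTL=51 PROTO=TCP SPT=5001 DPT=443 SYN
"""

# Only DROP lines count as attacks; pull source, protocol and destination port.
DROP_RE = re.compile(r"DROP .*?SRC=(\S+) .*?PROTO=(\S+) .*?DPT=(\d+)")

def parse_drops(text):
    """Yield (src, proto, dport) for every DROP line; other lines are skipped."""
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def summarize(text):
    """Per-source tally: drop count, protocols seen, and how the hit ports spread."""
    counts = Counter()
    protos = defaultdict(set)
    ports = defaultdict(Counter)
    for src, proto, dport in parse_drops(text):
        counts[src] += 1
        protos[src].add(proto)
        ports[src][dport] += 1
    report = {}
    for src, n in counts.most_common():  # busiest source first
        pc = ports[src]
        report[src] = {
            "count": n,
            "protocol": " & ".join(sorted(protos[src])),
            "lowest_port": min(pc),
            "highest_port": max(pc),
            "max_hits_on_one_port": max(pc.values()),
        }
    return report

if __name__ == "__main__":
    for src, row in summarize(SAMPLE_SYSLOG).items():
        print(src, row)
```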

A RIPE database query for the subnet yields the following result:

org-name: Quasi Networks LTD.
org-type: OTHER
address: Suite 1, Second Floor
address: Sound & Vision House, Francis Rachel Street
address: Victoria, Mahe, SEYCHELLES
remarks: *****************************************************************************
remarks: *****************************************************************************
remarks: We are a high bandwidth network provider offering bandwidth solutions.
remarks: Government agencies can sent their requests to
remarks: Please only use for abuse reports.
remarks: For all other requests, please see the details on our website.
remarks: *****************************************************************************

Performing a  WHOIS lookup shows a PTR record going to a CNAME for This is a bit odd and likely is a fake/fraudulent PTR record since there is no actual relation to the DNS name.
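The check a defender can run on a PTR like this one (and it is the practical answer to the RIPE NCC point quoted earlier, that anyone can publish PTR records with false information) is forward-confirmed reverse DNS: resolve the PTR name forward and see whether it points back at the same address. The Python below is an added example, not the author's tooling; the lookup tables, addresses and host names in it are constructed, and live_ptr/live_forward are there to swap in the real system resolver.

```python
import socket
# Constructed lookup tables standing in for live DNS. Addresses are from the
# RFC 5737 documentation ranges and the names are hypothetical, not the hosts
# or domain discussed on this page.
FAKE_PTR = {
    "203.0.113.5": "mail.example.net",    # forward record agrees: legitimate
    "203.0.113.9": "victim.example.org",  # forward record lives elsewhere: fake
    "203.0.113.17": "cname.example.org",  # PTR names something that is only a CNAME
}
FAKE_A = {
    "mail.example.net": ["203.0.113.5"],
    "victim.example.org": ["198.51.100.20"],
    "real.example.org": ["198.51.100.30"],
}
FAKE_CNAME = {"cname.example.org": "real.example.org"}

def fake_ptr(ip):
    return FAKE_PTR.get(ip)

def fake_forward(name):
    """Return (canonical_name, addresses), following one CNAME hop."""
    canonical = FAKE_CNAME.get(name, name)
    return canonical, FAKE_A.get(canonical, [])

def live_ptr(ip):
    """Real PTR lookup via the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_forward(name):
    """Real forward lookup; gethostbyname_ex follows CNAMEs for us."""
    try:
        canonical, _aliases, addrs = socket.gethostbyname_ex(name)
        return canonical, addrs
    except OSError:
        return name, []

def fcrdns(ip, ptr_lookup=fake_ptr, forward_lookup=fake_forward):
    """Forward-confirmed reverse DNS: trust a PTR only if its name resolves
    back to the same address. Whoever runs the in-addr.arpa zone for a block
    can publish any PTR, so an unconfirmed PTR proves nothing about the domain."""
    name = ptr_lookup(ip)
    if name is None:
        return "no-ptr", None, None
    canonical, addrs = forward_lookup(name)
    verdict = "confirmed" if ip in addrs else "unconfirmed"
    return verdict, name, canonical
```

Call fcrdns(ip, live_ptr, live_forward) to run the same check against real DNS; an "unconfirmed" result is the signal that the PTR should not be used to attribute traffic to the named domain.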

Fake PTR record for

So when will the attacks stop?  I have not heard back from Quasi Networks yet.

It appears I’m not alone, however; others are reporting similar attacks from

AbuseIPDB » was reported 67 times

Time Warner Cable customer reporting a SYN flood attack from

Cymon reports is found in blacklists and noted malicious activities.