The Hall of Shame has been updated with a list of known IP addresses that have participated in a coordinated DDoS attack. This list will be updated as more attacks are analyzed and cataloged.
The Hall of Shame has been updated with a list of known IP addresses with PTR records going to no-reverse-dns-configured.com.
I have found the following IP addresses in my syslog with PTR records going to no-reverse-dns-configured.com. 126.96.36.199 was previously discussed due to the sheer volume of attacks.
All IP addresses are managed by Quasi Networks LTD, per the RIPE Database lookup.
188.8.131.52 | 11 | TCP & UDP
Huzzah! Bad Packets Report has been cleared as a safe site by the Google Search Console Team.
Earlier this morning, we received the following notification:
To: Webmaster of https://badpackets[.]net/,
Google has received and processed your security review request. Google systems indicate that https://badpackets[.]net/ no longer contains links to harmful sites or downloads. The warnings visible to users are being removed from your site. This may take a few hours to happen.
Thank you to Google Search Console Team for clearing up this false-positive so quickly!
Recently, I posted about the IP 184.108.40.206 and the DoS attacks I observed in my syslog. I presumed the reverse DNS record (PTR record) pointing to no-reverse-dns-configured.com was just a one-time fake. However, further investigation blew that theory out of the water.
Upon review of the top three networks in my all-time dropped packets list, I saw 220.127.116.11 which is also managed by Quasi Networks LTD and has a PTR record, you guessed it, going to no-reverse-dns-configured.com. At that point I figured further investigation into this domain name was needed.
IBM X-Force Exchange is reporting the DNS name no-reverse-dns-configured.com has 245 associated DNS records of which 244 are PTR records from IP addresses managed by Quasi Networks LTD. Many of the IP addresses shown have been blacklisted by IBM.
A little further down the page shows no-reverse-dns-
Threatcrowd.org is also reporting no-reverse-dns-configured.com as malicious, including a link to a post on MalwareMustDie.org. In the post on MMD, no-reverse-dns-configured.com is shown as being used in a DDoS attack in February 2016, referred to as “MMD-0052-2016 – Overview of “SkidDDoS” ELF++ IRC Botnet.”
no-reverse-dns-configured.com is invoked yet again on DigitalOcean’s community forum back in February 2016 where a user reported, “Strang [sic] activity at auth.log (POSSIBLE BREAK-IN ATTEMPT)” from an IP address with a PTR record going to no-reverse-dns-configured.com.
So what is the ownership history of the no-reverse-dns-configured.com domain name? According to a ThreatMiner.org lookup, the domain name was owned in 2016 by world-famous domain name squatter Milen Radumilo. Milen is credited with almost 100,000 registered domain names on DomainTools.
Milen Radumilo lost a notable domain name dispute against Energizer Brands, LLC for saidenergizer.com. The complaint notes that Milen used the domain name in bad faith, going so far as to impersonate the Energizer Bunny to profit from links to third-party websites. Milen was also involved in at least five previous domain name dispute proceedings, each of which resulted in him forfeiting the squatted domain name.
Milen was also exposed in the Flexytalk WordPress plugin incident when he scooped two expired domains and subsequently injected popup scams into the websites using the plugin.
Sometime around March 10, 2017, the domain name ownership of no-reverse-dns-configured.com was transferred from Milen Radumilo to Dmitry Vasilev. Similar to Quasi Networks Ltd, Dmitry also has an address in Seychelles.
Dmitry is also a prolific domain name squatter, with over 18,000 domains associated with him, mostly under the organization “Kineticdomains Ltd”. A prior domain name dispute Dmitry was involved in references his company as “Elmaco Ltd”, but no further information is found for either company.
I contacted RIPE NCC regarding the malicious traffic from Quasi Networks and informed them of the numerous PTR records pointing to no-reverse-dns-configured.com. I received a response from RIPE NCC Customer Services that, “In order to have a reverse delagation [sic] PTR records are not a must and therefor [sic] any can create PTR records with false information.” I followed up with further documentation of the malicious activity from Quasi Networks and will update this post with their response.
Unfortunately, no explanation was provided on the Google Transparency Report website beyond noting that:
The site badpackets.net contains harmful content, including pages that:
- Contain suspicious or unknown software
This is an incredible claim, given that no software is hosted on Bad Packets Report, nor any URLs that link to “suspicious or unknown software”.
Google did not respond to a request for comment on the matter.
These false positives may come at a time when Google is adjusting the Google Safe Browsing algorithm to enforce higher security requirements for websites. Google put webmasters on notice in October 2016, advising that all non-HTTPS traffic would eventually display a “Not Secure” warning in Chrome.
Our runner up title for most dropped packets is bestowed upon 18.104.22.168. So what nefarious activity have we seen? On the surface, the attacks appear fairly benign. However, the deeper we go down the rabbit hole, the more we discover!
So what ports are being attacked and how often? Port 35935 was the lowest and 65428 the highest. TCP was the only protocol used and no single port was attacked more than 18 times in the total 2,462 attacks (still in progress).
The quest gets more interesting when we look into the backstory of 22.214.171.124. A WHOIS query returns:
OrgName: Internap Network Services Corporation
Address: 250 Williams Street
Address: Suite E100
ARIN’s Abuse Contact page for Internap appears to be out of date by providing a disconnected phone number. I contacted ARIN regarding this and was notified by ARIN hostmaster Jonathan Roberts, “ARIN will attempt to find updated contact information for this record.”
According to Internap Network Services Corporation’s website they are the, “… leading technology provider of internet infrastructure through both Colocation Business and Enterprise Services (including network connectivity, IP, bandwidth, and Managed Hosting), and Cloud Services (including enterprise-grade AgileCLOUD 2.0, Bare-Metal Servers, and SMB iWeb platforms).”
Looking at the map provided on their website, they have a datacenter in Atlanta and presumably that is where 126.96.36.199 lives.
TraceRoute from Network-Tools.com to 188.8.131.52
Hop (ms) (ms) (ms) IP Address Host name
1 Timed out Timed out Timed out –
2 1 1 1 184.108.40.206 ntt-level3-200g.dallas1.level3.net
3 1 1 1 220.127.116.11 ae-0.r23.dllstx09.us.bb.gin.ntt.net
4 40 41 41 18.104.22.168 ae-8.r23.snjsca04.us.bb.gin.ntt.net
5 40 40 40 22.214.171.124 ae-45.r01.snjsca04.us.bb.gin.ntt.net
6 43 44 43 126.96.36.199 ae-0.internap.snjsca04.us.bb.gin.ntt.net
7 44 44 43 188.8.131.52 border5.pc1-bbnet1.sje011.pnap.net
8 48 48 49 184.108.40.206 inapvoxcust-3.border3.sje011.pnap.net
9 43 43 43 220.127.116.11 –
On the second-to-last hop “inapvoxcust” is noted in the hostname. This reveals further details about the owner of 18.104.22.168, a company named Voxel Dot Net. According to Bloomberg, “Voxel Dot Net, Inc. provides internet hosting services and infrastructure software. The Company offers cloud hosting, circuit testing, interconnection, server racks, firewall, backup, load balancing, power circuits, and recovery solutions” and is also based in Atlanta, GA. Visiting www.voxel.net in the browser simply redirects to www.internap.com – putting our investigation into a loop.
So let’s charge further down the rabbit hole and get to the good stuff! AbuseIPDB users report 42 attacks from 22.214.171.124, notably DoS attacks dating back to May 3, 2016. Cymon shows malware has been reported for 126.96.36.199 by malwr.com. It gets interesting when we look deeper into the associated domains reported by Cymon:
A Google search yields 5,000+ results for “loadr.exelator.com” and most signs point to a browser hijacker injected through “load.js”.
So who is behind exelator.com? Visiting www.exelator.com in the browser redirects to www.exelate.com and the truth is finally revealed.
Shockingly, it is The Nielsen Company (US), LLC. Or as they refer to it, “Nielsen Artificial Intelligence (AI)” and describe it as “Our marketing cloud gives you access to a universe of Nielsen audience data. We help you understand your customers at a level no one else can match. But it doesn’t stop there. Using built-in analytics and Nielsen Artificial Intelligence (AI), our cloud is constantly evaluating the success of your marketing and making adjustments in real-time. The result? Every step of your marketing process gets smarter and more effective.”
I’ve been watching the dropped packets for 188.8.131.52 for a while now and feel it’s safe to bestow the title of “The Master Needler” upon them.
So which ports are they poking the most? Interestingly, the ports attacked were evenly distributed and appear mostly random. The lowest port number attacked was 1000 and the highest was 65506. No single port was attacked more than 26 times. The only protocol used in the attacks was TCP.
The full list of ports attacked by 184.108.40.206 is located here: https://pastebin.com/w0uca8q6
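As an added example (not code from the original post), this is the kind of tally behind the port statistics quoted above for both "needler" hosts: drops per source, protocols used, lowest and highest destination port, and the most hits any single port received. It assumes the netfilter/iptables kernel log format (SRC=, PROTO=, DPT= fields); the log lines and addresses are constructed samples, not the author's syslog.

```python
import re
from collections import Counter

# Constructed sample lines in netfilter/iptables kernel log format (assumed format;
# the post does not show its raw syslog). Addresses are documentation ranges.
SAMPLE_SYSLOG = """\
Apr 20 10:01:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44120 DPT=35935 SYN
Apr 20 10:01:05 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44121 DPT=65428 SYN
Apr 20 10:01:09 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44122 DPT=35935 SYN
Apr 20 10:02:11 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060
Apr 20 10:02:12 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=5061 DPT=22 SYN
Apr 20 10:03:00 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""

# DPT is optional: ICMP drops carry TYPE/CODE instead of a destination port.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+)(?: .*?DPT=(?P<dpt>\d+))?")


def summarize_drops(log_text):
    """Per-source summary: total drops, protocols, port range, max hits on one port."""
    per_src = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a netfilter drop line
        s = per_src.setdefault(m["src"], {"total": 0, "protocols": set(), "ports": Counter()})
        s["total"] += 1
        s["protocols"].add(m["proto"])
        if m["dpt"] is not None:
            s["ports"][int(m["dpt"])] += 1
    report = {}
    for src, s in per_src.items():
        ports = s["ports"]
        report[src] = {
            "total": s["total"],
            "protocols": sorted(s["protocols"]),
            "lowest_port": min(ports) if ports else None,
            "highest_port": max(ports) if ports else None,
            "max_hits_one_port": max(ports.values()) if ports else 0,
            "distinct_ports": len(ports),
        }
    return report


def top_sources(report, n=3):
    """Sources ordered by total drops, i.e. the 'most dropped packets' ranking."""
    ranked = sorted(report.items(), key=lambda kv: kv[1]["total"], reverse=True)
    return [src for src, _ in ranked[:n]]
```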
As of this writing, I have seen 20,489 unique attacks from 220.127.116.11. No other single IP address found in my syslog comes close to this amount. So who is operating the attack server 18.104.22.168?
A RIPE database query for the 22.214.171.124/24 subnet yields the following result:
org-name: Quasi Networks LTD.
address: Suite 1, Second Floor
address: Sound & Vision House, Francis Rachel Street
address: Victoria, Mahe, SEYCHELLES
remarks: IMPORTANT INFORMATION
remarks: We are a high bandwidth network provider offering bandwidth solutions.
remarks: Government agencies can sent their requests to email@example.com
remarks: Please only use firstname.lastname@example.org for abuse reports.
remarks: For all other requests, please see the details on our website.
Performing a WHOIS lookup shows a PTR record going to a CNAME for no-reverse-dns-configured.com. This is a bit odd and is likely a fake/fraudulent PTR record, since there is no actual relation to the DNS name.
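The RIPE NCC response quoted earlier and the odd PTR here illustrate the same point: whoever controls the reverse zone can put any name in a PTR record. The defensive check for this is forward-confirmed reverse DNS (FCrDNS), which only trusts a PTR name if that name resolves back to the same address. The following is an added example, not code from the original post; the fixture addresses, names and the lookup function names are my own constructions.

```python
import ipaddress
import socket


def fcrdns_check(ip, ptr_lookup=None, addr_lookup=None):
    """Forward-confirmed reverse DNS: trust a PTR name only if it resolves back to ip.

    ptr_lookup(ip) -> list of PTR names; addr_lookup(name) -> list of address strings.
    Both default to the system resolver; pass fakes to run offline (as below).
    """
    ptr_lookup = ptr_lookup or _system_ptr
    addr_lookup = addr_lookup or _system_addrs
    ip = str(ipaddress.ip_address(ip))  # validate and normalise the address
    names = ptr_lookup(ip)
    if not names:
        return {"ip": ip, "ptr": [], "status": "no-ptr"}
    result = {"ip": ip, "ptr": names, "confirmed": [], "unconfirmed": []}
    for name in names:
        # An address lookup follows CNAMEs, so a PTR -> CNAME -> A chain is covered too.
        bucket = "confirmed" if ip in addr_lookup(name) else "unconfirmed"
        result[bucket].append(name)
    result["status"] = "forward-confirmed" if result["confirmed"] else "unverified-ptr"
    return result


def _system_ptr(ip):
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except OSError:  # NXDOMAIN, SERVFAIL, timeout
        return []


def _system_addrs(name):
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []


# Constructed offline fixture (not data from the post): a PTR naming
# no-reverse-dns-configured.com that does not map back, one honest PTR, one missing PTR.
FAKE_PTR = {
    "203.0.113.7": ["no-reverse-dns-configured.com"],
    "198.51.100.9": ["mail.example.net"],
}
FAKE_ADDR = {
    "no-reverse-dns-configured.com": ["192.0.2.200"],  # unrelated address, so unconfirmed
    "mail.example.net": ["198.51.100.9"],
}


def check_offline(ip):
    """Run the FCrDNS check against the constructed fixture instead of live DNS."""
    return fcrdns_check(ip, lambda a: FAKE_PTR.get(a, []), lambda n: FAKE_ADDR.get(n, []))
```

A result of "unverified-ptr" is a reason to ignore the PTR name when attributing traffic, not proof of malice on its own.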
So when will the attacks stop? I have not heard back from Quasi Networks yet.
It appears I’m not alone however, others are reporting similar attacks from 126.96.36.199:
Time Warner Cable customer reporting a SYN flood attack from 188.8.131.52