Google Search Console Team deems Bad Packets Report a safe website!

Huzzah! Bad Packets Report has been cleared as a safe site by the Google Search Console Team.

Earlier this morning, we received the following notification:

To: Webmaster of https://badpackets[.]net/,

Google has received and processed your security review request. Google systems indicate that https://badpackets[.]net/ no longer contains links to harmful sites or downloads. The warnings visible to users are being removed from your site. This may take a few hours to happen.

Thank you to the Google Search Console Team for clearing up this false positive so quickly!

The mother of all PTR records

Recently, I posted about the IP and the DoS attacks I observed in my syslog. I presumed the reverse DNS record (PTR record) pointing to was just a one-time fake. However, further investigation blew that theory out of the water.

Upon review of the top three networks in my all-time dropped packets list, I saw which is also managed by Quasi Networks LTD and has a PTR record, you guessed it, going to At that point I figured further investigation into this domain name was needed.

IBM X-Force Exchange is reporting the DNS name has 245 associated DNS records of which 244 are PTR records from IP addresses managed by Quasi Networks LTD.  Many of the IP addresses shown have been blacklisted by IBM.

A little further down the page shows was flagged as malware 673 times, mostly for a phishing attack in December 2016. report on is also reporting no-reverse- as malicious, including a link to a post on In the post on MMD, no-reverse- is shown as being used in a DDoS attack in February 2016, referred to as “MMD-0052-2016 – Overview of “SkidDDoS” ELF++ IRC Botnet.” is invoked yet again on DigitalOcean’s community forum back in February 2016 where a user reported, “Strang [sic] activity at auth.log (POSSIBLE BREAK-IN ATTEMPT)” from an IP address with a PTR record going to

So what is the ownership history of the no-reverse- domain name? According to a lookup, the domain name was owned in 2016 by world-famous domain name squatter Milen Radumilo. Milen is credited with almost 100,000 registered domain names on DomainTools.

Milen Radumilo squatted on the domain

Milen Radumilo lost a notable domain name dispute against Energizer Brands, LLC for The complaint notes that Milen used the domain name in bad faith, going so far as to impersonate the Energizer Bunny to profit from links to third-party websites. Milen was also involved in at least five previous domain name dispute proceedings, each of which resulted in him forfeiting the squatted domain name.

Milen was also exposed in the Flexytalk WordPress plugin incident when he scooped two expired domains and subsequently injected popup scams into the websites using the plugin.

Sometime around March 10, 2017 the domain name ownership of was transferred from Milen Radumilo to Dmitry Vasilev. Like Quasi Networks Ltd, Dmitry also has an address in Seychelles.

Dmitry is also a prolific domain name squatter, with over 18,000 domains associated with him, mostly under the organization “Kineticdomains Ltd”. A prior domain name dispute Dmitry was involved in references his company as “Elmaco Ltd”, but no further information is found for either company.

I contacted RIPE NCC regarding the malicious traffic from Quasi Networks and informed them of the numerous PTR records pointing to I received a response from RIPE NCC Customer Services that, “In order to have a reverse delagation [sic] PTR records are not a must and therefor [sic] any can create PTR records with false information.” I followed up with further documentation of the malicious activity from Quasi Networks and will update this post with their response.

Google Safe Browsing algorithm labels Bad Packets Report as “unsafe site”

Irony reached maximum levels today when Google Safe Browsing labeled Bad Packets Report, our website, as an “unsafe site” per the notification received in the Google Search Console.

False positive report by Google

Unfortunately, no explanation was provided other than the Google Transparency Report website noting that:

The site contains harmful content, including pages that:

  • Contain suspicious or unknown software

This is an incredible claim, given that no software is hosted on Bad Packets Report, nor any URLs that link to “suspicious or unknown software”.

Google did not respond to a request for comment on the matter.

Other Google users are reporting similar issues on the Webmaster Central Help Forum, but no explanation has been provided by Google for these false positives.

These false positives may come at a time when Google is adjusting its Safe Browsing algorithm to enforce higher security requirements for websites. Google put webmasters on notice in October 2016 advising that all non-HTTPS traffic would eventually display a “Not Secure” warning in Chrome.

Malware remnants from yesteryear or harmless prodding by The Nielsen Company?

Our runner up title for most dropped packets is bestowed upon So what nefarious activity have we seen? On the surface, the attacks appear fairly benign. However, the deeper we go down the rabbit hole, the more we discover!

So what ports are being attacked and how often? Port 35935 was the lowest and 65428 the highest. TCP was the only protocol used and no single port was attacked more than 18 times in the total 2,462 attacks (still in progress).

The quest gets more interesting when we look into the backstory of A WHOIS query returns:

OrgName: Internap Network Services Corporation
Address: 250 Williams Street
Address: Suite E100
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US
RegDate: 1996-07-18
Updated: 2012-01-24

ARIN’s Abuse Contact page for Internap appears to be out of date by providing a disconnected phone number. I contacted ARIN regarding this and was notified by ARIN hostmaster Jonathan Roberts, “ARIN will attempt to find updated contact information for this record.”

According to Internap Network Services Corporation’s website they are the, “… leading technology provider of internet infrastructure through both Colocation Business and Enterprise Services (including network connectivity, IP, bandwidth, and Managed Hosting), and Cloud Services (including enterprise-grade AgileCLOUD 2.0, Bare-Metal Servers, and SMB iWeb platforms).”

Looking at the map provided on their website, they have a datacenter in Atlanta and presumably that is where lives.

TraceRoute from to
Hop  RTT 1 (ms)  RTT 2 (ms)  RTT 3 (ms)  IP address  Host name
1    Timed out   Timed out   Timed out   –
2    1           1           1
3    1           1           1
4    40          41          41
5    40          40          40
6    43          44          43
7    44          44          43
8    48          48          49
9    43          43          43                       –
Trace complete

On the second-to-last hop “inapvoxcust” is noted in the hostname. This reveals further details about the owner of, a company named Voxel Dot Net. According to Bloomberg, “Voxel Dot Net, Inc. provides internet hosting services and infrastructure software. The Company offers cloud hosting, circuit testing, interconnection, server racks, firewall, backup, load balancing, power circuits, and recovery solutions” and is also based in Atlanta, GA. Visiting in the browser simply redirects to – putting our investigation into a loop.

So let’s charge further down the rabbit hole and get to the good stuff!  AbuseIPDB users report 42 attacks from, notably DoS attacks dating back to May 3, 2016. Cymon shows malware has been reported for by It gets interesting when we look deeper into the associated domains reported by Cymon:

A Google search yields 5,000+ results for “” and most signs point to a browser hijacker injected through “load.js”.

So who is behind  Visiting in the browser redirects to and the truth is finally revealed.

Shockingly, it is The Nielsen Company (US), LLC. Or as they refer to it, “Nielsen Artificial Intelligence (AI)” and describe it as “Our marketing cloud gives you access to a universe of Nielsen audience data. We help you understand your customers at a level no one else can match. But it doesn’t stop there. Using built-in analytics and Nielsen Artificial Intelligence (AI), our cloud is constantly evaluating the success of your marketing and making adjustments in real-time. The result? Every step of your marketing process gets smarter and more effective.”

The Master Needler –

I’ve been watching the dropped packets for a while now and feel it’s safe to bestow the title of “The Master Needler” upon them.

So which ports are they poking the most? Interestingly, the ports attacked were evenly distributed and appear mostly random. The lowest port number attacked was 1000 and the highest was 65506. No single port was attacked more than 26 times. The only protocol used in the attacks was TCP.
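The per-source port profile quoted above, and the same figures given for the runner-up address earlier on this page (lowest and highest port, hits on the busiest port, protocol, total attacks), can be produced straight from a firewall’s syslog. The following is an added example, not the author’s own tooling: it assumes the netfilter LOG-target line format, and the sample lines are constructed with documentation-range addresses.

```python
import re
from collections import Counter

# Assumed netfilter LOG-target syslog format (the post does not show its own lines);
# sample entries are constructed, using documentation-range addresses.
SAMPLE_SYSLOG = """\
Mar 10 03:12:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44120 DPT=35935 SYN
Mar 10 03:12:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44121 DPT=65428 SYN
Mar 10 03:12:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44122 DPT=35935 SYN
Mar 10 03:12:03 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=5060
Mar 10 03:12:04 gw kernel: ACCEPT IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=443 SYN
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

def parse_drops(text):
    """One dict per DROP line: source, protocol and destination port."""
    records = []
    for line in text.splitlines():
        if " DROP " not in line:
            continue  # only dropped packets matter for this tally
        fields = dict(FIELD_RE.findall(line))
        if not all(k in fields for k in ("SRC", "PROTO", "DPT")):
            continue  # truncated line: skip rather than guess
        records.append({"src": fields["SRC"], "proto": fields["PROTO"],
                        "dpt": int(fields["DPT"])})
    return records

def summarize_source(records, src):
    """Port profile for one source IP: the figures the post quotes per attacker."""
    mine = [r for r in records if r["src"] == src]
    if not mine:
        return None
    hits = Counter(r["dpt"] for r in mine)
    port, top = hits.most_common(1)[0]
    return {"attacks": len(mine),
            "unique_ports": len(hits),
            "lowest_port": min(hits),
            "highest_port": max(hits),
            "most_hit_port": port,
            "max_hits_on_one_port": top,
            "protocols": sorted({r["proto"] for r in mine})}

def top_sources(records, n=3):
    """Most-dropped source addresses: the all-time dropped-packets leaderboard."""
    return Counter(r["src"] for r in records).most_common(n)
```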

The full list of ports attacked by is located here:

As of this writing, I have seen 20,489 unique attacks from No other single IP address found in my syslog comes close to this amount. So who is operating the attack server

A RIPE database query for the subnet yields the following result:

org-name: Quasi Networks LTD.
org-type: OTHER
address: Suite 1, Second Floor
address: Sound & Vision House, Francis Rachel Street
address: Victoria, Mahe, SEYCHELLES
remarks: *****************************************************************************
remarks: *****************************************************************************
remarks: We are a high bandwidth network provider offering bandwidth solutions.
remarks: Government agencies can sent their requests to
remarks: Please only use for abuse reports.
remarks: For all other requests, please see the details on our website.
remarks: *****************************************************************************

Performing a WHOIS lookup shows a PTR record going to a CNAME for This is a bit odd and likely a fake or fraudulent PTR record, since there is no actual relation to the DNS name.
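A forward-confirmed reverse DNS check is the quickest way to tell an unrelated PTR record like this one from a legitimate one; RIPE NCC’s reply quoted earlier on this page explains why it matters, since whoever controls the reverse zone can publish any name. This added example is not from the post: it uses constructed zone data in place of live DNS lookups, with example.* names standing in for the actual domains.

```python
import ipaddress

# Constructed zone data standing in for live DNS, so the check runs offline; example.*
# names replace the actual domains. 203.0.113.5's PTR names a host whose forward
# records never point back at 203.0.113.5, the pattern described in the post.
PTR_RECORDS = {
    "5.113.0.203.in-addr.arpa": "no-reverse.example.net.",
    "7.113.0.203.in-addr.arpa": "mail.example.org.",
    "9.100.51.198.in-addr.arpa": "host.example.com.",
}
FORWARD_RECORDS = {  # name -> (rrtype, data); CNAMEs are followed
    "no-reverse.example.net.": ("CNAME", "www.example.net."),
    "www.example.net.": ("A", ["192.0.2.80"]),
    "mail.example.org.": ("A", ["203.0.113.7", "203.0.113.8"]),
    "host.example.com.": ("A", ["198.51.100.10"]),
}

def resolve_forward(name, records, max_cname_hops=4):
    """Follow a CNAME chain and return the final A record set (empty if none)."""
    for _ in range(max_cname_hops):
        rr = records.get(name)
        if rr is None:
            return []
        rrtype, data = rr
        if rrtype == "A":
            return data
        name = data  # CNAME: keep following
    return []  # CNAME loop or over-long chain: treat as unresolvable

def fcrdns(ip, ptr_records=PTR_RECORDS, forward_records=FORWARD_RECORDS):
    """Forward-confirmed reverse DNS: does the PTR name resolve back to the IP?

    Returns (verdict, ptr_name) with verdict in {'no-ptr', 'confirmed',
    'unconfirmed'}. An unconfirmed PTR says nothing about who runs the IP.
    """
    arpa = ipaddress.ip_address(ip).reverse_pointer
    ptr_name = ptr_records.get(arpa)
    if ptr_name is None:
        return "no-ptr", None
    if ip in resolve_forward(ptr_name, forward_records):
        return "confirmed", ptr_name
    return "unconfirmed", ptr_name
```

Against live DNS, replace the two dicts with lookups through socket.gethostbyaddr and socket.gethostbyname_ex (the latter already follows CNAMEs).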

So when will the attacks stop?  I have not heard back from Quasi Networks yet.

It appears I’m not alone, however; others are reporting similar attacks from

AbuseIPDB » was reported 67 times

Time Warner Cable customer reporting a SYN flood attack from

Cymon reports is found in blacklists and noted malicious activities.