The Master Needler – 80.82.65.66

I’ve been watching the dropped packets for 80.82.65.66 for a while now and feel it’s safe to bestow the title of “The Master Needler” upon them.

So which ports are they poking the most? Interestingly, the ports attacked were evenly distributed and appear mostly random. The lowest port number attacked was 1000 and the highest was 65506. No single port was attacked more than 26 times. The only protocol used in the attacks was TCP.

The full list of ports attacked by 80.82.65.66 is located here: https://pastebin.com/w0uca8q6
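
A per-source tally like the one above can be reproduced from firewall drop logs. The following is an added example, not the author's own script: it assumes netfilter-style LOG lines with SRC=, PROTO= and DPT= fields (the post does not show its log format), and the sample lines and the name summarize are constructed for illustration.

```python
import re
from collections import Counter

# Constructed, abbreviated sample lines in netfilter LOG style (an assumption;
# the post does not show its firewall's log format). Ports other than the
# 1000 and 65506 mentioned in the post are made up.
SAMPLE_LOG = """\
Mar  3 10:01:12 fw kernel: DROP IN=eth0 OUT= SRC=80.82.65.66 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=1000 SYN
Mar  3 10:01:19 fw kernel: DROP IN=eth0 OUT= SRC=80.82.65.66 DST=192.0.2.10 PROTO=TCP SPT=41234 DPT=65506 SYN
Mar  3 10:02:40 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=53
Mar  3 10:03:02 fw kernel: DROP IN=eth0 OUT= SRC=80.82.65.66 DST=192.0.2.10 PROTO=TCP SPT=50122 DPT=8443 SYN
Mar  3 10:07:55 fw kernel: DROP IN=eth0 OUT= SRC=80.82.65.66 DST=192.0.2.10 PROTO=TCP SPT=50122 DPT=8443 SYN
Mar  3 10:09:31 fw kernel: DROP IN=eth0 OUT= SRC=80.82.65.66 DST=192.0.2.10 PROTO=TCP SPT=47810 DPT=33890 SYN
"""

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def summarize(log_text, source_ip):
    """Tally destination ports and protocols for packets dropped from source_ip."""
    ports, protos = Counter(), Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("SRC") != source_ip:
            continue                      # some other source, or not a packet line
        protos[fields.get("PROTO", "?")] += 1
        dpt = fields.get("DPT", "")
        if dpt.isdigit():                 # ICMP and similar lines carry no DPT
            ports[int(dpt)] += 1
    if not ports:
        return None                       # nothing with a destination port seen
    return {
        "packets": sum(protos.values()),
        "unique_ports": len(ports),
        "lowest_port": min(ports),
        "highest_port": max(ports),
        "max_hits_on_one_port": max(ports.values()),
        "protocols": sorted(protos),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "80.82.65.66"))
```

A low maximum hit count per port spread across a wide port range, as in the figures above, is what distinguishes this kind of broad sweep from traffic aimed at one service.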

As of this writing, I have seen 20,489 unique attacks from 80.82.65.66. No other single IP address found in my syslog comes close to this amount. So who is operating the attack server 80.82.65.66?

A RIPE database query for the 80.82.65.0/24 subnet yields the following result:

org-name: Quasi Networks LTD.
org-type: OTHER
address: Suite 1, Second Floor
address: Sound & Vision House, Francis Rachel Street
address: Victoria, Mahe, SEYCHELLES
remarks: *****************************************************************************
remarks: IMPORTANT INFORMATION
remarks: *****************************************************************************
remarks: We are a high bandwidth network provider offering bandwidth solutions.
remarks: Government agencies can sent their requests to gov.request@quasinetworks.com
remarks: Please only use abuse@quasinetworks.com for abuse reports.
remarks: For all other requests, please see the details on our website.
remarks: *****************************************************************************

Performing a WHOIS lookup shows a PTR record going to a CNAME for no-reverse-dns-configured.com. This is a bit odd and likely is a fake/fraudulent PTR record since there is no actual relation to the DNS name.

Fake PTR record for 80.82.65.66

So when will the attacks stop? I have not heard back from Quasi Networks yet.

It appears I’m not alone, however; others are reporting similar attacks from 80.82.65.66:

AbuseIPDB » 80.82.65.66 was reported 67 times

Time Warner Cable customer reporting a SYN flood attack from 80.82.65.66

Cymon reports 80.82.65.66 is found in blacklists and noted malicious activities.
