Call for packets - Traffic from 116.177.0.0/16

Published: 2014-06-27
Last Updated: 2014-06-28 00:24:48 UTC
by Mark Hofman (Version: 1)
9 comment(s)

If you have log records or packets for traffic from this particular subnet.  If you have anything you can share I'd appreciate it.  

Likely what you will have is DNS open resolver checks, as well as SSH bruteforce pwd guessing attacks. I'm interested in those as well as anything else from this subnet. 

Regards

Mark H - markh.isc (at) gmail.com

(Thanks to those of you that have provided packets, logs and other info, much appreciated)

Keywords:
9 comment(s)

Comments

Hey Mark - Other than the covering prefix announcement of 116.176.0.0/15 by AS 17619 (Acme Universal, HK) I see that entire massive net block completely dark for over a year on my sensors. Which means it would be ripe for ephemeral BGP hijacking without the owner noticing. Can you share the activity or info that piqued your interest?
some of the http requests we got from this block

ip | http requests parameter after the fqdn


| 116.117.45.62 | /www.iamsharer.com/js.php | - |
| 116.117.45.62 | /mm.iamsharer.com/js.php | - |
| 116.117.45.62 | /www.iamsharer.com/js.php | - |
| 116.117.45.62 | /mm.iamsharer.com/js.php | - |
| 116.117.45.62 | /www.iamsharer.com/js.php | - |
| 116.117.45.62 | /mm.iamsharer.com/js.php | - |
| 116.117.58.95 | /admin/_content/_About/AspCms_AboutEdit.asp | - |
| 116.117.58.95 | /admin/_content/_About/AspCms_AboutEdit.asp | -

| 116.117.228.177 | /69639/9811877.html | - |
| 116.117.228.177 | /69639/9811479.html | - |
| 116.117.228.177 | /71128/10439411.html | - |
| 116.117.228.177 | /71128/9243519.html | - |
| 116.117.228.177 | /69639/9811479.html | -
I thought we were running out of IPv4 addresses? There's a nice chunk we can reclaim.
I haven't seen anything myself, but seeing that DNS requests can be spoofed, we'll never know for sure if they're originating from said subnet.
The brute force SSH activity from devices throughout the range on several of my honeypots was the first interest. Then detects on client IDSes across several industry sectors. Those were the main drivers for me.

M
The traffic I saw was looking for resolvers rather than participating in an amplification. But those could still be spoofed if they own the resolving domain.
Searched but did not find any traffic from this subnet. using some probabilistic technique was able to found out most of the IP responds to network unreachable ---- and ttl are 48, 50, 52
116.117.x.x. ? 116.117.0.0/16

Was there a typo in the original post? Or did someone read the original ISC post IP range wrong?
Did not find anything from the subnet you mentioned. However, I did receive network unreachable in some response of the requests. Most of the ttl was 48, 42 and 50....

Diary Archives