Interserver (AS19318) has been added to the ASN watchlist.
In the last 24 hours, AS19318 has originated the most abusive network traffic, proportionate to the IP space announced – a single /24:
109.205.213.0/24
Outside of our internally collected data, we see a correlation with AbuseIPDB user reports for this netblock – a whopping total of 62,416 abuse reports, as of this writing.
This is not an isolated incident for Interserver. They have demonstrated a repeated track record of providing network services to cybercriminals. It is advisable to not route any packets from this autonomous system unless you absolutely need to.
In the last six years, Internet Weather sensors have never detected unsolicited Encapsulating Security Payload (ESP) packets.
This changed on 2023-11-09 14:52:12 when the first ever ESP packet was detected.
ESP (IP protocol number 50) packets are normally used to encapsulate IPsec traffic between VPN endpoints. Outside of this, you would never expect to see this kind of activity traversing your network. Additionally, ESP packets may not be filtered by your edge or client-side (CPE) firewalls. For this reason, we recommend checking your firewall configurations to ensure this traffic is dropped.
Here’s an example to drop ESP traffic using iptables:
sudo iptables -A INPUT -p esp -j DROP
Example unique IPv4 packet header values of ESP traffic we’ve detected:
PROTO=ESP
LEN=29
LEN=1388
ID=65530
SPI=0x77b40000
SPI=0x87700000
SPI=0xc2440000
SPI=0xadac0000
Example source IP addresses of unsolicited ESP packets:
Note: These hosts may be compromised and/or part of a botnet intentionally sending this traffic.
IP              | Reverse DNS                              | Country     | AS Name                                     | ASN
202.113.98.96   | –                                        | China       | China Education and Research Network Center | AS4538
170.203.203.155 | customer.sttlwax1.pop.starlinkisp.net    | Canada      | SPACEX-STARLINK                             | AS14593
45.124.59.134   | ftth-static-134-59-124-45.dctv.com.ph    | Philippines | DCTV Cable Network Broadband Services Inc   | AS133334
1.2.128.142     | node-3y.pool-1-2.dynamic.totinternet.net | Thailand    | TOT Public Company Limited                  | AS23969
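The header values listed above (PROTO=ESP, LEN, ID, SPI) are the fields an iptables LOG rule writes to the kernel log, so a LOG rule placed ahead of the DROP rule gives you a record of who is sending ESP at you. The following added example (not code from the original post) parses such log lines and flags ESP packets whose source is not one of your configured IPsec peers; the log lines, the peer network 198.51.100.0/24 and the destination 192.0.2.10 are constructed sample data.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: ESP is logged before being dropped, e.g.
#   iptables -A INPUT -p esp -j LOG --log-prefix "ESP: "
# The kernel prints ESP packets as "... PROTO=ESP SPI=0x...".
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample log: one legitimate VPN peer, three unsolicited
# senders (sources taken from the hosts listed above), one non-ESP line.
SAMPLE_LOG = """\
Nov  9 14:52:12 edge kernel: ESP: IN=eth0 OUT= SRC=202.113.98.96 DST=192.0.2.10 LEN=29 TOS=0x00 PREC=0x00 TTL=49 ID=65530 PROTO=ESP SPI=0x77b40000
Nov  9 14:52:15 edge kernel: ESP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=1388 TOS=0x00 PREC=0x00 TTL=60 ID=12 PROTO=ESP SPI=0xc0ffee01
Nov  9 14:53:01 edge kernel: ESP: IN=eth0 OUT= SRC=170.203.203.155 DST=192.0.2.10 LEN=29 TOS=0x00 PREC=0x00 TTL=51 ID=65530 PROTO=ESP SPI=0x87700000
Nov  9 14:53:40 edge kernel: ESP: IN=eth0 OUT= SRC=45.124.59.134 DST=192.0.2.10 LEN=29 TOS=0x00 PREC=0x00 TTL=44 ID=65530 PROTO=ESP SPI=0xc2440000
Nov  9 14:54:02 edge kernel: TCP: IN=eth0 OUT= SRC=1.2.128.142 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=22
"""

# Constructed: replace with the networks of your real IPsec/VPN peers.
KNOWN_PEERS = [ip_network("198.51.100.0/24")]


def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict."""
    return dict(FIELD.findall(line))


def unsolicited_esp(log_text, peers=KNOWN_PEERS):
    """Yield the parsed fields of ESP packets not sent by a known peer."""
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("PROTO") != "ESP" or "SRC" not in fields:
            continue
        src = ip_address(fields["SRC"])
        if any(src in net for net in peers):
            continue  # expected IPsec traffic, ignore
        yield fields


def summarize(log_text, peers=KNOWN_PEERS):
    """Count unsolicited ESP packets per source and list the SPIs seen."""
    by_src = Counter()
    spis = set()
    for fields in unsolicited_esp(log_text, peers):
        by_src[fields["SRC"]] += 1
        spis.add(fields["SPI"])
    return by_src, sorted(spis)


if __name__ == "__main__":
    sources, spis = summarize(SAMPLE_LOG)
    for src, count in sources.most_common():
        print(f"{src:16} {count} unsolicited ESP packet(s)")
    print("SPIs seen:", ", ".join(spis))
```

Feed it the output of `journalctl -k` or /var/log/kern.log filtered on your log prefix; sources that show up here with no VPN relationship to you are candidates for the DROP rule above.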
UPDATE 2023-11-13
NANOG members are also reporting strange IPsec traffic, see this thread for more details:
We are currently reviewing every legacy autonomous system number (ASN) and IPv4 netblock in the ARIN region and notifying resource holders who are at risk.
Affected parties will receive an email detailing which specific resources are at risk and providing guidance on the action needed to secure them.
AS22769, formerly known as “DDOSING NETWORK” and “DDOSING-BGP-NETWORK” is now back in the global routing table as a legitimate organization: Valley Strong Credit Union. This is due to ARIN reclaiming the autonomous system number (ASN) and re-issuing it, per their Return and Revocation Process for internet number resources.
Previously, AS22769 was a fraudulent autonomous system that originated thousands of IPv4 addresses between 2018 and 2022. Despite a fraud report being filed with ARIN in 2018, AS22769 was allowed to pollute the internet with various forms of cybercrime (malware hosting, DDoS botnet command-and-control servers, phishing sites, exploit activity, etc.) for years.
Over time, the Whois record for AS22769 reported two different fake street addresses and a non-functioning phone number:
282 W. 1st St.
LA CA 90012
999 alkn unit #1999
rolande CA 99888
+1-909-878-9999
Point of Contact: Tom Jack
The legitimacy of the IPv4 space originated by AS22769 was highly suspect. Additionally, AS22769 originated bogon prefixes (unassigned IP space) – regardless, the opinion of ARIN at the time was, “routing a bogon by itself is not a cardinal sin” and they, “leave routing to network operators.”
In August 2019, a request for comment from ARIN CEO John Curran was forwarded to another employee who advised AS22769 (known as DDoSing Network) was, “[not] eligible to receive additional number resources from ARIN until their [fake] information has been updated.”
At the time, these netblocks were registered to an organization called Cloud Innovation. Owner Lu Heng was asked if AS22769 was authorized to route the prefixes, to which his associate Tingting Xu confirmed that AS22769 was indeed authorized. After this reassurance, AS22769 and all announced prefixes remained in the global routing table until its mysterious demise in February 2022.
AS22769 routing history – Generated by: RIPEstat
So what happened to all the IPv4 space announced by AS22769?
Lucky for us, an archived copy of the netblocks (BGP prefixes) announced by AS22769 in 2018 is available here. Historical global routing data is also available via RIPEstat.
Let’s use BGP.Tools and find out who routes those netblocks today:
Prefix           | Current ASN
14.192.4.0/24    | None*
14.192.5.0/24    | None*
14.192.6.0/24    | None*
14.192.7.0/24    | None*
43.224.224.0/24  | None**
43.224.225.0/24  | None**
43.224.226.0/24  | None**
43.224.227.0/24  | None**
103.116.46.0/24  | AS135542
103.200.33.0/24  | AS133334
154.95.1.0/24    | None***
223.130.8.0/24   | None
223.130.9.0/24   | None
223.130.10.0/24  | None
223.130.11.0/24  | None
+ 288 more prefixes
(coming soon)
* APNIC RIR allocation found for less specific prefix 14.192.4.0/22
** APNIC RIR allocation found for less specific prefix 43.224.224.0/22
*** Less specific 154.95.0.0/23 announced by AS9009. Less specific 154.95.0.0/17 and 154.92.0.0/14 announced by AS35916.
In summary – AS22769 is now assigned to, and operated by, a legitimate organization. You should not include AS22769 in your routing blocklist.
AS400161 is the autonomous system that originates the scanning traffic from “security researchers” that state on their website they “wish to make internet free, safe and accessible to all.”
Strangely, these guys can’t seem to get their own name right and use the following known aliases:
Academy of Internet Research Limited Liability Company
The Hawaii Business Registration Division, Department of Commerce & Consumer Affairs (similar to the Secretary of State in other US states) has no company record on file for any of those names.
Emails to tech@academyforinternetresearch.org have gone unanswered. Phone calls to 1-833-439-0956 immediately disconnect after a brief busy signal. A Whois Inaccuracy Report has been filed with ARIN.
AS400161 originates two prefixes:
104.156.155.0/24
195.96.137.0/24
The majority of their scanning activity comes from the 104.156.155.0/24 netblock. Drop all traffic and do not route any source IP addresses in these ranges.
AS14987 is the autonomous system that originates the scanning traffic of a now seemingly defunct “research project” known as InterneTTL.
These scans originate from the 104.152.52.0/24 netblock and each IP has a reverse DNS (PTR) record of “internettl.org” – a website that stopped functioning sometime after September 2021, per data provided by the Internet Archive and urlscan.io.
BGP.tools notes that 104.152.52.0/24 is originated by AS14987 and AS139989 (CV Atha Media Prima). The BGP Toolkit, provided by Hurricane Electric, notes that the less specific prefix 104.152.52.0/22 is announced by AS14987 and AS51088 (A2B IP B.V.).
Using the RIPEstat tool BGPlay, we can see AS51088 is noted as an Origin AS; however, it does not appear the route propagated to the wider internet. The cause of these routing shenanigans is not known, so we’ll regard it as a red herring in the dubious history of InterneTTL.
Given the high volume of scanning activity, with no opt-out mechanism, you would be wise to drop all traffic from 104.152.52.0/24.
In the last 24 hours, AS209160 has originated the most abusive network traffic, proportionate to the IP space announced – a single /24:
78.128.113.0/24
Outside of our internally collected data, we see a correlation with AbuseIPDB user reports for this netblock – an insane total of 383,680 abuse reports, as of this writing.
It is advisable to not route any packets from this autonomous system.
In the last 24 hours, AS209559 has originated the most abusive network traffic, proportionate to the IP space announced – a single /24:
80.66.83.0/24
Outside of our internally collected data, we see a correlation with AbuseIPDB user reports for this netblock – a whopping total of 46,545 abuse reports, as of this writing.
Additionally, you may note that XHOST INTERNET SOLUTIONS LP’s other autonomous system – AS208091 – is already listed in our ASN watchlist. It is advisable to not route any packets from either autonomous system.
BtHoster LTD (AS198465) has been added to the ASN watchlist. In the last week, AS198465 has originated the most abusive network traffic, proportionate to the IP space announced – two /24s:
45.129.14.0/24
77.90.185.0/24
Outside of our internally collected data, we see a correlation with AbuseIPDB user reports for these netblocks – a whopping combined total of 146,763 abuse reports, as of this writing.
We recommend you examine your relationship with this AS and consider your options before routing traffic from them.