A project run by a security researcher that does this for good is Openresolverproject.org.
An example of a booter is the one run by the person behind the various .asia and .us attacks, using domains such as:
- MyDnsScan.Us
- Nukes / dongs.DirectedAt.Asia
- Dd0s.Asia
The person responsible for these domains has been exposed in the following blog post: Dns Amplification Attacks, Booter services and who's behind them
Around the same time that blog post went up, I was digging around to find out when I first started seeing these .asia domains and whether I could find a discovery query.
And I did!
The first .asia activity I observed on one of my nodes was on April 25th, 2013:
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 18:xx client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (w.x.y.z)
25-Apr-2013 12:xx client 89.248.160.192#44330 (.): query: . IN ANY +E (w.x.y.z)
This IP belongs to the Dutch hosting provider Ecatel, and it is not the only one of theirs. Listing every unique source IP that sent .asia requests, with the number of queries seen from it and its AS number, shows a clear pattern:
Count | IP | AS Number | Name |
---|---|---|---|
36 | 50.7.190.60 | AS5580 | Atrato IP Networks |
5 | 84.246.124.136 | AS34568 | ConnectingBytes GmbH |
9 | 192.151.149.90 | AS33387 | DataShack, LC |
8 | 192.187.102.74 | AS33387 | DataShack, LC |
3 | 160.83.8.79 | AS8373 | Deutsche Bank AG |
23 | 89.248.168.94 | AS29073 | Ecatel Network |
15 | 89.248.160.192 | AS29073 | Ecatel Network |
11 | 89.248.172.173 | AS29073 | Ecatel Network |
7 | 94.102.63.20 | AS29073 | Ecatel Network |
6 | 93.174.93.72 | AS29073 | Ecatel Network |
5 | 89.248.171.125 | AS29073 | Ecatel Network |
4 | 94.102.52.95 | AS29073 | Ecatel Network |
4 | 94.102.63.22 | AS29073 | Ecatel Network |
3 | 89.248.168.178 | AS29073 | Ecatel Network |
2 | 80.82.64.25 | AS29073 | Ecatel Network |
2 | 93.174.93.219 | AS29073 | Ecatel Network |
1 | 80.82.64.235 | AS29073 | Ecatel Network |
1 | 80.82.65.153 | AS29073 | Ecatel Network |
1 | 80.82.66.27 | AS29073 | Ecatel Network |
1 | 89.248.168.170 | AS29073 | Ecatel Network |
1 | 89.248.168.219 | AS29073 | Ecatel Network |
1 | 93.174.93.45 | AS29073 | Ecatel Network |
1 | 93.174.93.98 | AS29073 | Ecatel Network |
1 | 94.102.49.2 | AS29073 | Ecatel Network |
1 | 94.102.56.219 | AS29073 | Ecatel Network |
56 | 178.18.19.140 | AS18779 | EGIHosting |
36 | 178.18.26.213 | AS18779 | EGIHosting |
7 | 178.18.17.16 | AS18779 | EGIHosting |
1 | 178.18.26.76 | AS18779 | EGIHosting |
1 | 79.110.83.80 | AS47195 | Gameforge Productions GmbH |
81 | 134.19.181.30 | AS57172 | Global Layer B.V. |
44 | 188.95.48.25 | AS57172 | Global Layer B.V. |
28 | 134.19.181.28 | AS57172 | Global Layer B.V. |
51 | 213.239.204.50 | AS24940 | Hetzner Online AG |
1 | 188.132.242.149 | AS42910 | Hosting Internet Hizmetleri Sanayi ve |
2 | 188.138.109.53 | AS8972 | intergenia AG |
14 | 192.162.137.62 | AS16265 | LeaseWeb B.V. |
3 | 199.71.233.202 | AS47869 | Netrouting Data Facilities |
1 | 109.235.51.224 | AS47869 | Netrouting Data Facilities |
12 | 37.220.19.98 | AS35662 | Redstation Limited |
4 | 88.150.195.29 | AS35662 | Redstation Limited |
1 | 37.220.17.66 | AS35662 | Redstation Limited |
1 | 46.249.58.116 | AS50673 | Serverius Holding B.V. |
2 | 173.242.114.26 | AS46664 | VolumeDrive |
1 | 199.19.110.200 | AS46664 | VolumeDrive |
1 | 74.118.193.43 | AS46664 | VolumeDrive |
50 | 109.236.83.163 | AS49981 | WorldStream |
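The aggregation behind a table like the one above, as an added example that is not the post's own code: it parses BIND 9 style query-log lines of the kind shown earlier, keeps only ANY queries for the booter's domains (or for the root zone, as in the last log line), counts them per client IP and attributes each IP to an AS. The log lines, the prefix-to-ASN table and the AS names in it are constructed for the example; in practice the table would be filled from Team Cymru's IP-to-ASN service or a local BGP dump. One caveat worth keeping in mind: these discovery probes carry the scanner's real source address, because the scanner has to receive the answers to learn which resolvers are open, whereas the attack traffic itself has its source spoofed to the victim. That is why attributing probe traffic to ASNs is meaningful and attributing attack traffic is not.

```python
"""Find DNS amplification discovery probes (ANY queries for a booter's
domains) in a BIND 9 style query log and attribute the senders to ASNs.

Added example; not the original post's code. The log lines and the
prefix-to-ASN table below are constructed for the example.
"""
import ipaddress
import re
from collections import Counter

# One BIND 9 query-log line looks like:
#   25-Apr-2013 18:05:12.001 client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (192.0.2.53)
# Fields: timestamp, client IP#port, (qname), qname, class, type, flags ('E' = EDNS), local address.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<local>[^)]*)\)$"
)

# Constructed prefix-to-ASN table (an assumption for the example, not real
# routing data). Fill it from Team Cymru's IP-to-ASN service or a BGP dump.
ASN_TABLE = [
    (ipaddress.ip_network("89.248.160.0/24"), "AS29073", "Ecatel Network"),
    (ipaddress.ip_network("89.248.168.0/24"), "AS29073", "Ecatel Network"),
    (ipaddress.ip_network("94.102.63.0/24"), "AS29073", "Ecatel Network"),
    (ipaddress.ip_network("134.19.181.0/24"), "AS57172", "Global Layer B.V."),
    (ipaddress.ip_network("203.0.113.0/24"), "AS64496", "Example Access ISP"),
]

# Constructed query-log excerpt: three probes from one Ecatel host, two more
# from other Ecatel hosts, a root-zone ANY probe, and two benign-looking
# queries from a customer network that must not be counted.
SAMPLE_LOG = """\
25-Apr-2013 18:05:12.001 client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (192.0.2.53)
25-Apr-2013 18:05:12.002 client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (192.0.2.53)
25-Apr-2013 18:05:12.003 client 89.248.160.192#42474 (directedat.asia): query: directedat.asia IN ANY +E (192.0.2.53)
25-Apr-2013 18:07:40.110 client 89.248.168.94#51000 (dd0s.asia): query: dd0s.asia IN ANY +E (192.0.2.53)
25-Apr-2013 18:09:01.500 client 134.19.181.30#53120 (.): query: . IN ANY +E (192.0.2.53)
25-Apr-2013 18:09:02.000 client 203.0.113.7#40001 (www.example.com): query: www.example.com IN A + (192.0.2.53)
25-Apr-2013 18:09:03.000 client 203.0.113.7#40002 (example.com): query: example.com IN ANY +E (192.0.2.53)
25-Apr-2013 18:09:03.500 client 94.102.63.20#50000 (dd0s.asia): query: dd0s.asia IN ANY +E (192.0.2.53)
""".splitlines()


def parse_query_line(line):
    """Return the fields of one query-log line as a dict, or None if it is not a query line."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None


def is_discovery_probe(rec, suffixes=(".asia",)):
    """True for the probe pattern from the post: an ANY query for one of the
    booter's domains, or for the root zone '.' (the other classic amplifier)."""
    if rec["qtype"] != "ANY":
        return False
    qname = rec["qname"].lower().rstrip(".")
    return qname == "" or any(qname.endswith(s) for s in suffixes)


def lookup_asn(ip):
    """Longest-prefix-free lookup in the small constructed table; unknown if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name in ASN_TABLE:
        if addr in net:
            return asn, name
    return "unknown", "unknown"


def summarize_probes(lines, suffixes=(".asia",)):
    """Count probe queries per client IP, like the post's Count/IP/ISP table.
    Returns (count, ip, asn, name) rows sorted by AS name, then count descending, then IP."""
    per_ip = Counter()
    for line in lines:
        rec = parse_query_line(line)
        if rec and is_discovery_probe(rec, suffixes):
            per_ip[rec["ip"]] += 1
    rows = [(n, ip, *lookup_asn(ip)) for ip, n in per_ip.items()]
    rows.sort(key=lambda r: (r[3], -r[0], r[1]))
    return rows


def totals_by_asn(rows):
    """Roll the per-IP rows up to probe queries per AS, busiest AS first."""
    by_asn = Counter()
    for n, _ip, asn, name in rows:
        by_asn[(asn, name)] += n
    return by_asn.most_common()


if __name__ == "__main__":
    rows = summarize_probes(SAMPLE_LOG)
    print("Count IP              AS       Name")
    for n, ip, asn, name in rows:
        print(f"{n:<5} {ip:<15} {asn:<8} {name}")
    for (asn, name), n in totals_by_asn(rows):
        print(f"{asn} {name}: {n} probe queries")
```

The benign A query and the ANY query for a domain outside the watched suffixes are both dropped by the filter, so only the four probing hosts appear in the output, with Ecatel's three hosts rolled up to five queries. Run against a real query log, the `suffixes` argument is where the booter's domain list goes.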
Ecatel also tops the Top 10 Bad Hosts list for 2013 Q1 (HE = HostExploit):
HE Rank | HE Index | AS Number | Name | Country |
---|---|---|---|---|
1 | 152.38 | AS29073 | Ecatel Network | NL |
2 | 149.22 | AS58001 | Ideal Solution Ltd | RU |
3 | 146.69 | AS6697 | Beltelecom | BY |
4 | 141.69 | AS29182 | ISPsystem | RU |
5 | 136.65 | AS16276 | OVH Systems | FR |
6 | 134.49 | AS24940 | Hetzner Online AG | DE |
7 | 133.96 | AS40034 | Confluence Networks Inc VG | VG |
8 | 133.83 | AS197774 | Smovskaya Valentina Ivanovna | UA |
9 | 132.18 | AS11042 | Landis Holdings Inc | US |
10 | 131.11 | AS47764 | Mail.Ru LLC | RU |
89.248.172.95 NL-ECATEL

89.248.169.9
89.248.167.19
I received notices from Malwarebytes software that they were added as Web Exclusions
What should I do?
Thanks,
Mike