ThreatSTOP recently had the ASN 64484 Jupiter 25 (also known as DMZHOST) brought to our attention as the source of some DDoS attacks. This AS is a fascinating one that has a single upstream (Quasi Networks – a hosting provider formerly and notoriously known as Ecatel) and announces just a single /24.
The single /24 is not, of itself, an indicator of badness. (ThreatSTOP’s AS also announces a single /24) However, it does suggest that the AS is not a major hosting provider since only about 250 separate unNATed hosts can be run on that network.
With those few hosts, you might think that the potential for malicious activity would also be limited. If you did think that, you would be wrong. If you search our IOC database for information on that subnet (126.96.36.199/24) you discover that 32 of the individual IP addresses are currently listed as bad for one reason or another. Another 7 were bad earlier this month, and that was in the time since this range was first brought to our attention in May 2016. It has racked up almost 2000 separate reasons for some, or all, of it to be blocked. If you search other sources of IOC, you will find hundreds of other hits, although many of them are undoubtedly duplicates of the ones in our database.
There are current and former port scanners, SSH attackers, IMAP attackers, SIP attackers, Phishing sites, Botnet C2s, Crypto mining C2s and Ransomware hosts in the list of blocks. If you take a look at passive DNS, you see domains active in the last few days that are faking banks like Wells Fargo, ING and UBS. (As well as DNS servers being used to resolve domains hosted elsewhere that are equally shady)
All in all, it is actually quite impressive and shows that criminals will cheerfully reuse infrastructure they can trust to perform different kinds of malicious activity. This is a part of the Internet that seems to have no legitimate, benign activity. Plus, since ThreatSTOP is blocking the entire subnet, our customers are protected against all of the threats from this subnet, whether new or old, no matter whether the threats are inbound attacks or outbound call-homes.
Attacks from this subnet are blocked at the initial connection which means that IDSes and other analytical tools can use their resources elsewhere and most importantly our customers are protected against attacks from this subnet that exploit zero-days or unpatched vulnerabilities without needing to worry exactly what the attack is attempting to exploit.
Want to learn more about how ThreatSTOP blocks these attacks and the free tools we have available to check IPs? Check us out below.