
Message from mail@jeffmoore.com

Hi all - Got a weird one here... Has anyone else noticed that almost all traffic from 91.x.x.x is of a "not so good" nature? We created a custom Snort sig a while back to track the 91.x.x.x range because we saw that a majority of TORPIG's control servers were in that range and our institution rarely if ever gets traffic from that net.
What we found interesting was that over the last year or more we have found that every single hit on that signature traced back to "not so nice" hosts. For example: http://www.mcafee.com/threat-intelligence/ip/default.aspx?ip=91.43.140.23 (one from this morning; just mail rep on this one). We have also traced each of these down on our side and have found that the only traffic (initiated from our net) that was not virus/malware related was traffic from "Panda Download Manager", which we also didn't want and is a shady-ish MP3 download engine. It astounds me that day in, day out, if we see traffic from this net it is always "Not so Nice"!

I was just curious if you all have been seeing this as well and if not can ya take a peek to see if it rings true with your systems as well?

Maybe I have just gotten lucky. Just a strange little oddity that I was curious if you all have seen.

Thanks All!

--
Jeff Moore
Chemeketa Community College
Cell (503) 910-0756

Comments

Jeff,

I actually have several of the 91.x.x.x address range blocked on our outgoing firewall because I had tracked down malware/bot infected student computers trying to phone home to those address ranges. 

Mike Hanson
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811


Jeff,

Just want to clarify: you are referring to 91.0.0.0/8? That's an awful lot of addresses, and AS's. All not nice?

Marty

On 2/8/2012 11:18 AM, Jeff Moore wrote:
> [quoted original message omitted; see above]

--
Martin Manjak CISSP, GIAC GSEC-G
Information Security Officer
University at Albany
MSC 209
518/437-3813

The University at Albany will never ask you to reveal your password. Please ignore all such requests.
Message from mail@jeffmoore.com

I know. Sounds crazy, but every single one that has hit us and that we have seen hosts contacting have been bad, and have been related to some kind of malware or virus/trojan. I know it sounds crazy, but so far over the last year and a half everything from 91.0.0.0/8 has been a nasty. Pretty strange. I'm sure it's just a few smaller nets that are involved, but it is just amazing that none so far have been legitimate traffic.

Also they match on Emerging Threats "RBN Known Russian Business Network IP" as well as our signature for 91.0.0.0/8. Haven't seen a false positive yet. Pretty crazy.

Jeff M



Traceroute on that address goes to a client of t-internet.de, which I believe is part of the t-*.de cluster of services possibly affiliated with T-Mobile.

I recall that when I started doing network security, more than 15 years ago, t-dialin.de was a recurring source of "bad" traffic, and their network administrators were the most likely to promise to act on complaints -- to no visible effect.

Technology evolves faster than people....

David Gillett, CISSP CCNP


Same here. A year ago I was seeing Torpig traffic from a few 91.x.x.x networks after getting numerous alerts from REN-ISAC. We tracked down the hosts and fixed the problems; haven't seen issues in a while. I think I might check again.



On 2/8/2012 10:18 AM, Jeff Moore wrote:
> [quoted original message omitted; see above]



--
Heath Barnhart, CCNA
Network Administrator
Information Systems Services
Washburn University
Topeka, KS

Funny you should bring this up. I've blocked several /24s in the 91.x.x.x range over the last couple of weeks, including one this morning, because of comprehensive network scanning... mostly looking for FTP hosts.

 

-Brian

 

As a general rule, PLEASE DO NOT ASSUME THAT THE INTERNET IS STILL CLASSFUL. It isn't. For example, it's correct that some of 91.0.0.0/8 is Deutsche Telekom. But some of it belongs to a provider in Iran. Some of it is Russian. Those are pretty big differences.

Now, when people say that they have been scanned by "everything" in 91.0.0.0/8, do they really mean that they have been scanned by all 16.7 million unique IP addresses in that range? That _does_ seem crazy. Or does it mean they have been scanned by every provider listed in whois? Every originating AS? What research has been done to verify that?

I have personally witnessed cases where several legitimate providers were blocked in some cases because of a security threat that originated in a particular /16 (from two IP addresses within a /29 of that space!). People assumed that the entire /16 belonged to the "bad guys" and blocked the whole thing! Please don't let this be you...

michael
Message from mail@jeffmoore.com

First - Thank you all for responding to my question. It has made it clear that what we were seeing was not crazy but that you all have been seeing similar things. Thanks everyone!!

Second - Michael Sinatra - I am assuming you must have read this on a bad day. I am sorry for any problems you are having. From what I have read from folks on this thread, I assume that folks are quite intelligent and that none of them assume that the internet is still classful. It is simply a way that they communicate. Perhaps it is my mistake for how I phrased the question. My apologies if that was the case. I think that these intelligent professionals also have the courtesy not to yell and not to try to make others look or feel bad. In your case it looks as though my assumptions were incorrect. I am not a member of this group to get into arguments over semantics with folks that have no respect for their peers. If you read my message and those of the other kind folks that replied, you would see that we did not say we got scanned by every host in these ranges. Please take the time to read the messages that you are responding to. I think folks here understand the consequences of blocking entire ranges. It's their job.
So in the future please read the messages thoroughly before replying. And please keep your replies constructive. The kind of reply you sent benefits no one. This listserv is for professionals. Please act like one.

Thank you!

Jeff Moore



Message from mike.lococo@nyu.edu

On 02/10/2012 03:21 PM, Jeff Moore wrote:
> I think folks here understand the consequences of blocking entire
> ranges. It's their job. So in the future please read the messages
> thoroughly before replying. And please keep your replies
> constructive. The kind of reply you sent benefits no one. This
> listserv is for professionals. Please act like one.

It's worth noting that Michael Sinatra is an active and respected member of the higher-ed community (with a handsome first name if I do say so myself). Even if his tone can occasionally be terse, he has a long history of appropriate and professional behavior on list. I think his tone was simply a result of passionate advocacy on an issue that he feels is commonly misunderstood.

I happen to agree with him that many folks don't actually have a deep understanding of the weird corner cases that dropping large netblocks can create, but reasonable people can weigh the cost/benefit differently. I know several teams that swear by netblock drops as a strategy to reduce their driveby incident rates by large percentages.

Maybe everyone can just relax a bit.

Cheers,
Mike Lococo
Message from mail@jeffmoore.com

Michael - Sorry if I myself came across negatively. I completely understand being passionate about such things. It just speaks to how much you love what you do. I can certainly appreciate that. I may have misinterpreted your email just as you did mine. Sorry for that, Michael. I do tend to get a little passionate myself when I feel that people's openness and communication are being criticized in a public arena. I really feel that everyone has something to offer, and when we make folks feel wrong or criticize them in front of others they will probably be less likely to comment and share their experiences the next time. I would think it would be better to ask those folks to clarify (even in a 1 to 1 email) if you think they have said something incorrect instead of approaching it vocally to the whole group. I felt that I understood everyone's comments quite well. But perhaps I should have clarified things. I am sorry if I didn't do that. And now that I understand how sensitive you are about that and how important it is to you to communicate the appropriate info, I will certainly do my best to make sure to do that.

Sorry, I don't mean to create a flame war. And I am sorry to bother everyone else's time with this. Any further communications on this I will make sure are private and not to the entire group. I probably should have done that to begin with.

My apologies all!

Jeff M


In a followup, my colleague and friend Michael Sinatra commented:

#I don't feel that "91.x.x.x" is very
#precise for the same reasons Marty outlined. It may be a useful
#shortcut for some, but just as I should be cognizant of how others will
#interpret my admittedly-too-emphatic message, so should everyone here.
#It is very easy to misinterpret what was being said on this thread with
#respect to the exact netblocks and providers that are at issue and that
#is of concern to me.

There are some pretty large bad blocks out there these days, but the biggest thing I'm currently seeing on the Spamhaus DROP list (see http://www.spamhaus.org/drop/drop.lasso ) is currently "just" a /14 (still, dang! a /*14*?).

#The use of capitalization was intended for emphasis and not to make
#others look or feel bad, and it was definitely not to simulate
#yelling--I apologize for that;

Speaking personally, I've never minded all caps. They remind me of my carefree ASR33 TTY and IBM 26/29 cardpunch-using days, when case was somehow a non-issue. :-) I still remember the "loss of innocence" I felt when I transitioned onto a Televideo 910, and it actually had a shift key. Wow! But boy, did that thing scream right along compared to a 110 baud TTY! :-)

#You're correct on that one. I did misread your message. I now see that
#you were saying that all of the traffic you have seen in 91.0.0.0/8 has
#been bad. I sincerely apologize for that. Given that, it would be
#useful to have more information as to exactly which providers in that
#block seem to be especially problematic, or which IP addresses (or
#classless ranges) appear to be the biggest problem.

Spam is not the only measure of badness, obviously, but just by way of example, if you go to:

http://www.senderbase.org/senderbase_queries/detailip?search_string=91.1...

I *am* seeing an awful lot of red ink (in fairness, note that there are multiple pages per /16 and if you page through, you *will* see some IPs that are green in there, too).

That pattern continues, e.g.:

http://www.senderbase.org/senderbase_queries/detailip?search_string=91.2...
http://www.senderbase.org/senderbase_queries/detailip?search_string=91.3...
[etc]

(I'll let others have the fun of doing an exhaustive search of all the /16's in that /8).

In fairness, http://www.spamhaus.org/pbl/query/PBL681430 (covering DTAG's /12) mentions that "Deutsche Telekom advises against accepting e-mail from dialup IPs. We provide these IP addresses dynamically to our customers for internet access. Proper e-mail delivery should use dedicated servers, which is why attempts of e-mail delivery from dialup-ranges generally can be traced to compromised computers or other misuse."

Of course, that begs the question of whether DTAG might not want to just actively manage port 25 themselves, given that philosophy/point of view, but let's not go there. We need to save some fisticuffs for the future. :-)

Have a good weekend folks...

Regards,
Joe

Disclaimer: all opinions my own.
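Editor's worked example, not code from anyone on this thread: the disagreement above (Michael's point that 91.0.0.0/8 spans many providers and ASes, and his request for the exact classless ranges that were actually bad; Joe's pointer to the Spamhaus DROP list) comes down to triaging the IPs that tripped a "91.x.x.x" signature classlessly. The script below takes a list of hit IPs, checks each against a DROP-style CIDR list, counts hits per /24, collapses the observed /24s into the smallest set of covering prefixes, and reports how much of the /8 was actually seen. The hit list and the DROP-style prefixes are constructed for illustration (only 91.43.140.23 appears in the thread; the listed prefixes are hypothetical, not the real Spamhaus data).

```python
"""Classless triage of signature hits inside 91.0.0.0/8.

Added example, not code from the thread.  The hit list and the DROP-style
prefix list below are CONSTRUCTED for illustration; the prefixes are
hypothetical and are not copied from the real Spamhaus DROP data.
"""
import ipaddress
from collections import Counter

# Constructed sample of source addresses that tripped a "91.x.x.x" rule.
# Only 91.43.140.23 appears in the thread; the rest are made up.
SAMPLE_HITS = [
    "91.43.140.23",
    "91.43.140.77",
    "91.43.141.5",
    "91.200.14.9",
    "91.200.14.200",
    "91.220.62.3",
    "91.7.1.1",
]

# Constructed DROP-style list (hypothetical prefixes, same one-CIDR-per-entry
# shape as the real list, but NOT real data).
DROP_LIST = [
    "91.200.14.0/23",
    "91.220.62.0/24",
]

SLASH8 = ipaddress.ip_network("91.0.0.0/8")


def load_prefixes(cidrs):
    """Parse CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def covering_prefix(ip, prefixes):
    """Return the most specific listed prefix that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [p for p in prefixes if addr in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None


def triage(ips, drop_cidrs):
    """Split hits into those covered by a listed prefix and those that are not.

    Returns two lists of (ip, prefix-or-None) tuples, in input order.
    """
    prefixes = load_prefixes(drop_cidrs)
    listed, unlisted = [], []
    for ip in ips:
        p = covering_prefix(ip, prefixes)
        if p is None:
            unlisted.append((ip, None))
        else:
            listed.append((ip, str(p)))
    return listed, unlisted


def hits_by_slash24(ips):
    """Count hits per /24, the granularity several posters actually block at."""
    counts = Counter()
    for ip in ips:
        counts[ipaddress.ip_network(f"{ip}/24", strict=False)] += 1
    return counts


def minimal_block_list(ips):
    """Collapse the observed /24s into the smallest set of covering prefixes."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return sorted(ipaddress.collapse_addresses(nets))


def coverage_of_slash8(ips):
    """How many /24s inside 91.0.0.0/8 were actually seen vs. how many exist."""
    seen = {n for n in hits_by_slash24(ips) if n.subnet_of(SLASH8)}
    total = 2 ** (24 - SLASH8.prefixlen)  # 65536 /24s in a /8
    return len(seen), total


if __name__ == "__main__":
    listed, unlisted = triage(SAMPLE_HITS, DROP_LIST)
    print("on DROP-style list:", listed)
    print("not listed        :", unlisted)
    print("hits per /24      :", {str(k): v for k, v in hits_by_slash24(SAMPLE_HITS).items()})
    print("minimal block list:", [str(n) for n in minimal_block_list(SAMPLE_HITS)])
    seen, total = coverage_of_slash8(SAMPLE_HITS)
    print(f"observed {seen} of {total} /24s in {SLASH8}")
```

On the constructed sample this yields four /24s collapsed into four prefixes (two adjacent /24s merge into 91.43.140.0/23), five of the 65,536 /24s in the /8 actually observed, and a split between hits a published drop list already covers and hits that still need a local whois/AS lookup before anyone decides what to block.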