Our story with DDoS-Guard Ltd (AS57724) starts with the IP 185.178.208[.]140 - and a spoonful of bewilderment.
During a routine day of malware hunting across internet infrastructure, a ThreatSTOP analyst noticed highly suspicious domain activity on this particular IP. DDoS-Guard is a Russian Internet infrastructure company that "provides DDoS protection, content delivery network services, and web hosting services". Yep, we know you're thinking it too - isn't an AS claiming to guard against DDoS (Distributed Denial of Service) attacks supposed to be protecting its users from cyber threats, not serving them? We would think so too, so we absolutely had to take a deeper look:
A glance at the domains hosted on 185.178.208[.]140, and the related malicious files, immediately uncovered that nothing good is going on over there. I mean, come on, who has a legitimate domain that starts with blog.blog.blog...?
ThreatSTOP's Check IOC tool shows that the IP has been in various blocklists over the last few years, including APWG, Cybercrime, and ThreatSTOP's Stealers target. Looking at some of the IPs to its left and right, we started to see some more nasty activity.
While some Autonomous Systems (ASes) stay relatively clean of malware (usually the more expensive, official and secure ones), others are like a playground for cyber attackers. Sometimes, whole areas of the internet are abused for malicious activity (like Selectel). DDoS-Guard is double trouble in this case - a supposedly "protective" AS with malware spiderwebs hidden inside.
Researching the 185.178.208[.]0/24 address space (hosted in Russia), our analyst discovered a whole IP range (185.178.208[.]129 through 185.178.208[.]190) that is being abused for malicious activity, and has been for months. This range hosts a variety of malicious activity: exploit kits, assorted malware families, phishing, stealer trojans, spam and more.
Another area on the AS known for its maliciousness is 185.223.92[.]0/24. According to CleanTalk, over half of the address space has recently hosted malicious activity.
We highly recommend blocking all IPs in the address space that have been deemed malicious by high quality threat intelligence providers such as the ones we aggregate. To find out if an IP is in our threat targets, use our free Check IP tool.
ThreatSTOP subscribers are automatically protected from attacks launched from these IPs and others as they appear. They can also choose to block traffic from certain countries they don't want their networks to communicate with, such as Russia. Contact us to know more, or see the links at the end of our post to get a demo or trial.
For your convenience, here is a list of all IP addresses in the 185.178.208[.]0/24 range that we especially recommend blocking:
185.178.208[.]3 | 185.178.208[.]139 | 185.178.208[.]152 | 185.178.208[.]165 | 185.178.208[.]178 |
185.178.208[.]4 | 185.178.208[.]140 | 185.178.208[.]153 | 185.178.208[.]166 | 185.178.208[.]179 |
185.178.208[.]35 | 185.178.208[.]141 | 185.178.208[.]154 | 185.178.208[.]167 | 185.178.208[.]180 |
185.178.208[.]129 | 185.178.208[.]142 | 185.178.208[.]155 | 185.178.208[.]168 | 185.178.208[.]181 |
185.178.208[.]130 | 185.178.208[.]143 | 185.178.208[.]156 | 185.178.208[.]169 | 185.178.208[.]182 |
185.178.208[.]131 | 185.178.208[.]144 | 185.178.208[.]157 | 185.178.208[.]170 | 185.178.208[.]183 |
185.178.208[.]132 | 185.178.208[.]145 | 185.178.208[.]158 | 185.178.208[.]171 | 185.178.208[.]184 |
185.178.208[.]133 | 185.178.208[.]146 | 185.178.208[.]159 | 185.178.208[.]172 | 185.178.208[.]185 |
185.178.208[.]134 | 185.178.208[.]147 | 185.178.208[.]160 | 185.178.208[.]173 | 185.178.208[.]186 |
185.178.208[.]135 | 185.178.208[.]148 | 185.178.208[.]161 | 185.178.208[.]174 | 185.178.208[.]187 |
185.178.208[.]136 | 185.178.208[.]149 | 185.178.208[.]162 | 185.178.208[.]175 | 185.178.208[.]188 |
185.178.208[.]137 | 185.178.208[.]150 | 185.178.208[.]163 | 185.178.208[.]176 | 185.178.208[.]189 |
185.178.208[.]138 | 185.178.208[.]151 | 185.178.208[.]164 | 185.178.208[.]177 | 185.178.208[.]190 |
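As an added example (not ThreatSTOP's own tooling, and not part of the original post), the script below turns the defanged IPs above into a CIDR blocklist and checks a few constructed firewall log lines against it. The netfilter-style log format with a `SRC=` field is an assumption; only the IPs and the 129-190 range come from the post.

```python
import ipaddress
import re

# Defanged IoCs taken from the post; "[.]" prevents accidental clicks or resolution.
FLAGGED_RANGE = ("185.178.208[.]129", "185.178.208[.]190")
EXTRA_IPS = ["185.178.208[.]3", "185.178.208[.]4", "185.178.208[.]35"]


def refang(ioc: str) -> str:
    """Turn '185.178.208[.]140' back into '185.178.208.140'."""
    return ioc.replace("[.]", ".").replace("(.)", ".")


def build_blocklist():
    """Return the minimal list of IPv4 networks covering the flagged range plus the extra IPs."""
    start = ipaddress.ip_address(refang(FLAGGED_RANGE[0]))
    end = ipaddress.ip_address(refang(FLAGGED_RANGE[1]))
    # summarize_address_range yields the fewest CIDR blocks that exactly cover start..end
    nets = list(ipaddress.summarize_address_range(start, end))
    nets += [ipaddress.ip_network(refang(ip)) for ip in EXTRA_IPS]
    return nets


def is_blocked(ip: str, blocklist) -> bool:
    """True if the address falls inside any network of the blocklist."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def to_cidr_rules(blocklist):
    """CIDR strings ready to paste into a firewall or router deny list."""
    return [str(net) for net in blocklist]


# Assumed netfilter-style log format; the SRC= field carries the source address.
LOG_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+)")


def flag_log_lines(lines, blocklist):
    """Return the source IPs of log lines whose source is on the blocklist, in order."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_blocked(m.group(1), blocklist):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines (not real traffic); 140 and 35 should be flagged.
SAMPLE_LOG = [
    "Mar  3 10:01:02 fw kernel: IN=eth0 SRC=185.178.208.140 DST=10.0.0.5 PROTO=TCP DPT=443",
    "Mar  3 10:01:03 fw kernel: IN=eth0 SRC=8.8.8.8 DST=10.0.0.5 PROTO=UDP DPT=53",
    "Mar  3 10:01:04 fw kernel: IN=eth0 SRC=185.178.208.35 DST=10.0.0.7 PROTO=TCP DPT=80",
    "Mar  3 10:01:05 fw kernel: IN=eth0 SRC=185.178.208.200 DST=10.0.0.7 PROTO=TCP DPT=80",
]

if __name__ == "__main__":
    bl = build_blocklist()
    print("deny rules:", to_cidr_rules(bl))
    print("flagged sources:", flag_log_lines(SAMPLE_LOG, bl))
```

Keeping the range as CIDR blocks rather than 62 individual entries makes the rule set small enough for routers and WAFs with tight ACL limits, and `is_blocked` lets the same list be reused for retrospective log review.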
Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?