When an IP is in a number of blocklists and it tries to make over 20 Million (yes, you read that right!) connection attempts with our customer devices, it definitely catches our attention. This is exactly what the IP address 89.248.165[.]118 did. Just Memorial Day morning showed around 30K hits in our customer logs from this IP.
So what is this pesky address doing? According to AbuseIPDB, the IP 89.248.165[.]118 has been reported over five thousand times as partaking in port scanning and brute force activities. AlienVault's OTX shows 17 different user-created threat pulses based on Honeypot logs that include the IP, and two threat intelligence vendors claim it to be malicious on VirusTotal. As shown in ThreatSTOP's CheckIOC results, DShield, CINS Army and APWG also deemed the IP malicious due to its constant scanning attempts. Yet a look at the IP's Whois information shows what claims to be a legit project called the "Recyber Project":
Image: Virustotal
Visiting the website listed under their Whois information, we get an uninformative webpage with two sentences that does not say enough for an unfamiliar person to understand if this is really a legitimate security project.
Image: Recyber
Not too long ago, we started raising the question on our blog - what do we do when good IPs behave badly? This gets even harder when a user cannot easily tell if the IP is actually legitimate, though it claims to be. At ThreatSTOP, we believe in a default of caution. If it looks fishy, and there's no big downside to barring the IP from your network, block it. You may end up thanking us for that later. ThreatSTOP uses over 800 threat intelligence sources to integrate the best leads on long-standing, as well as recently debuted threats, balancing between the necessary caution to catch more threats before they reach your network, and sophisticated protection logic to avoid false positives. Among our blocklists, we provide a number of targets that include scanner and scanning attack IOCs, including SNMP, SSH, Telnet, DNS, SMB, VOIP H323, SIP and Telephony Abuse, IMAP, FTP, Brute Force attacks and more.
ThreatSTOP also offers a target bundle, Monitoring Services IPs, that lets users whitelist legitimate third-party companies that monitor network connectivity and uptime for their clients’ infrastructure. These services can sometimes be mistaken for scans and malicious activity, and whitelisting their IPs ensures these services do not get blocked for customers who use them to monitor their networks.
Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?