ThreatSTOP Blog

Why isn't this hosting provider DDOS-GUARDing?

Written by Ofir Ashman | November 2, 2021

Our story with DDoS-Guard Ltd (AS57724) starts with the IP 185.178.208[.]140 - and a spoonful of bewilderment.

During a routine day of malware hunting across internet infrastructure, a ThreatSTOP analyst noticed some very suspicious domain activity on this particular IP. DDoS-Guard is a Russian internet infrastructure company that "provides DDoS protection, content delivery network services, and web hosting services". Yep, we know you're thinking it too: isn't an AS whose business is guarding against DDoS (Distributed Denial of Service) attacks supposed to protect its users from cyber threats, not host them? We would think so too, so we absolutely had to take a deeper look:

A glance at the domains hosted on 185.178.208[.]140, and at the malicious files associated with them, immediately showed that nothing good is going on over there. I mean, come on, who has a legitimate domain that starts with blog.blog.blog...?

Image: VirusTotal

 

ThreatSTOP's Check IOC tool shows that the IP has appeared on various blocklists over the last few years, including APWG, Cybercrime, and ThreatSTOP's Stealers target. Looking at the neighbouring IPs on either side of it, we started to see more nasty activity.

 
 
Image: Check IOC

 

While some Autonomous Systems (ASes) stay relatively clean of malware (usually the more expensive, established and better-secured ones), others are a playground for cyber attackers. Sometimes whole areas of the internet are abused for malicious activity (Selectel, for example). DDoS-Guard is double trouble in this case: a supposedly "protective" AS with malware spiderwebs hidden inside.

Researching the 185.178.208[.]0/24 address space (hosted in Russia), our analyst found a contiguous range, 185.178.208[.]129 through 185.178.208[.]190, that is being abused for malicious activity and has been for months. The range hosts a variety of malicious activity: exploit kits, various malware families, phishing, stealer trojans, spam and more.

IPs on 185.178.208[.]0/24 with a malicious instance in the last 6 months, based on VT data. 

 

Another area on the AS known for its maliciousness is 185.223.92[.]0/24. According to CleanTalk, over half of the address space has recently hosted malicious activity.

Image: CleanTalk

 

We highly recommend blocking all IPs in this address space that have been deemed malicious by high-quality threat intelligence providers such as the ones we aggregate. Scope the block to the flagged addresses rather than the whole AS: DDoS-Guard is also a CDN and DDoS-protection provider, so an AS-wide block can cut off reachability to sites that merely sit behind it. To find out if an IP is in our threat targets, use our free Check IP tool.

ThreatSTOP subscribers are automatically protected from attacks launched from these IPs and from others as they appear. They can also choose to block traffic to and from countries they don't want their networks to communicate with, such as Russia. Contact us to find out more, or see the links at the end of this post to get a demo or trial.

For your convenience, here is the list of IP addresses in the 185.178.208[.]0/24 range that we especially recommend blocking (65 addresses: .3, .4, .35 and the contiguous .129 to .190):

185.178.208[.]3 185.178.208[.]139 185.178.208[.]152 185.178.208[.]165 185.178.208[.]178
185.178.208[.]4 185.178.208[.]140 185.178.208[.]153 185.178.208[.]166 185.178.208[.]179
185.178.208[.]35 185.178.208[.]141 185.178.208[.]154 185.178.208[.]167 185.178.208[.]180
185.178.208[.]129 185.178.208[.]142 185.178.208[.]155 185.178.208[.]168 185.178.208[.]181
185.178.208[.]130 185.178.208[.]143 185.178.208[.]156 185.178.208[.]169 185.178.208[.]182
185.178.208[.]131 185.178.208[.]144 185.178.208[.]157 185.178.208[.]170 185.178.208[.]183
185.178.208[.]132 185.178.208[.]145 185.178.208[.]158 185.178.208[.]171 185.178.208[.]184
185.178.208[.]133 185.178.208[.]146 185.178.208[.]159 185.178.208[.]172 185.178.208[.]185
185.178.208[.]134 185.178.208[.]147 185.178.208[.]160 185.178.208[.]173 185.178.208[.]186
185.178.208[.]135 185.178.208[.]148 185.178.208[.]161 185.178.208[.]174 185.178.208[.]187
185.178.208[.]136 185.178.208[.]149 185.178.208[.]162 185.178.208[.]175 185.178.208[.]188
185.178.208[.]137 185.178.208[.]150 185.178.208[.]163 185.178.208[.]176 185.178.208[.]189
185.178.208[.]138 185.178.208[.]151 185.178.208[.]164 185.178.208[.]177 185.178.208[.]190
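As an added example (not ThreatSTOP's Check IOC or Check IP tooling, and not code from the post), here is a small Python script that takes the list above in its defanged form, refangs it, collapses it into the minimal set of CIDR blocks, answers the two questions this post keeps asking (is a given IP on the list, and what do the IPs to its left and right look like), and renders an nftables set you can load. The list is transcribed inline so the script runs offline; the nftables table and set names are assumptions.

```python
"""Build a checkable, deployable blocklist from the post's defanged IP list.

Added example, not ThreatSTOP's own tooling. Standard library only.
"""
import ipaddress
from typing import Iterable, List

# Constructed input: the 65 addresses from the post, transcribed in the
# defanged form ([.]) used there, not fetched from any feed.
RECOMMENDED_BLOCK = """
185.178.208[.]3 185.178.208[.]139 185.178.208[.]152 185.178.208[.]165 185.178.208[.]178
185.178.208[.]4 185.178.208[.]140 185.178.208[.]153 185.178.208[.]166 185.178.208[.]179
185.178.208[.]35 185.178.208[.]141 185.178.208[.]154 185.178.208[.]167 185.178.208[.]180
185.178.208[.]129 185.178.208[.]142 185.178.208[.]155 185.178.208[.]168 185.178.208[.]181
185.178.208[.]130 185.178.208[.]143 185.178.208[.]156 185.178.208[.]169 185.178.208[.]182
185.178.208[.]131 185.178.208[.]144 185.178.208[.]157 185.178.208[.]170 185.178.208[.]183
185.178.208[.]132 185.178.208[.]145 185.178.208[.]158 185.178.208[.]171 185.178.208[.]184
185.178.208[.]133 185.178.208[.]146 185.178.208[.]159 185.178.208[.]172 185.178.208[.]185
185.178.208[.]134 185.178.208[.]147 185.178.208[.]160 185.178.208[.]173 185.178.208[.]186
185.178.208[.]135 185.178.208[.]148 185.178.208[.]161 185.178.208[.]174 185.178.208[.]187
185.178.208[.]136 185.178.208[.]149 185.178.208[.]162 185.178.208[.]175 185.178.208[.]188
185.178.208[.]137 185.178.208[.]150 185.178.208[.]163 185.178.208[.]176 185.178.208[.]189
185.178.208[.]138 185.178.208[.]151 185.178.208[.]164 185.178.208[.]177 185.178.208[.]190
"""


def refang(token: str) -> str:
    """Undo common defanging ('[.]' or '(.)' standing in for '.') so the address parses."""
    return token.replace("[.]", ".").replace("(.)", ".")


def parse_ips(text: str) -> List[ipaddress.IPv4Address]:
    """Parse whitespace-separated, possibly defanged IPv4 addresses; dedupe and sort."""
    return sorted({ipaddress.IPv4Address(refang(tok)) for tok in text.split()})


def summarize(ips: Iterable[ipaddress.IPv4Address]) -> List[ipaddress.IPv4Network]:
    """Collapse individual addresses into the smallest set of CIDR blocks.

    Adjacent /32s merge (.130 and .131 become .130/31); gaps stay gaps, so
    neighbours that were never listed (.128, .191) are not swept in.
    """
    return list(ipaddress.collapse_addresses(ipaddress.IPv4Network(str(ip)) for ip in ips))


def is_blocked(ip: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if `ip` (fanged or defanged) falls inside any block."""
    addr = ipaddress.IPv4Address(refang(ip))
    return any(addr in net for net in nets)


def neighbourhood_hits(ip: str, radius: int, nets: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """The post's 'look at the IPs to its left and right' check: which addresses
    within +/- radius of `ip` (excluding `ip` itself) are on the blocklist."""
    nets = list(nets)  # may be iterated several times below
    centre = int(ipaddress.IPv4Address(refang(ip)))
    hits = []
    for offset in range(-radius, radius + 1):
        candidate = centre + offset
        if offset == 0 or not 0 <= candidate <= 0xFFFFFFFF:
            continue
        cand_str = str(ipaddress.IPv4Address(candidate))
        if is_blocked(cand_str, nets):
            hits.append(cand_str)
    return hits


def nft_set(nets: Iterable[ipaddress.IPv4Network], name: str = "ddosguard_block") -> str:
    """Render an nftables interval set holding the blocks. Load with `nft -f <file>`
    and match it with `ip saddr @<name> drop` (and `ip daddr` for egress).
    The table name 'filter' and the set name are assumptions."""
    elements = ", ".join(str(net) for net in nets)
    return (
        "table inet filter {\n"
        f"    set {name} {{\n"
        "        type ipv4_addr\n"
        "        flags interval\n"
        f"        elements = {{ {elements} }}\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    blocks = summarize(parse_ips(RECOMMENDED_BLOCK))
    print(f"{sum(n.num_addresses for n in blocks)} addresses in {len(blocks)} CIDR blocks")
    for query in ("185.178.208[.]140", "185.178.208.128"):
        verdict = "blocked" if is_blocked(query, blocks) else "not listed"
        print(query, verdict, "neighbours hit:", neighbourhood_hits(query, 2, blocks))
    print(nft_set(blocks))
```

The 65 entries collapse to 13 blocks (three lone /32s plus ten blocks covering .129 to .190), which is what you want to ship to a firewall: far fewer rules, but no address outside the list becomes blocked as a side effect of the summarization. The neighbourhood check is the same idea the analyst applied by eye, and is a cheap way to decide whether a new hit sits in an already-known bad range or is a fresh one.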

 

Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?