ThreatSTOP Blog

When Good IPs Behave Badly - likeĀ 146.88.240[.]4

Written by Ofir Ashman | May 14, 2021

Detecting, verifying and blocking malicious traffic is already quite the challenge in today's rapidly changing cyber threat landscape. Legitimate IPs acting like bad threat actors take this challenge one step further.

Let's take the IP 146.88.240[.]4 for example. This IP was seen attempting to pester our customer networks this week, with over 5.8 Million connections blocked to/from the IP by our systems. Community comments on threat exchange platforms variously asserted that this IP is just a benign Arbor scanner or that it hosts a ton of maliciousness. Even just taking a look at the intel above, provided by IP-46, shows a range of malicious activity. This data comes from over 60 distinct reporters, and 10 distinct threat intelligence sources. ThreatSTOP's Check IOC analysis tool also shows that the IP has been deemed malicious by various threat intelligence sources, including DShield, Green Snow, CINS, and the IP has been flagged as malicious by 7 security vendors on VirusTotal, receiving a community score of minus 12.

 

A deeper look using Check IOC's DNS lookup shows that this IP hosts www.arbor-observatory.com, a legitimate Arbor Networks website explaining that the IP in question is part of an Internet safety initiative which identifies services that can potentially be abused by attackers. They explain: "Internet scanning is often viewed as a malicious activity but can also be used by crawlers and other large-scale scanners to drive traffic, obtain useful statistics, and in our case gather knowledge that will go towards making the Internet a safer place."

So what are you supposed to do when an IP used to make the Internet better acts like a cyber threat and gets caught in loads of security nets? Well, the good news is there's no downside to blocking them, and out of an abundance of caution that is the default for ThreatSTOP. But if you want to help Arbor out you can whitelist their IP range in the knowledge it isn't actually malicious.

 

Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?