[nsp-sec] A puzzle, not urgent. 198.18.0.0/15, RFC2544

Scott A. McIntyre scott at xs4all.net
Fri Jan 15 08:03:11 EST 2010


All,

In looking at my daily darknet data I've noticed a considerable amount of traffic to:

NetRange:   198.18.0.0 - 198.19.255.255
CIDR:       198.18.0.0/15
NetName:    NETBLK-NDTL
NetHandle:  NET-198-18-0-0-1
Parent:     NET-198-0-0-0-0
NetType:    IANA Special Use
Comment:    This block is reserved for special purposes.
Comment:    Please see RFC 2544 for additional information.

This is in the Cymru bogon feed, and I've long since used it for dumping into never-never land on my network.

However, after a huge spike of traffic to this range yesterday, I decided to look a bit more closely.

I'm seeing a lot of traffic to www.msftncsi.com -- which, ostensibly, is in line with the use as documented in RFC2544 -- of course Microsoft doesn't actually USE this IP range for this connectivity testing (rightly not) but I find it interesting that some customers are getting IPs out of DNS in that range for this host.

Other interesting hosts and URLs:

198.18.1.7:443 - "CONNECT 198.18.1.7:443 HTTP/1.1"
mail.google.com - "GET /mail/?ui=2&ik=......"
dss1.siteadvisor.com - "GET /DSS/Query?version=2&client_ver=0.0.1.1&type=domain&name=google.nl HTTP/1.1"
rad.msn.com - "GET /ADSAdClient31.dll?GetS...."

There are also a number of hits to what should be BitTorrent trackers for various things.

This led me to ponder if there's some DNS changing evilware involved, and that for whatever reason certain traffic and only certain traffic would be dumped to addresses in this range.  Not all http traffic for customers affected is going there, only some things.

So far a number of customers contacted all have the same DSL modem (Speedtouch), but that may not mean anything.

So, if you're bored, and have data for that /15, and have some insight into what might be going on, I'd like to hear!

Just a puzzle for a Friday afternoon,

Scott A. McIntyre
XS4ALL Internet B.V.
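One way to turn the observation above into a detection: flag resolver answers for public hostnames that land inside 198.18.0.0/15 (or another IANA special-use block) and count affected clients per name. This is an added example, not code from the post or from XS4ALL; the "client hostname resolved_ip" log format and the addresses in it are constructed, with a few of the hostnames taken from the post.

```python
import ipaddress
from collections import Counter

# Special-use ranges that a resolver answer for a public hostname should never fall in.
# 198.18.0.0/15 is the RFC 2544 benchmarking block discussed above; the TEST-NET
# blocks are other IANA special-use ranges that would be equally out of place.
SPECIAL_USE = [
    ipaddress.ip_network("198.18.0.0/15"),    # RFC 2544 benchmarking
    ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1
    ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2
    ipaddress.ip_network("203.0.113.0/24"),   # TEST-NET-3
]

# Constructed resolver log, one answer per line: "<client> <hostname> <resolved_ip>".
# Addresses are chosen to exercise both ends of the /15 (198.18.0.0 .. 198.19.255.255).
SAMPLE_DNS_LOG = """\
10.0.0.5 www.msftncsi.com 198.18.0.55
10.0.0.7 www.msftncsi.com 198.18.0.55
10.0.0.5 mail.google.com 198.18.1.7
10.0.0.9 www.msftncsi.com 198.17.255.255
10.0.0.12 dss1.siteadvisor.com 198.19.255.255
10.0.0.12 rad.msn.com 198.20.0.1
10.0.0.12 example.invalid 192.0.2.10
"""


def special_use_network(ip):
    """Return the special-use network containing ip, or None if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for net in SPECIAL_USE:
        if addr in net:
            return net
    return None


def find_bogus_answers(log_text):
    """Return (client, hostname, ip, network) for every answer inside a special-use range."""
    hits = []
    for line in log_text.splitlines():
        client, host, ip = line.split()
        net = special_use_network(ip)
        if net is not None:
            hits.append((client, host, ip, str(net)))
    return hits


def clients_per_host(hits):
    """Count distinct clients per flagged hostname; several clients sharing one bogus
    answer points at a resolver or CPE problem rather than a single infected host."""
    return Counter({h: len({c for c, hh, _, _ in hits if hh == h}) for _, h, _, _ in hits})
```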