Botnet traffic filtering IP address 216.246.75.177 port 80

go.michael
Level 1

Hello,

I recently installed Botnet traffic filtering on my Cisco ASA FW. Now I get logs that multiple hosts are trying to access 216.246.75.177 port 80. Botnet filter categorizes this as High/Malware and drops the traffic. I googled the IP address and I didn't see any known threats from that IP. Does someone know anything about this IP address?

Thanks,

Mike

4 Replies

manish arora
Level 6

This IP address belongs to one of the major CDNs. It's generally used by many websites to deliver faster videos on their web sites, or even streams, etc.

Don't know much about Botnet, but if this keeps getting denied then you will have people coming to you saying that sections of some web sites are not showing up; even web sites like Wells Fargo bank use Akamai CDN services.

Manish

Mike, if you google for that IP you would see a number of reports from the Malc0de database making reference to it:

http://malc0de.com/database/index.php?search=216.246.75.177&IP=on

Also, I went to that IP address on port 80 with my browser (NoScript enabled to avoid getting infected myself) and I didn't get anything. No website or anything. This is suspicious.

This IP is not registered on WHOIS, which makes it even more suspicious. I would let the ASA drop the traffic and check those PCs' connections to port 80 with all browsers closed, using something like netstat or TCPView. If you see any activity going on then the PCs are likely to be infected.

Botnets are hardly detected by regular AV engines, so you might even need to reimage the PCs.

I hope this helps.
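For the check suggested in the reply above (look at each PC's connections to the flagged IP and port with all browsers closed), here is an added example that is not from the thread, from Cisco or from any poster: a Python script that parses `netstat -an` output in either the Windows or the Linux layout and reports connections to 216.246.75.177:80. The netstat sample embedded in it is constructed, and the names `FLAGGED_IP`, `FLAGGED_PORT`, `parse_netstat` and `flagged_connections` are the example's own.

```python
"""Find TCP connections from this host to an endpoint the ASA flagged.

Added example (not from the thread): parses `netstat -an` output so a
snapshot from a PC can be checked for connections to the IP and port
that the ASA Botnet Traffic Filter reported. The sample output below is
constructed; the IP and port come from the thread.
"""
import re
import subprocess
from typing import Iterable, List, NamedTuple

FLAGGED_IP = "216.246.75.177"   # destination from the ASA logs in the thread
FLAGGED_PORT = 80

# Matches an IPv4 endpoint such as 216.246.75.177:80 anywhere in a line.
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


class Connection(NamedTuple):
    local: str
    remote_ip: str
    remote_port: int
    state: str


def parse_netstat(lines: Iterable[str]) -> List[Connection]:
    """Parse TCP lines from `netstat -an` (Windows or Linux layout).

    Both layouts print the local endpoint before the foreign endpoint, so
    the second IPv4:port token on a line is the remote side. Header lines,
    UDP lines and lines without two IPv4 endpoints (e.g. `0.0.0.0:*`) are
    skipped.
    """
    conns: List[Connection] = []
    for line in lines:
        if not line.strip().upper().startswith("TCP"):
            continue
        endpoints = ENDPOINT_RE.findall(line)
        if len(endpoints) < 2:
            continue
        (lip, lport), (rip, rport) = endpoints[0], endpoints[1]
        # The state, when present, is the last whitespace-separated field.
        tail = line.rsplit(None, 1)[-1]
        state = "" if ENDPOINT_RE.fullmatch(tail) else tail
        conns.append(Connection(f"{lip}:{lport}", rip, int(rport), state))
    return conns


def flagged_connections(conns: Iterable[Connection],
                        ip: str = FLAGGED_IP,
                        port: int = FLAGGED_PORT) -> List[Connection]:
    """Return every connection to ip:port, in any state.

    SYN_SENT is deliberately included: once the ASA drops the traffic, a
    process that keeps retrying the flagged destination shows up as a
    half-open attempt rather than an ESTABLISHED session.
    """
    return [c for c in conns if c.remote_ip == ip and c.remote_port == port]


def live_netstat() -> List[str]:
    """Run `netstat -an` on this host (Windows and Linux both accept -an)."""
    result = subprocess.run(["netstat", "-an"], capture_output=True,
                            text=True, check=False)
    return result.stdout.splitlines()


# Constructed sample in the Windows `netstat -an` layout; 203.0.113.10 is a
# documentation address standing in for ordinary browsing traffic.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49312         216.246.75.177:80      SYN_SENT
  TCP    10.0.0.5:49313         203.0.113.10:443       ESTABLISHED
  TCP    10.0.0.5:49320         216.246.75.177:443     ESTABLISHED
  UDP    0.0.0.0:5355           *:*
""".splitlines()


if __name__ == "__main__":
    # On a real PC use live_netstat() in place of SAMPLE.
    for c in flagged_connections(parse_netstat(SAMPLE)):
        print(f"{c.local} -> {c.remote_ip}:{c.remote_port} {c.state}")
```

A single netstat snapshot only shows what is open at that instant, so run the script a few times over a couple of minutes (or leave TCPView open) before concluding a PC is clean; matching on the remote port too keeps the more common HTTPS traffic to the same CDN address from masking the port-80 attempts the ASA is logging.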

Luis,

I don't know what WHOIS you are checking, but here's the link on ARIN:

http://whois.arin.net/rest/net/NET-216-246-75-0-1/pft

As you can see, the IP belongs to Akamai Technologies, one of the best CDNs in the market, as I have used this company's services at times.

Manish

Hey, that's weird... I did it a couple of times from my Linux desktop. If it's indeed Akamai, then it's probably something like software updates.
