04-14-2011 07:00 AM - edited 03-11-2019 01:20 PM
We run a pair of ASAs with a Botnet license. Recently (like this week) I have been noticing an increase of dynamic filter alerts for IP 65.55.239.168. This is a registered Microsoft IP, which makes me suspect that someone is running possibly a DNS redirect/spoofing attack. As usual, when I notice an IP that is triggering many dynamic filter alerts, I first go to senderbase.org and check the IP posture and reputation. This IP comes back clean, even though in the logs it has it categorized as Malware with a very-high threat level. I ran a packet capture on the ASA and it appears that the destination port is TCP 80. Nothing out of the ordinary in the capture except for do not frag set to on.
I then started trying to research this IP on the security forums, SANS Storm, etc but have found nothing.
Wanted to post here to see if anyone else running Botnet services has seen increased blocks for IP 65.55.239.168 and was able to track down why this is occurring.
Any information relating to this issue would be appreciated.
Thanks
04-14-2011 08:23 AM
I tested it in my lab and saw that my db is filtering 65.55.239.168 as well. It looks like a false positive since it's definitely a Microsoft owned IP address and none of the reputation sites are showing alerts. I'll report it and see what happens.
You should investigate the traffic to see if it's some sort of Microsoft update traffic. If it's causing issues in your network, you can always add a whitelist entry.
Thanks,
Brendan
04-14-2011 08:44 AM
Thanks Brendan. I am interested in how they respond.
As a side note, what is the best way for me to submit request for IP reputation validation? I have tried in the past to directly contact senderbase support. Once they figured out I was running this service on an ASA, they told me to contact TAC.
Thanks
04-14-2011 01:13 PM
I have noticed this today as well. We're very happy with the botnet filtering so far, with no complaints from our customers, but issues like this one are why I wish we could find out _why_ they had decided to blacklist an IP or domain.
04-14-2011 01:46 PM
Good to know the issue wasn't with only one customer!
The entry was determined to be a false positive and it should be removed in the next update. Currently the proper reporting mechanism for reporting false positives is to go through TAC. At this time we do not have a simpler false-positive reporting mechanism in place.
Thanks,
Brendan
04-15-2011 06:35 AM
Brendan,
Thank you for your help to this point. I have verified that my senderbase database is up to date. It has downloaded several times since your last point. Yet I continue to see dynamic filter blocks for this specific IP. I am hesitant to add it as a whitelist IP. I tend to yield on the side of security. Let me know if reclassification of the IP should have populated down to the database by now.
Thanks
04-15-2011 07:52 AM
Can you check again? I just checked my lab and it's gone.
brquinn-asa# dynamic-filter database find 65.55.239.168
Found 0 matches
brquinn-asa#
brquinn-asa# sh dynamic-filter data
Dynamic Filter is using downloaded database version '1302874021'
Fetched at 10:01:16 EDT Apr 15 2011, size: 2097147
...
Thanks,
Brendan
04-15-2011 08:00 AM
It was still in the database about an hour ago, but it looks like it finally dropped out with the most recent update.
#dynamic-filter database find 65.55.239.168
65.55.239.168 m=44098
Found 1 matches
# dynamic-filter database find 65.55.239.168
Found 0 matches
I have whitelisted that particular range from Microsoft just in case.
04-15-2011 11:09 AM
When I checked last, it was out. Then when I got back from lunch, our SIEM product has sent me an email alert of more blocked activity from that IP. Most recent search for the IP as of 1:07 pm central:
# dynamic-filter database find 65.55.239.168
65.55.239.168 m=44098
Found 1 matches
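The thread checks the same IP against the dynamic-filter database by hand several times and compares each result against what is already known to be a legitimate Microsoft range. The following is an added example, not code from the thread or from Cisco: a small Python helper that parses the `dynamic-filter database find` output exactly as quoted above, reports whether an IP is still listed, compares two successive checks, and flags a listed IP that falls inside an operator-maintained allowlist as a false-positive candidate to report through TAC. The allowlist range `65.55.239.0/24` is a placeholder chosen for the example, not a range the thread states, and the meaning of the `m=` field is not documented on the page, so it is kept only as an opaque number.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed samples: the two "dynamic-filter database find" outputs quoted in
# the thread, as captured before and after the database update.
SAMPLE_BEFORE = """# dynamic-filter database find 65.55.239.168
65.55.239.168 m=44098
Found 1 matches
"""
SAMPLE_AFTER = """# dynamic-filter database find 65.55.239.168
Found 0 matches
"""

# Assumed operator-maintained allowlist of ranges known to be legitimate.
# The /24 is a placeholder for this example, not a range given in the thread.
KNOWN_GOOD: List[str] = ["65.55.239.0/24"]

# "<ip> m=<number>" entry lines; the m= value is kept as an opaque integer.
_ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+m=(\d+)\s*$")
# Trailing summary line; the ASA prints "matches" even for a single hit.
_FOUND_RE = re.compile(r"^Found (\d+) match(?:es)?$")


def parse_find_output(text: str) -> Dict[str, object]:
    """Parse CLI output into {'entries': {ip: m_value}, 'found': count}.

    The prompt line (starting with '#') is ignored. A mismatch between the
    entries seen and the 'Found N' summary is treated as a truncated capture.
    """
    entries: Dict[str, int] = {}
    found: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        entry = _ENTRY_RE.match(line)
        if entry:
            entries[entry.group(1)] = int(entry.group(2))
            continue
        summary = _FOUND_RE.match(line)
        if summary:
            found = int(summary.group(1))
    if found is not None and found != len(entries):
        raise ValueError(f"summary says {found} matches but {len(entries)} entries parsed")
    return {"entries": entries, "found": found if found is not None else 0}


def is_listed(text: str, ip: str) -> bool:
    """True if the IP appears as an entry in the captured output."""
    return ip in parse_find_output(text)["entries"]


def in_known_good(ip: str, cidrs: List[str]) -> Optional[str]:
    """Return the first allowlist CIDR containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return cidr
    return None


def triage(text: str, ip: str, cidrs: List[str]) -> str:
    """Classify one check: not-listed, listed, or listed-but-known-good.

    'listed-but-known-good' is the false-positive candidate the thread
    describes: still blocked by the filter but inside a trusted range,
    so it should be reported (via TAC) and reviewed before any whitelist.
    """
    listed = is_listed(text, ip)
    if listed and in_known_good(ip, cidrs):
        return "listed-but-known-good"
    return "listed" if listed else "not-listed"


def status_change(before: str, after: str, ip: str) -> str:
    """Compare two successive checks: 'dropped', 'added', or 'unchanged'."""
    was, now = is_listed(before, ip), is_listed(after, ip)
    if was and not now:
        return "dropped"
    if now and not was:
        return "added"
    return "unchanged"


if __name__ == "__main__":
    target = "65.55.239.168"
    print(triage(SAMPLE_BEFORE, target, KNOWN_GOOD))   # listed-but-known-good
    print(status_change(SAMPLE_BEFORE, SAMPLE_AFTER, target))  # dropped
```

Feeding each new capture through `status_change` against the previous one gives the "dropped" / "added" transitions the thread observes across updates, which is more reliable than eyeballing a "Found 1 matches" line after lunch.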