topic Re: Lots of Traffic to 4 IP Addresses in General Topics

Lots of Traffic to 4 IP Addresses

Terri_Hawkins — Thu, 14 May 2020 12:09:09 GMT

I am curious as to whether anyone else is seeing a great deal of traffic to 4 ip addresses....

104.244.xx.20 with the xx being either 36, 37, 38 or 39

We have ~3000 pc's on our network and I am seeing ~100 logs in an hour for each one. (first thing this morning I had 24,431 logs, not everyone is in yet)

I have googled these addresses and some sites say it is malware, some say it is good, but I can't find a reliable source to let me know what it is. The site name is <daldt or amidt> .adsafeprotected.com. When I go to their www site it does not look malicious (but I know that is not an indicator that the site is ok). I have all the traffic blocked right now and nothing is breaking. The traffic is coming from all the PC's on our network, including mine, and it must be behind the scenes stuff because I am not going there intentionally.

We have recently switched to Chrome as our default browser, but I can't find anything associating the IP's with Chrome either.

Any assistance is appreciated,

thanks

terri

Re: Lots of Traffic to 4 IP Addresses

Timothy_Hall — Thu, 14 May 2020 12:35:04 GMT

ARIN.net says it is "Integral Ad Science" (integralads.com) whose website seems pretty vague about about what they actually do, so I'm assuming they are tracking user data and shoveling ads. In my opinion, block 'em.

Network: NET-104-244-36-0-1

Source Registry: ARIN

Net Range

104.244.36.0 - 104.244.39.255

CIDR

104.244.36.0/22

Source Registry: ARIN

Kind: Org
Full Name: Integral Ad Science, Inc.
Handle: ASML-5

Email: network@integralads.com
Address: 95 Morton St 8th Floor New York NY 10014 United States
Roles: Registrant

Registration: Thu, 02 Aug 2012 13:38:40 GMT (Thu Aug 02 2012 local time)
Last Changed: Wed, 22 Jun 2016 14:14:23 GMT (Wed Jun 22 2016 local time)

Re: Lots of Traffic to 4 IP Addresses

MartinZ — Thu, 14 May 2020 13:22:09 GMT

Agree on the blocking. Those IP's go back to adsafeprotected which is associated with both adware and malware.

You can see the relationships to a lot of Android and other exe files here: https://www.virustotal.com/graph/http%253A%252F%252Fdaldt.adsafeprotected.com%252F

Apparently there was a binary PUP with the same name (ADSAFEPROTECTED) at one point, so check for that. It could be they have moved to pure hosted. I would give them the benefit of the doubt that maybe they are protecting ads, but as @Timothy_Hall points out their "website seems pretty vague" and that is a lot of traffic.

https://greatis.com/blog/howto/remove-adsafeprotected-forever.htm

Re: Lots of Traffic to 4 IP Addresses

Timothy_Hall — Thu, 14 May 2020 14:34:25 GMT

Great analysis, given that extra info I'd say block the whole 104.244.36.0/22 netblock outright, not just the .20 host addresses as I'm sure they will shift host addresses around inside their netblock at some point to avoid existing blocks.

Re: Lots of Traffic to 4 IP Addresses

Wolfgang — Thu, 14 May 2020 15:41:39 GMT

from Check Point categorization:

As all other guys recommend, block them.

Wolfgang

Re: Lots of Traffic to 4 IP Addresses

Terri_Hawkins — Thu, 14 May 2020 15:48:30 GMT

Thank you all for your input! I will block the traffic.