Lots of Traffic to 4 IP Addresses


I am curious as to whether anyone else is seeing a great deal of traffic to 4 IP addresses...

104.244.xx.20 with the xx being either 36, 37, 38 or 39

We have ~3000 PCs on our network and I am seeing ~100 logs in an hour for each one. (First thing this morning I had 24,431 logs, and not everyone is in yet.)

I have googled these addresses and some sites say it is malware, some say it is good, but I can't find a reliable source to let me know what it is. The site name is <daldt or amidt>.adsafeprotected.com. When I go to their www site it does not look malicious (but I know that is not an indicator that the site is ok). I have all the traffic blocked right now and nothing is breaking. The traffic is coming from all the PCs on our network, including mine, and it must be behind the scenes stuff because I am not going there intentionally.

We have recently switched to Chrome as our default browser, but I can't find anything associating the IPs with Chrome either.

Any assistance is appreciated,

thanks

terri

 

5 Replies
Champion

ARIN.net says it is "Integral Ad Science" (integralads.com) whose website seems pretty vague about what they actually do, so I'm assuming they are tracking user data and shoveling ads. In my opinion, block 'em.

Network: NET-104-244-36-0-1
Source Registry: ARIN
Net Range: 104.244.36.0 - 104.244.39.255
CIDR: 104.244.36.0/22

Source Registry: ARIN
Kind: Org
Full Name: Integral Ad Science, Inc.
Handle: ASML-5
Email: network@integralads.com
Address: 95 Morton St 8th Floor New York NY 10014 United States
Roles: Registrant
Registration: Thu, 02 Aug 2012 13:38:40 GMT (Thu Aug 02 2012 local time)
Last Changed: Wed, 22 Jun 2016 14:14:23 GMT (Wed Jun 22 2016 local time)

Gaia 3.10 Immersion Self-paced Video Series
now available at http://www.maxpowerfirewalls.com

Participant

Agree on the blocking. Those IPs go back to adsafeprotected which is associated with both adware and malware.


You can see the relationships to a lot of Android and other exe files here: https://www.virustotal.com/graph/http%253A%252F%252Fdaldt.adsafeprotected.com%252F


Apparently there was a binary PUP with the same name (ADSAFEPROTECTED) at one point, so check for that. It could be they have moved to pure hosted. I would give them the benefit of the doubt that maybe they are protecting ads, but as @Timothy_Hall points out their "website seems pretty vague" and that is a lot of traffic.

https://greatis.com/blog/howto/remove-adsafeprotected-forever.htm

Champion

Great analysis, given that extra info I'd say block the whole 104.244.36.0/22 netblock outright, not just the .20 host addresses as I'm sure they will shift host addresses around inside their netblock at some point to avoid existing blocks.

Leader
 

From Check Point categorization:

[Screenshot: Check Point categorization result]

As all other guys recommend, block them.

Wolfgang
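
The recommendation above to block the whole 104.244.36.0/22 netblock rather than only the four .20 hosts can be checked against exported logs before changing the rule. This is an added example, not code from any poster in the thread; the "source destination" log format and the sample lines are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Netblock from the ARIN record and the four host addresses quoted in the thread.
NETBLOCK = ipaddress.ip_network("104.244.36.0/22")
HOST_RULES = {ipaddress.ip_address(f"104.244.{o}.20") for o in (36, 37, 38, 39)}

# Constructed sample log lines ("source destination"); not a real firewall export.
SAMPLE_LOG = """\
10.1.4.17 104.244.36.20
10.1.4.17 104.244.37.20
10.1.9.52 104.244.39.20
10.1.9.52 104.244.38.77
10.1.2.8 104.244.40.20
10.1.2.8 not-an-ip
10.1.7.3 104.244.36.20
"""

def triage(log_text):
    """Summarise traffic to the netblock and list destinations host-only rules miss."""
    in_block = Counter()   # destination inside the /22 -> number of log lines
    sources = set()        # internal hosts that talked to the /22
    skipped = 0            # malformed lines, counted rather than silently dropped
    for line in log_text.splitlines():
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
        except (IndexError, ValueError):
            skipped += 1
            continue
        if dst in NETBLOCK:
            in_block[dst] += 1
            sources.add(src)
    # Destinations in the registrant's range that a rule on the four hosts would pass.
    missed = sorted(d for d in in_block if d not in HOST_RULES)
    return {
        "hits": sum(in_block.values()),
        "sources": len(sources),
        "missed_by_host_rules": [str(d) for d in missed],
        "skipped": skipped,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-empty `missed_by_host_rules` list means traffic is already reaching other addresses in the same registered range, which is the case the netblock-wide rule covers.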

Contributor

Thank you all for your input! I will block the traffic.
