Our runner-up title for most dropped packets goes to 63.251.252.12. So what nefarious activity have we seen? On the surface, the traffic looks fairly benign. The deeper we go down the rabbit hole, however, the more we discover!

So which ports are being hit, and how often? The destination ports range from 35935 (lowest) to 65428 (highest), every packet was TCP, and no single port was hit more than 18 times across the 2,462 dropped packets logged so far (the count is still climbing). One thing worth keeping in mind as the story unfolds: that whole range sits in the ephemeral port space, and a source that scatters TCP packets across high-numbered ports without ever repeating one is not behaving like a service scanner (which would hammer 22, 80, 443 and friends). A common explanation for that pattern is replies to connections that a host on our side opened, arriving after the firewall has already dropped the state entry.
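The statistics quoted above (port range, protocol mix, maximum hits on any one port) are quick to compute straight from the firewall log. The script below is an added example written for this post, not the author's tooling; it assumes iptables-style netfilter LOG lines with a "DROP" prefix, and the six sample lines are constructed for illustration rather than taken from the real 2,462-packet capture. Only packets that carry a destination port (TCP/UDP) are counted.

```python
"""Per-source summary of firewall drops from iptables-style kernel log lines.

Added example: the log format is an assumption (netfilter LOG with a "DROP"
prefix) and SAMPLE_LOG is constructed, not the author's actual capture.
"""
import re
from collections import Counter

# Constructed sample lines in netfilter LOG layout (KEY=VALUE fields, TCP
# flags as bare tokens). One line from a different source is included so
# the filter by SRC is exercised.
SAMPLE_LOG = """\
May  4 10:01:12 fw kernel: DROP IN=eth0 OUT= SRC=63.251.252.12 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=35935 WINDOW=64240 RES=0x00 ACK SYN URGP=0
May  4 10:01:13 fw kernel: DROP IN=eth0 OUT= SRC=63.251.252.12 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=41200 WINDOW=64240 RES=0x00 ACK SYN URGP=0
May  4 10:01:15 fw kernel: DROP IN=eth0 OUT= SRC=63.251.252.12 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=41200 WINDOW=501 RES=0x00 ACK URGP=0
May  4 10:02:01 fw kernel: DROP IN=eth0 OUT= SRC=63.251.252.12 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=65428 WINDOW=501 RES=0x00 ACK FIN URGP=0
May  4 10:02:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May  4 10:02:03 fw kernel: DROP IN=eth0 OUT= SRC=63.251.252.12 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=40001 LEN=80
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
EPHEMERAL_MIN = 32768  # Linux default ephemeral range starts here


def parse_line(line):
    """Return the KEY=VALUE fields of one DROP line, plus the set of bare TCP
    flag tokens under "FLAGS"; None for lines that are not drop records."""
    if "DROP" not in line or "SRC=" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["FLAGS"] = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields


def summarise_source(log_text, src):
    """Port and protocol statistics for every drop whose SRC equals `src`.
    Returns None when the source never appears with a destination port."""
    rows = [
        f for f in map(parse_line, log_text.splitlines())
        if f and f.get("SRC") == src and f.get("DPT", "").isdigit()
    ]
    if not rows:
        return None
    dports = Counter(int(f["DPT"]) for f in rows)
    busiest_port, busiest_hits = dports.most_common(1)[0]
    return {
        "total": len(rows),
        "protocols": dict(Counter(f.get("PROTO", "?") for f in rows)),
        "lowest_port": min(dports),
        "highest_port": max(dports),
        "busiest_port": busiest_port,
        "max_hits_on_one_port": busiest_hits,
        # Every destination port in the ephemeral range is the signature of
        # return traffic to connections our side opened, not of a service scan.
        "all_ephemeral": all(p >= EPHEMERAL_MIN for p in dports),
        # ACK set on most packets points the same way; a SYN flood has none.
        "packets_with_ack": sum("ACK" in f["FLAGS"] for f in rows),
    }


if __name__ == "__main__":
    for key, value in summarise_source(SAMPLE_LOG, "63.251.252.12").items():
        print(f"{key:>22}: {value}")
```

Run against a real log (cat /var/log/kern.log | python3 summarise.py, with the SRC you care about), the two last fields are the ones to look at first: if every destination port is ephemeral and nearly every packet has ACK set, the "attacker" is most likely answering your own hosts.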

The quest gets more interesting when we look into the backstory of 63.251.252.12. A WHOIS query returns:

OrgName:    Internap Network Services Corporation
OrgId:      PNAP
Address:    250 Williams Street
Address:    Suite E100
City:       Atlanta
StateProv:  GA
PostalCode: 30303
Country:    US
RegDate:    1996-07-18
Updated:    2012-01-24
Ref:        https://whois.arin.net/rest/org/PNAP

ARIN’s abuse contact record for Internap appears to be out of date: the phone number it lists is disconnected. I contacted ARIN about this and was told by ARIN hostmaster Jonathan Roberts, “ARIN will attempt to find updated contact information for this record.”

According to Internap Network Services Corporation’s website, they are the “… leading technology provider of internet infrastructure through both Colocation Business and Enterprise Services (including network connectivity, IP, bandwidth, and Managed Hosting), and Cloud Services (including enterprise-grade AgileCLOUD 2.0, Bare-Metal Servers, and SMB iWeb platforms).”

The map on their website shows a datacenter in Atlanta, and the WHOIS postal address is in Atlanta too, so the natural presumption is that 63.251.252.12 lives there. A WHOIS address is the registrant’s corporate address, though, not the location of the host, and the traceroute below tells a different story: the final hops carry NTT’s snjsca04 and Internap’s sje011 site labels, both of which denote San Jose, California. The address most likely sits in Internap’s San Jose facility.

TraceRoute from Network-Tools.com to 63.251.252.12

Hop  RTT (ms)          IP Address      Host name
 1   Timed out (x3)    –               –
 2   1    1    1       4.68.63.178     ntt-level3-200g.dallas1.level3.net
 3   1    1    1       129.250.5.5     ae-0.r23.dllstx09.us.bb.gin.ntt.net
 4   40   41   41      129.250.4.154   ae-8.r23.snjsca04.us.bb.gin.ntt.net
 5   40   40   40      129.250.3.175   ae-45.r01.snjsca04.us.bb.gin.ntt.net
 6   43   44   43      157.238.64.138  ae-0.internap.snjsca04.us.bb.gin.ntt.net
 7   44   44   43      66.151.144.31   border5.pc1-bbnet1.sje011.pnap.net
 8   48   48   49      75.98.84.242    inapvoxcust-3.border3.sje011.pnap.net
 9   43   43   43      63.251.252.12   –

Trace complete

Reading the path: the probe leaves Dallas (dallas1.level3.net, dllstx09), rides NTT’s backbone to San Jose (snjsca04, with the 40 ms jump at hop 4 being the Dallas-to-California leg), and enters Internap’s network (pnap.net) at site sje011, where the target is one hop past a customer-facing border router. Hop 1 timing out is just the tracing host’s own gateway declining to answer probes and says nothing about the target.

The second-to-last hop carries “inapvoxcust” in its hostname, presumably Internap’s label for a Voxel customer link, which points to the owner of 63.251.252.12: a company named Voxel Dot Net. According to Bloomberg, “Voxel Dot Net, Inc. provides internet hosting services and infrastructure software. The Company offers cloud hosting, circuit testing, interconnection, server racks, firewall, backup, load balancing, power circuits, and recovery solutions” and is also based in Atlanta, GA. Visiting http://www.voxel.net in the browser simply redirects to www.internap.com, putting our investigation into a loop (and consistent with Voxel having been folded into Internap).

So let’s charge further down the rabbit hole and get to the good stuff! AbuseIPDB users have filed 42 reports against 63.251.252.12, notably for DoS attacks, dating back to May 3, 2016. Cymon shows malware reported for 63.251.252.12 by malwr.com. Things get interesting when we look at the domains Cymon associates with the address:

loadr.exelator.com
loadm.exelator.com
loadus.exelator.com

A Google search for “loadr.exelator.com” yields 5,000+ results, and most of them describe a browser hijacker delivered through a script named “load.js”. Treat that label with a little care: adware-removal threads tend to call any third-party tracking script that keeps reappearing in a browser a “hijacker”, so what the results establish is that load.js from these hosts is widely seen and widely unwanted, not necessarily that it is malware in the strict sense.

So who is behind exelator.com? Visiting http://www.exelator.com in the browser redirects to http://www.exelate.com and the truth is finally revealed.

Shockingly, it is The Nielsen Company (US), LLC. Their own pitch leans on what they call “Nielsen Artificial Intelligence (AI)”: “Our marketing cloud gives you access to a universe of Nielsen audience data. We help you understand your customers at a level no one else can match. But it doesn’t stop there. Using built-in analytics and Nielsen Artificial Intelligence (AI), our cloud is constantly evaluating the success of your marketing and making adjustments in real-time. The result? Every step of your marketing process gets smarter and more effective.”