Question

Update September 2018: The events described below still happen to this day though less often from servers of The Shadow Server Foundation. By now I have denied access to most of their IP addresses, but I get a lot more connection attempts from other services like Leaseweb and whatnot. However, it still puzzles me as to why they want to connect. AFAIK via Bonjour mDNSResponder advertises network services (such as AFP file sharing) provided by my computer, as well as my self-chosen ".local" name.

In principle, I deny any connection to outside servers that are not Apple's.

Any further insights would be highly appreciated.


Recently I've been seeing access attempts by servers belonging to The Shadow Server Foundation to mDNSResponder (reported via Little Snitch, actually). I got access attempts from 184.105.247.199, 184.105.247.227 and 184.105.247.207. While their mission might sound laudable,

Established in 2004, The Shadowserver Foundation gathers intelligence on the darker side of the internet. We are comprised of volunteer security professionals from around the world. Our mission is to understand and help put a stop to high stakes cybercrime in the information age.

I don't appreciate these attempts, so I block them (thanks, Little Snitch!).

My network configuration looks like this:

[image: network config]

In an attempt to block all of their IP ranges, I came across this web page on myip.ms, which lists these domain names under "Websites hosted by The Shadow Server Foundation". Among them a few dubious sounding domain names:

  1. malwr.com
  2. tvbsp.com
  3. foottraffix.com
  4. bilescotrej.com
  5. make-cash-at-home.com
  6. profit-case.com
  7. alfa-cash.com
  8. milerteddy.com
  9. sexy-ladies-wantmeet.com
  10. ladies-with-big-tits.com

Without having visited any of these, I'm wondering if anyone knows anything about these sites. Why is The Shadow Server Foundation trying to get access to my Mac?

Assumption

Those websites are (most of them) well-known honeypots. They are designed to do lots of things, including luring bots into their networks.

I don't think the Shadow Server Foundation scans random IPs for information gathering. If you ended up in their list, there is some probability that your global IP has misbehaved, or did something suspicious.

Answer

Your global IP is not your Mac; it's the WAN gateway of your router. With the info you gave, we just know that one or multiple device(s) inside your LAN might have somehow misbehaved. It can be anything with a private IP address obtained via your ISP's router.

If there is a compromised device, you have to find it. You don't want to be part of a botnet.

A second assumption could be that someone hijacked your Wi-Fi and did some nasty things. A third assumption could be that your ISP is misbehaving; if that's the case, you can do nothing about it, so let's stick to those two possibilities:

  • One or multiple connected devices you own are misbehaving.

  • You got your WLAN breached.

I will try to guide you on how to perform some further investigations.

Going deeper

  • Breached WLAN?

Goal: Find a connected device on your WLAN you do not own.

How to: From your router, monitor IP leases / MAC addresses for at least one week. Check the past IP lease logs.

  • Compromised devices?

Goal: Find unexpected behaviors from the connected devices you own (C&C server connections, weird port/socket/protocol utilisation, outgoing connections to Shadow Server Foundation IPs / domains).

How to: Capture all your router's outgoing packets for at least 24 hours, then analyse and filter the .pcap with Wireshark or your favorite packet analyzer tool.

Good luck.
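As an added example (not code from the question or the answer above), the two checks the answer describes, done offline in Python over constructed sample data: first, a DHCP lease table is compared against an inventory of devices you own to find a MAC you do not recognise; second, a text dump of captured traffic is scanned for connections to or from the addresses named in the question, and each LAN host that initiated such a connection is tied back to its lease. The three 184.105.247.x addresses come from the question; the dnsmasq-style lease format, the tcpdump-style packet lines, the device inventory and the 184.105.247.0/24 range are assumptions made here for illustration, not data from the original post.

```python
"""Added example: offline triage of DHCP leases and captured traffic.

Input formats are assumptions (dnsmasq-style lease lines, `tcpdump -n -tt`
style packet lines); all sample data below is constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Addresses named in the question. The /24 around them is an assumption used
# only so neighbouring hosts in the same range are caught as well.
SHADOWSERVER_IPS = {"184.105.247.199", "184.105.247.227", "184.105.247.207"}
WATCH_NETS = [ipaddress.ip_network("184.105.247.0/24")]

# Inventory of devices the owner knows about (constructed MAC addresses).
KNOWN_MACS = {
    "aa:bb:cc:00:00:01": "MacBook",
    "aa:bb:cc:00:00:02": "iPhone",
    "aa:bb:cc:00:00:03": "Printer",
}

# Constructed dnsmasq-style lease file: <expiry> <mac> <ip> <hostname> <client-id>
LEASE_LOG = """\
1536700000 aa:bb:cc:00:00:01 192.168.1.10 MacBook 01:aa:bb:cc:00:00:01
1536700100 aa:bb:cc:00:00:02 192.168.1.11 iPhone 01:aa:bb:cc:00:00:02
1536700200 de:ad:be:ef:12:34 192.168.1.57 android-3f2a *
1536700300 aa:bb:cc:00:00:03 192.168.1.12 Printer *
"""

# Constructed `tcpdump -n -tt` style lines (hosts other than the three
# question addresses are made up). Line 3 is ordinary mDNS multicast traffic
# and must not be flagged; line 4 is an inbound probe to UDP 5353.
CONN_LOG = """\
1536700500.123456 IP 192.168.1.57.49152 > 184.105.247.199.80: Flags [S], seq 1, win 65535, length 0
1536700501.000000 IP 192.168.1.10.51234 > 17.253.144.10.443: Flags [S], seq 1, win 65535, length 0
1536700502.000000 IP 192.168.1.57.5353 > 224.0.0.251.5353: UDP, length 80
1536700503.000000 IP 184.105.247.227.40000 > 192.168.1.1.5353: UDP, length 46
"""


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str


@dataclass(frozen=True)
class Hit:
    ts: float
    src: str
    dst: str
    dport: int
    direction: str  # "outbound" = LAN host -> watched range, "inbound" = watched range -> LAN


def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; malformed or blank lines are skipped rather than raising."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(parts[1].lower(), parts[2], parts[3]))
    return leases


def unknown_devices(leases: list[Lease], known: dict[str, str] = KNOWN_MACS) -> list[Lease]:
    """Leases whose MAC is not in the inventory: candidate intruders on the WLAN."""
    return [lease for lease in leases if lease.mac not in known]


def in_watch_list(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return ip in SHADOWSERVER_IPS or any(addr in net for net in WATCH_NETS)


# <timestamp> IP <src>.<sport> > <dst>.<dport>: ...  (IPv4 only, as dumped with -n)
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TCPDUMP_RE = re.compile(
    rf"^(?P<ts>\d+\.\d+) IP (?P<src>{_IPV4})\.(?P<sport>\d+) > (?P<dst>{_IPV4})\.(?P<dport>\d+):"
)


def flag_connections(text: str) -> list[Hit]:
    """Return packets that touch the watched addresses, labelled by direction."""
    hits = []
    for line in text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue
        src, dst, ts, dport = m["src"], m["dst"], float(m["ts"]), int(m["dport"])
        if ipaddress.ip_address(src).is_private and in_watch_list(dst):
            hits.append(Hit(ts, src, dst, dport, "outbound"))
        elif in_watch_list(src):
            hits.append(Hit(ts, src, dst, dport, "inbound"))
    return hits


def suspect_hosts(hits: list[Hit], leases: list[Lease]) -> dict[str, str]:
    """Map each LAN IP that initiated a connection to the watched range to a device label."""
    by_ip = {lease.ip: lease for lease in leases}
    suspects: dict[str, str] = {}
    for hit in hits:
        if hit.direction != "outbound":
            continue
        lease = by_ip.get(hit.src)
        if lease is None:
            suspects[hit.src] = "no lease record"
        else:
            suspects[hit.src] = KNOWN_MACS.get(
                lease.mac, f"unknown device {lease.mac} ({lease.hostname})"
            )
    return suspects


if __name__ == "__main__":
    leases = parse_leases(LEASE_LOG)
    for lease in unknown_devices(leases):
        print(f"unknown device on WLAN: {lease}")
    hits = flag_connections(CONN_LOG)
    for hit in hits:
        print(f"{hit.direction}: {hit.src} -> {hit.dst}:{hit.dport}")
    print("hosts that initiated contact:", suspect_hosts(hits, leases))
```

On a real router you would export the lease table (many firmwares expose it under the DHCP status page, or as /var/lib/misc/dnsmasq.leases on OpenWrt-style systems) and produce the packet lines with tcpdump -n -tt from a capture or a mirror port; only outbound hits from a LAN host point at a device of yours worth examining, while inbound-only hits are just the probes the question describes arriving at the router.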

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange