Figure Four (4): Destination Port Activity Timeline, August - September 2014.

In one of the subsequent online conversations regarding our early analysis, one security
professional expressed concern regarding how all traffic from this ISP should be interpreted;
since CHINANET is the sole ISP for the entire country, any subjective analysis becomes quite
problematic.

DarkWolf Labs found that limiting the analysis to the specific Autonomous System (AS) Number
4134 proved quite interesting: 2,981,300 events were observed from over 213,500 different IP
addresses in just six months. Note that AS 4134 is not limited to Hunan Telecom or Hunan
province, as hundreds of organizations and subsidiary ISPs of CHINANET use this AS Number
for routing.

For comparison, Figure Five (5) breaks down the top twenty organizations by observed activity
for AS 4134 between January and August 2014. The CHINANET HUNAN PROVINCE NETWORK
was clear down at number 11 in the rankings, with other provinces surpassing its suspect
activity:
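The per-organization breakdown described above, as an added example that is not part of the original article: events are first restricted to a single AS number (4134) by longest-prefix lookup, then counted per organization both as raw events and as distinct source IPs. The prefix table and the flow records are constructed placeholders (only 218.77.79.43 comes from the article; its /24 prefix and the organization mapping are assumptions).

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed prefix -> (ASN, organization) table. Only 218.77.79.43 appears in the
# article; its /24 and every other prefix/organization here are placeholders.
PREFIX_TABLE = [
    ("218.77.79.0/24",   4134,  "CHINANET HUNAN PROVINCE NETWORK"),
    ("198.51.100.0/24",  4134,  "Example Org A (placeholder)"),
    ("203.0.113.0/24",   4134,  "Example Org B (placeholder)"),
    ("192.0.2.0/24",     64496, "Non-4134 Org (placeholder)"),
]
NETWORKS = [(ipaddress.ip_network(p), asn, org) for p, asn, org in PREFIX_TABLE]

def lookup(ip):
    """Longest-prefix match of ip against the constructed table -> (ASN, org)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, org in NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, org)
    return (best[1], best[2]) if best else (None, None)

def rank_orgs(events, asn=4134):
    """Keep only events whose source routes via `asn`, then rank organizations
    by event count; also report distinct source IPs, since one noisy host can
    dominate the raw count."""
    ev = Counter()
    ips = defaultdict(set)
    for src_ip, _dst_port in events:
        a, org = lookup(src_ip)
        if a != asn:
            continue
        ev[org] += 1
        ips[org].add(src_ip)
    ranked = sorted(ev.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(org, n, len(ips[org])) for org, n in ranked]

# Constructed sample flow records: (source IP, destination port).
SAMPLE_EVENTS = [
    ("218.77.79.43", 22), ("218.77.79.43", 22), ("218.77.79.43", 3389),
    ("198.51.100.5", 22), ("198.51.100.6", 22), ("198.51.100.7", 22), ("198.51.100.8", 22),
    ("203.0.113.9", 1433), ("203.0.113.9", 1433),
    ("192.0.2.10", 22), ("192.0.2.11", 22),
]

if __name__ == "__main__":
    for org, n_events, n_ips in rank_orgs(SAMPLE_EVENTS):
        print(f"{org}: {n_events} events from {n_ips} distinct IPs")
```

On the constructed data the non-4134 source drops out entirely, and the Hunan network ranks below Org A despite a single host generating all of its events.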

Figure Five (5): Top Twenty (20) Organizations For Observed Activity, January - August 2014.

In an effort to better understand the activity from Hunan province, Figure Six (6) plots out the
locations and amount of activity detected for the province. Note the overwhelming amount of
activity from around Changsha (28°10'44.4"N 113°06'50.4"E), far surpassing any of the other
observed activity for this region.

These geolocation coordinates are similar to those derived from the Regional Internet
Registry (RIR) information for the IP address in question (218.77.79.43), and both place it
either in or very near what appears to be a major waterway, the Liuyang River:
Cyber Warnings Magazine – September Edition
Copyright © Cyber Defense Magazine. All rights reserved worldwide.