DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Christmas Day 2025: 1,512 Blocks, 380 False Positives, and an Alibaba Proxy Botnet

Patrick Duggan
Dec 25, 2025
3 min read

# Christmas Day 2025: 1,512 Blocks, 380 False Positives, and an Alibaba Proxy Botnet

**Author:** Patrick Duggan

**Classification:** TLP:WHITE

**Category:** security

The Question

"How many IPs did we block in the last 24 hours?"

Simple question. Took us until Christmas Day 2025 to build the endpoint that answers it.

**Answer: 1,512 IPs blocked in 24 hours.**

But that number is a lie. Here's why.

The Spike

When we graphed the blocks by hour, one bar dominated the chart:

| Hour (UTC) | Blocks |

|------------|--------|

| 12:00 | 1,418 |

| 18:00 | 46 |

| 03:00 | 17 |

| All others | 31 |

**94% of blocks happened in a single hour.** And when we zoomed in:

| Minute | Blocks |

|--------|--------|

| 12:36 | 454 |

| 12:37 | 952 |

**1,406 blocks in 2 minutes.** That's either a coordinated attack or something weird.

The Weird Part

We pulled the top attacking subnets:

| Subnet | IPs Blocked | Owner |

|--------|-------------|-------|

| 198.235.24.x | 91 | Palo Alto Networks |

| 205.210.31.x | 90 | Palo Alto Networks |

| 147.185.132.x | 49 | Palo Alto Networks |

| 47.79.20x.x | 150+ | Alibaba Cloud |

| 40.77.167.x | 55 | Microsoft |

| 52.167.144.x | 55 | Microsoft |

**Palo Alto Networks and Microsoft aren't attackers. They're security vendors.**

The Math

- **1,512** total blocks

- **380** were security vendor scanners (false positives)

- **1,132** were real attacks

Our automated blocking was flagging legitimate security research as malicious. That's a 25% false positive rate on our headline number.

The Real Attackers

Filtering out the security vendors, the actual attack pattern emerges:

Alibaba Cloud Proxy Botnet (180 IPs)

This is a proxy botnet operating out of Alibaba Cloud. They're selling residential proxy access through compromised or rented cloud instances. The password spraying suggests they're also harvesting credentials.

**Subnets involved:**

- 47.79.201.x

- 47.79.202.x

- 47.79.203.x

- 47.79.216.x

- 47.79.217.x

- 47.79.218.x

- 47.82.11.x

ChinaNet Shanghai (36 IPs)

State-adjacent infrastructure doing reconnaissance. Standard Tuesday for ChinaNet.

Bulletproof Hosting (17 IPs)

Classic bulletproof hosting. The netname "rented" tells you everything - anonymous VPS rentals for attack staging.

The Fix

We're whitelisting security vendor scanner ranges:

- Palo Alto Networks: 198.235.24.0/24, 205.210.31.0/24, 147.185.132.0/24

- Microsoft Defender: 40.77.0.0/16, 52.167.0.0/16, 157.55.0.0/16, 207.46.0.0/16

These are security researchers, not threats. Blocking them:

1. Inflates our block counts with false positives

2. Might interfere with legitimate security scanning

3. Makes our data dirtier

The Lesson

**Your block count is not your threat count.**

When someone asks "how many attacks did you stop?" the honest answer requires:

1. Subtracting security vendor scanners

2. Subtracting your own infrastructure

3. Subtracting research crawlers

4. Subtracting misconfigured legitimate services

What's left is the real attack surface.

For Christmas Day 2025:

- **Claimed: 1,512 blocks**

- **Actual: 1,132 attacks**

- **False positive rate: 25%**

We'll take the L on the inflated number. The truth is more useful than the flex.

The Alibaba Problem

180 proxy botnet IPs from a single cloud provider in a single day. Alibaba Cloud either:

1. Has weak abuse detection

2. Has permissive terms of service

3. Doesn't care

For reference, DigitalOcean nuked the Aisuru C2s within hours of our Christmas Eve report. Alibaba's proxy botnet has been running for months.

Different providers, different standards.

Get The Data

**Block History API:**

**STIX Feed (real IOCs, not scanner noise):**

**TAXII 2.1 (new today):**

The Bottom Line

Christmas Day 2025:

- Built the "blocks per time period" endpoint we should have had months ago

- Discovered 25% of our blocks are security vendor false positives

- Found an Alibaba Cloud proxy botnet (180 IPs, still active)

- Shipped TAXII 2.1 compliance

Not bad for a holiday.

*DugganUSA LLC - Minnesota*

*"Your block count is not your threat count."*

#threatintel #falsepositive #alibaba #proxybot #christmas2025 #honesty