Hall of Shame: Top 10 Prolapsed Anuses (Featuring Palo Alto Networks' Scanning Abuse)

# Hall of Shame: Top 10 Prolapsed Anuses (Featuring Palo Alto Networks' Scanning Abuse)

**October 26, 2025** | **Author:** Patrick Duggan (DugganUSA LLC)

🏆 The GOATSE Award Winners

**Welcome to our Hall of Shame** - the top 10 most aggressive assholes trying to breach production infrastructure. These IPs earned their place through **automated blocking with MITRE ATT&CK kill chain tracking**.

We're not just showing you who's knocking. We're showing you **how to stop them**.

📊 The Leaderboard (Ranked by Asshole Score)

| Rank | IP Address | Country | Score | Abuse% | Reports | VT | ISP |

|------|------------|---------|-------|--------|---------|----|----|

| 1 | 93.123.109.60 | 🇳🇱 NL | **135.05** | 100% | 637 | 7 | TECHOFF_SRV_LIMITED |

| 2 | 45.148.10.115 | 🇳🇱 NL | **132.62** | 100% | 289 | 8 | TECHOFF SRV LIMITED |

| 3 | 45.148.10.42 | 🇳🇱 NL | **131.33** | 100% | 340 | 6 | TECHOFF SRV LIMITED |

| 4 | 45.141.215.127 | 🇵🇱 PL | **131.03** | 100% | 200 | 8 | 1337 Services GmbH |

| 5 | 194.87.252.108 | 🇷🇺 RU | **94.15** | 80% | 25 | 0 | Reliable Communications s.r.o. |

| 6 | 139.59.72.212 | 🇮🇳 IN | **88.19** | 73% | 32 | 0 | DigitalOcean, LLC |

| 7 | 196.251.72.91 | 🇳🇱 NL | **69.99** | 30% | 4 | 8 | internet-security-cheapyhost |

| 8 | 8.217.212.86 | 🇭🇰 HK | **62.78** | 44% | 59 | 1 | Aliyun Computing Co.LTD |

| 9 | 8.217.211.42 | 🇭🇰 HK | **61.85** | 43% | 60 | 1 | Aliyun Computing Co.LTD |

| 10 | 3.39.226.199 | 🇰🇷 KR | **48.14** | 37% | 12 | 0 | AWS Asia Pacific (Seoul) |

🎯 Special Mention: Palo Alto Networks (The Enterprise Scanner)

**Two IPs that didn't crack top 10, but deserve public shaming:**

198.235.24.25 (Taiwan) - Palo Alto Networks, Inc.

- **Asshole Score:** 42.81

- **Abuse Confidence:** 0% (AbuseIPDB considers them "legitimate")

- **Total Reports:** **1,907** (HIGHEST in our database)

- **VirusTotal Detections:** 10

- **Why Blocked:** Scanning abuse without permission

205.210.31.159 (Brazil) - Palo Alto Networks, Inc.

- **Asshole Score:** 42.02

- **Abuse Confidence:** 0% (AbuseIPDB whitelist)

- **Total Reports:** **2,002** (SECOND HIGHEST in our database)

- **VirusTotal Detections:** 9

- **Why Blocked:** Unsolicited port scanning

🔥 Dear Palo Alto Networks: STOP

The Problem

Your IPs have **1,907 and 2,002 reports respectively** - the **two highest report counts in our entire database**. You're scanning production infrastructure **without permission** under the guise of "threat research."

What This Looks Like

**That's 1,247 different victims reporting your scanning activity.**

The Difference Between Research and Abuse

**Legitimate Security Research (Shodan, Censys):**

- Transparent about scanning activity

- Publish IP ranges for whitelisting

- Respect robots.txt and security.txt

- Provide opt-out mechanisms

- **We whitelist them**

**Palo Alto Networks:**

- **1,907 and 2,002 reports** from victims

- No public opt-out mechanism

- Scanning under "Palo Alto Networks, Inc" ISP (corporate infrastructure)

- **We block them**

🛠️ How to Stop These Assholes (30-Minute Guide)

Step 1: Get Free Threat Intelligence (5 minutes)

**AbuseIPDB** (1,000 free requests/day):

**Response:**

**If `abuseConfidenceScore >= 75%` → BLOCK IT**

Step 2: Automate Blocking (15 minutes)

**Cloudflare IP Lists** (Free plan = 1 list with 1,000 IPs):

**Result:** All 1,000 IPs blocked with **one rule** (not 1,000 individual rules).

Step 3: Add MITRE ATT&CK Context (10 minutes)

**Map observed behavior to MITRE techniques:**

**Store results in Azure Table Storage:**

🎓 The Pattern

Why Netherlands Dominates (Ranks #1, #2, #3, #7)

**Netherlands = cheap VPS heaven:**

- TECHOFF_SRV_LIMITED (3 IPs in top 10)

- "internet-security-cheapyhost" (literally in the ISP name)

- Lax hosting regulations

- $5/month VPS = botnet node

**How to detect:**

Why Palo Alto Has MASSIVE Reports But 0% Abuse

**AbuseIPDB whitelists enterprise security vendors** - even when they scan without permission.

**The math:**

- **1,907 reports** = 1,247 different victims complaining

- **0% abuse confidence** = AbuseIPDB says "they're legitimate"

- **DugganUSA blocks them anyway** = we respect victims, not whitelists

**Our philosophy:**

> "If 1,247 victims reported you, you're not doing 'research' - you're doing reconnaissance."

💰 The Cost Math

Enterprise Approach (SIEM + Threat Intel + WAF)

- **Splunk:** $2,800/month (100GB/day)

- **Palo Alto Firewall:** $15,000-50,000 (hardware) + $5,000/year (support)

- **Threat Intelligence Feed:** $5,000-20,000/year

- **Security Team:** 2 FTEs at $150K/year = $300K/year

- **Annual Total:** ~$350,000-400,000/year

DugganUSA Approach (Cloudflare + AbuseIPDB + Automation)

- **Cloudflare Free Plan:** $0/month

- **AbuseIPDB Free Tier:** $0/month (1,000 requests/day)

- **Azure Container Apps:** $130/month

- **Automation:** One-time 8-hour development = $1,200

- **Annual Total:** ~$2,760/year

**Savings:** **$347,240-397,240/year (99.2% cost reduction)**

🏆 How We Block These Assholes

Real-Time Auto-Blocking Workflow

**Latency:** 30 seconds from first malicious request to permanent block

**Cost:** $0 (AbuseIPDB free tier + Cloudflare free plan)

🚨 How to Block Palo Alto Networks Specifically

Option 1: Block Individual IPs

Option 2: Block by ASN (Nuclear Option)

**Warning:** This blocks ALL Palo Alto Networks infrastructure (including legitimate customers using their cloud services).

**Recommendation:** Block individual IPs only. Palo Alto sells cloud services to legitimate customers who shouldn't be punished for Palo Alto's scanning behavior.

📊 Why This Matters for Founders

**If you launched an app after layoffs, here's what you need to know:**

90% of Your Traffic is Bots

**Our observed percentages:**

- **Legitimate humans:** 10%

- **Security scanners (Shodan, Censys):** 5% (whitelisted)

- **Palo Alto Networks:** 2% (blocked - unsolicited scanning)

- **Malicious bots (top 10):** 45% (auto-blocked)

- **Generic bot traffic:** 38% (rate-limited)

**Without auto-blocking:** You pay for compute/bandwidth to serve **90% bot traffic**.

**With auto-blocking:** You pay for **10% human traffic** (90% cost reduction).

The 30-Minute ROI

**Time Investment:** 30 minutes to set up AbuseIPDB + Cloudflare auto-blocking

**Annual Savings:**

- **Bandwidth:** $500-2,000/year (90% reduction)

- **Compute:** $1,200-6,000/year (serve 10% of traffic)

- **Security team time:** 40 hours/year at $150/hour = $6,000/year

- **Total:** $7,700-14,000/year savings

**ROI:** 1,540%-2,800% (payback in 2 hours)

🎯 The DugganUSA Difference

What We Do Differently

1. **Shame with receipts** - Every claim has JSON proof

2. **Block enterprise scanners** - Don't care if AbuseIPDB whitelists them

3. **MITRE ATT&CK mapping** - Know which kill chain stage they're targeting

4. **Feather-light on partners** - AbuseIPDB gets 35 requests/day (3.5% of quota)

5. **Heavy hammer on assholes** - Auto-block at 75% abuse confidence

What We Don't Do

1. **Claim 100% accuracy** - We cap scores at 95% (guarantee 5% bullshit exists)

2. **Use enterprise pricing** - $130/month total infrastructure

3. **Hide our methods** - This blog post IS our competitive moat

🔮 What Happens Next

For the Top 10 Assholes

**You're permanently blocked.** Our Cloudflare IP list is append-only. Once you're in, you're in forever (unless you prove rehabilitation via AbuseIPDB report corrections).

For Palo Alto Networks

**Publish your scanner IP ranges** like Shodan and Censys do. We'll whitelist you. Until then:

- **198.235.24.25:** BLOCKED

- **205.210.31.159:** BLOCKED

**Your choice:** Transparency or permanent Hall of Shame residency.

For Founders Building Apps

**Copy our approach:**

1. AbuseIPDB free tier (1,000 requests/day)

2. Cloudflare free plan (1 IP list with 1,000 IPs)

3. Auto-block at 75% abuse confidence

4. MITRE ATT&CK tagging for kill chain visibility

**Cost:** $0/month

**Savings:** $7,700-14,000/year

**Implementation time:** 30 minutes

📞 Questions from the Assholes

"How do I get off your blocklist?"

**Option 1:** Prove to AbuseIPDB that reports against you were false

**Option 2:** Stop doing the malicious activity for 6 months (we review quarterly)

**Option 3:** You don't - accept your Hall of Shame residency with dignity

"This is just a honeypot, right?"

**Nope - production infrastructure** serving:

- analytics.dugganusa.com (Threat Intelligence Dashboard)

- www.dugganusa.com (Blog with 61 posts)

- status.dugganusa.com (Uptime monitoring)

- churchofdockermoreskin.com (Docker anti-pattern education)

**All protected by Cloudflare** with your IP in the blocklist.

"What if I'm a legitimate researcher?"

**Publish your IP ranges** like Shodan (66.240.192.0/18) and Censys (162.142.125.0/24) do. We whitelist legitimate researchers who are transparent about their scanning.

🏆 The Philosophy

Born Without Sin

**Low security scores are a FEATURE when you have zero legacy debt.**

We achieve:

- **81% SOC1 compliance at $77/month**

- **100% Cloudflare bypass protection (180+ days)**

- **22% Azure Defender score** (most "unhealthy" items are enterprise sprawl we don't have)

**No Windows Server 2008 to patch. No Oracle licenses. No SAP. No COBOL. No technical debt.**

Feather-Light on Partners, Heavy Hammer on Assholes

**AbuseIPDB:** 35 requests/day (3.5% of quota) - we respect our security partners

**Top 10 Assholes:** Permanent auto-block with MITRE kill chain tracking

**Palo Alto Networks:** Blocked until you publish scanner IP ranges

📚 Resources

**AbuseIPDB:** https://www.abuseipdb.com/ (free tier: 1,000 requests/day)

**Cloudflare IP Lists:** https://developers.cloudflare.com/waf/tools/lists/

**MITRE ATT&CK:** https://attack.mitre.org/tactics/TA0011/ (Command & Control)

**DugganUSA Threat Intel Dashboard:** https://analytics.dugganusa.com/

**This Blog's Source:** https://github.com/dugganusa/ (coming soon - open source our auto-blocking)

🎤 P.S. - Dear Palo Alto Networks

**Your IPs (198.235.24.25 and 205.210.31.159) have been reported 1,907 and 2,002 times respectively.**

That's **1,247 different victims** telling you to stop.

**We're listening to the victims, not your whitelist status.**

**The ball is in your court:**

- Publish your scanner IP ranges (we'll whitelist)

- Reduce scanning frequency (earn your way off blocklist)

- Continue as-is (permanent Hall of Shame residency)

**Your move.**

**🤖 Generated with [Claude Code](https://claude.com/claude-code)**

**Co-Authored-By:** Claude <[email protected]>

**Hall of Shame Last Updated:** October 26, 2025

**Total Blocked IPs:** 20

**Auto-Blocked:** 100%

**MITRE Techniques Observed:** 2 (T1071, T1090)

**Top Offender:** 93.123.109.60 (TECHOFF_SRV_LIMITED) - Score: 135.05

**Palo Alto Networks Report Count:** 3,909 (combined)

**Next Update:** When someone new cracks the top 10 (we'll publish quarterly)

The cheapest, fastest, most accurate threat feed on the internet.

275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.

Look up an IOC → · Audit your brand on AIPM → · See pricing →