Drone Armies C&C Report - 13 Oct 2006

This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly should
feel free to contact us.

For purposes of this report we use the following terms:
  open    the host completed the TCP handshake
  closed  no activity detected
  reset   issued a RST

This month's survey is of 5387 unique suspect C&Cs, each a domain (or IP)
with port. This list is extracted from the BBL, which has a historical
base of 13113 reported C&Cs. Of the suspect C&Cs surveyed, 872 reported
as open, 1841 reported as closed, and 862 issued resets to the survey
instrument. Of the C&Cs listed by domain name in our C&C database,
4943 are mitigated.

Top 20 ASNs by total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN. We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP. Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
                                                        Percent_
  ASN  Responsible Party                   Total  Open  Resolved
19318  NJIIX-AS-1 - NEW JERSEY INTERN        123    20        84
13301  UNITEDCOLO-AS Autonomous System of    115    41        64
 4766  KIXS-AS-KR                             65    22        66
30058  FDCSE FDCservers.net LLC               64    21        67
16265  LEASEWEB AS                            58    40        31
23522  CIT-FOONET                             49    29        41
  174  Cogent Communications                  40    30        25
12832  Lycos Europe                           40     6        85
 8560  SCHLUND-AS                             37    18        51
15083  IIS-129 Infolink Information Servic    37     2        95
 7132  SBC Internet Services                  36     7        81
 3269  TELECOM ITALIA                         32     9        72
 9318  HANARO-AS                              31     6        81
33597  InfoRelay Online Systems, Inc.         29     0       100
25761  STAMIN-2 Staminus Communications       29    15        48
 4134  CHINANET-BACKBONE                      29     3        90
13749  EVRY Everyones Internet                28     2        93
 8972  INTERGENIA-ASN intergenia autonomou    28     4        86
 3786  ERX-DACOMNET                           27    10        63
13213  UK2NET-AS UK-2 Ltd Autonomous Syste    26     3        88

Top 20 ASNs by number of active suspect C&Cs. These counts are
determined by the number of suspect domains or IPs located within
the ASN that completed a connection request.
                                                        Percent_
  ASN  Responsible Party                   Total  Open  Resolved
13301  UNITEDCOLO-AS Autonomous System of    115    41        64
16265  LEASEWEB AS                            58    40        31
  174  Cogent Communications                  40    30        25
23522  CIT-FOONET                             49    29        41
30407  Velcom.com                             25    24         4
 4766  KIXS-AS-KR                             65    22        66
30058  FDCSE FDCservers.net LLC               64    21        67
19318  NJIIX-AS-1 - NEW JERSEY INTERN        123    20        84
 8560  SCHLUND-AS                             37    18        51
19166  Alpha Red, INC                         20    17        15
 9121  TTNet                                  24    17        29
25761  STAMIN-2 Staminus Communications       29    15        48
 3786  ERX-DACOMNET                           27    10        63
 3269  TELECOM ITALIA                         32     9        72
28753  NETDIRECT AS NETDIRECT Frankfurt       16     9        44
 7479  KDDHK-AS-AP KDD HONG KONG LIMITED       9     9         0
18942  WEBHO-3 WebHostPlus Inc                13     9        31
 6140  ImpSat                                  9     8        11
 7132  SBC Internet Services                  36     7        81
 9911  CONNECTPLUS-AP Singapore Telecom        9     7        22
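
Added example (not part of the original report, and not the survey's own
tooling): how per-domain counting without de-duplication by IP produces the
Total and Open columns, and why the two rankings above can differ. The
records, domains, IPs and ASNs are constructed; the Percent_Resolved formula
(Total - Open) / Total is an assumption inferred from the table rows.

```python
from collections import defaultdict

# Constructed survey records: (domain, resolved IP, ASN, probe state).
# Reserved example domains, documentation IP ranges and private-use ASNs;
# none of this is data from the report.
RECORDS = [
    ("a.example", "192.0.2.10", 64500, "open"),
    ("b.example", "192.0.2.10", 64500, "open"),
    ("c.example", "192.0.2.10", 64500, "closed"),
    ("d.example", "192.0.2.77", 64500, "reset"),
    ("e.example", "198.51.100.5", 64501, "open"),
    ("f.example", "198.51.100.6", 64501, "open"),
    ("g.example", "198.51.100.7", 64501, "open"),
    ("h.example", "203.0.113.9", 64502, "closed"),
]

def percent_resolved(total, open_count):
    # Assumed formula, inferred from the table rows (Total 123, Open 20 -> 84).
    return round(100 * (total - open_count) / total)

def summarize(records):
    """Per-ASN counts: one count per domain, no de-duplication by IP."""
    acc = defaultdict(lambda: {"total": 0, "open": 0, "ips": set()})
    for _domain, ip, asn, state in records:
        entry = acc[asn]
        entry["total"] += 1
        entry["open"] += state == "open"
        entry["ips"].add(ip)
    return [
        {"asn": asn, "total": e["total"], "open": e["open"],
         "percent_resolved": percent_resolved(e["total"], e["open"]),
         "unique_ips": len(e["ips"])}
        for asn, e in acc.items()
    ]

def top_by(rows, key, n=20):
    """Rank ASNs by 'total' or 'open', highest first; ties broken by ASN."""
    return sorted(rows, key=lambda r: (-r[key], r["asn"]))[:n]

if __name__ == "__main__":
    rows = summarize(RECORDS)
    for key in ("total", "open"):
        print(f"-- by {key} --")
        for r in top_by(rows, key):
            print(r["asn"], r["total"], r["open"],
                  r["percent_resolved"], r["unique_ips"])
```

The unique_ips field is not a column in the report; it is included to show
how many hosts sit behind a Total when several domains map to one IP.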

Randal Vaughn                   Gadi Evron
Professor                       ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu