Drone Armies C&C Report - 17 Mar 2007

This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly should
feel free to contact us.

For purposes of this report we use the following terms:
    open    the host completed the TCP handshake
    closed  No activity detected
    reset   issued a RST

This month's survey is of 5188 unique domains (or IPs) with
port suspect C&Cs. This list is extracted from the BBL, which
has a historical base of 16080 reported C&Cs. Of the suspect C&Cs
surveyed, 774 reported as Open, 1577 reported as closed,
and 801 issued resets to the survey instrument. Of the C&Cs
listed by domain name in our C&C database, 7799 are mitigated.

Top 20 ASNs by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN. We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP. Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
                                                         Percent_
  ASN  Responsible Party                    Total  Open  Resolved
19318  NJIIX-AS-1 - NEW JERSEY INTERN         134    14        90
13301  UNITEDCOLO-AS Autonomous System of      86    24        72
23522  CIT-FOONET                              69    44        36
 4766  KIXS-AS-KR                              60    15        75
30058  FDCSE FDCservers.net LLC                47    11        77
 7132  SBC Internet Services                   45     9        80
  174  Cogent Communications                   45    41         9
 8560  SCHLUND-AS                              41     8        80
13213  UK2NET-AS UK-2 Ltd Autonomous Syste     40     2        95
25761  STAMIN-2 Staminus Communications        38    23        39
14779  INKT Inktomi Corporation                36     0       100
14780  INKT Inktomi Corporation                35     0       100
 9318  HANARO-AS                               34     4        88
 3561  Savvis                                  32     6        81
33597  InfoRelay Online Systems, Inc.          31     0       100
24989  IXEUROPE-DE-FRANKFURT-ASN IX Europe     30    11        63
12832  Lycos Europe                            29     4        86
 4134  CHINANET-BACKBONE                       29     8        72
25973  Mzima Networks, Inc.                    28    27         4
24611  AS24611 Datacenter Luxembourg S.A.      26     0       100

Top 20 ASNs by number of active suspect C&Cs. These counts are
determined by the number of suspect domains or IPs located within
the ASN that completed a connection request.
                                                         Percent_
  ASN  Responsible Party                    Total  Open  Resolved
23522  CIT-FOONET                              69    44        36
  174  Cogent Communications                   45    41         9
25973  Mzima Networks, Inc.                    28    27         4
13301  UNITEDCOLO-AS Autonomous System of      86    24        72
25761  STAMIN-2 Staminus Communications        38    23        39
30506  Blacksun Technologies                   18    18         0
 4766  KIXS-AS-KR                              60    15        75
19318  NJIIX-AS-1 - NEW JERSEY INTERN         134    14        90
30058  FDCSE FDCservers.net LLC                47    11        77
 1257  TELE2 AB                                18    11        39
24989  IXEUROPE-DE-FRANKFURT-ASN IX Europe     30    11        63
 4837  CHINA169-Backbone                       26    11        58
 6140  ImpSat                                  11    10         9
29686  PROBENETWORKS-AS Probe Networks         10    10         0
29339  MBBG-AS Markus Bach Betriebs Gesell     10    10         0
 7132  SBC Internet Services                   45     9        80
15083  IIS-129 Infolink Information Servic     21     9        57
 8560  SCHLUND-AS                              41     8        80
 3786  ERX-DACOMNET                            26     8        69
 4134  CHINANET-BACKBONE                       29     8        72

A version of this report with additional rankings can be found
via the isotf.org home page.

Randal Vaughn                   Gadi Evron
Professor                       ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu
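
The per-ASN counting described in the report above, as an added example that is not part of the original report or the DA/ASreport tooling: it tallies Total and Open by domain without removing duplicates, and shows beside them the unique-IP counts that the report says it does not compute. The records, ASNs and IPs are constructed, and the Percent_Resolved formula (share of entries not open, rounded) is an assumption that reproduces the published rows.

```python
from collections import defaultdict

# Constructed survey records: (domain, resolved IP, ASN, probe state).
# ASNs are private-use numbers and IPs are documentation ranges.
RECORDS = [
    ("a.example", "192.0.2.10", 64500, "open"),
    ("b.example", "192.0.2.10", 64500, "open"),
    ("c.example", "192.0.2.10", 64500, "open"),
    ("d.example", "192.0.2.77", 64500, "closed"),
    ("e.example", "198.51.100.5", 64501, "open"),
    ("f.example", "198.51.100.6", 64501, "open"),
    ("g.example", "198.51.100.7", 64501, "reset"),
    ("h.example", "203.0.113.9", 64502, "closed"),
    ("i.example", "203.0.113.9", 64502, "reset"),
]

def percent_resolved(total, opened):
    # Assumed formula: share of suspect entries that are not open, rounded.
    return round(100 * (total - opened) / total)

def summarize(records):
    """Per-ASN totals as the report counts them, plus unique-IP counts."""
    doms, open_doms, ips, open_ips = (defaultdict(set) for _ in range(4))
    for domain, ip, asn, state in records:
        doms[asn].add(domain)
        ips[asn].add(ip)
        if state == "open":  # host completed the TCP handshake
            open_doms[asn].add(domain)
            open_ips[asn].add(ip)
    return {asn: {"total": len(doms[asn]), "open": len(open_doms[asn]),
                  "resolved": percent_resolved(len(doms[asn]), len(open_doms[asn])),
                  "unique_ips": len(ips[asn]), "open_ips": len(open_ips[asn])}
            for asn in doms}

def rank(summary, key):
    # Descending by the chosen column; ties broken by ASN for stable output.
    return sorted(summary, key=lambda asn: (-summary[asn][key], asn))

if __name__ == "__main__":
    s = summarize(RECORDS)
    for title, key in (("by Total", "total"), ("by Open", "open"),
                       ("by open unique IPs", "open_ips")):
        print(title)
        for asn in rank(s, key):
            r = s[asn]
            print(f"  AS{asn} total={r['total']} open={r['open']} "
                  f"resolved={r['resolved']}% ips={r['unique_ips']} "
                  f"open_ips={r['open_ips']}")
```

Ranking by open unique IPs puts the second constructed ASN first, because three of the first ASN's open domains share one address.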