Drone Armies C&C Report - 19 Sep 2006

This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly should
feel free to contact us.

For purposes of this report we use the following terms:

  open    the host completed the TCP handshake
  closed  no activity detected
  reset   the host issued a RST

This month's survey is of 4330 unique domain (or IP) plus port suspect
C&Cs. This list is extracted from the BBL, which has a historical base
of 11766 reported C&Cs. Of the suspect C&Cs surveyed, 640 reported as
open, 1570 reported as closed, and 684 issued resets to the survey
instrument. Of the C&Cs listed by domain name in our C&C database,
4862 are mitigated.

Top 20 ASNs by total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN. We do not remove duplicates, and some of
the ASNs reported have many domains mapping to a single IP. Note that
the Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
                                                         Percent_
  ASN  Responsible Party                    Total  Open  Resolved
19318  NJIIX-AS-1 - NEW JERSEY INTERN          97    15        85
13301  UNITEDCOLO-AS Autonomous System of      78    25        68
 4766  KIXS-AS-KR                              62     7        89
16265  LEASEWEB AS                             44    33        25
30058  FDCSE FDCservers.net LLC                36     9        75
23522  CIT-FOONET                              35    15        57
15083  IIS-129 Infolink Information Servic     35     7        80
33597  InfoRelay Online Systems, Inc.          29     0       100
 8560  SCHLUND-AS                              27    10        63
  174  Cogent Communications                   27    17        37
30315  Everyones Internet                      26    10        62
 7132  SBC Internet Services                   26     2        92
25761  STAMIN-2 Staminus Communications        25    14        44
 3561  Savvis                                  25     3        88
13213  UK2NET-AS UK-2 Ltd Autonomous Syste     24     0       100
 3269  TELECOM ITALIA                          24    13        46
12832  Lycos Europe                            24     5        79
 9121  TTNet                                   23    21         9
 4314  IIS-64 I-55 INTERNET SERVICES           23     2        91
30407  Velcom.com                              23    23         0

Top 20 ASNs by number of active suspect C&Cs. These counts are
determined by the number of suspect domains or IPs located within
the ASN that completed a connection request.
                                                         Percent_
  ASN  Responsible Party                    Total  Open  Resolved
16265  LEASEWEB AS                             44    33        25
13301  UNITEDCOLO-AS Autonomous System of      78    25        68
30407  Velcom.com                              23    23         0
 9121  TTNet                                   23    21         9
  174  Cogent Communications                   27    17        37
23522  CIT-FOONET                              35    15        57
19318  NJIIX-AS-1 - NEW JERSEY INTERN          97    15        85
25761  STAMIN-2 Staminus Communications        25    14        44
 3269  TELECOM ITALIA                          24    13        46
26496  Go Daddy Software, Inc.                 11    11         0
 8560  SCHLUND-AS                              27    10        63
30315  Everyones Internet                      26    10        62
30058  FDCSE FDCservers.net LLC                36     9        75
 7479  KDDHK-AS-AP KDD HONG KONG LIMITED        8     8         0
 9911  CONNECTPLUS-AP Singapore Telecom         9     7        22
15083  IIS-129 Infolink Information Servic     35     7        80
 4766  KIXS-AS-KR                              62     7        89
 9316  DACOM-PUBNETPLUS-AS-KR                  11     7        36
12322  PROXAD AS for Proxad ISP                 8     6        25
 3786  ERX-DACOMNET                            13     6        54

Randal Vaughn
Professor
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu

Gadi Evron
ge at linuxbox.org
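The survey instrument and the per-ASN summary described in the report above, as an added example in Python. This is not the TISF/DA or ASreport project's own code. It assumes the instrument is a plain TCP connect() to each suspect host and port with nothing sent once the handshake completes, and that the ASN of each entry is looked up elsewhere and passed in (the report does not show how a resolved IP is mapped to its ASN). The table rows embedded below are taken from the report's first table; the per-entry outcomes expanded from them are constructed.

```python
"""Survey instrument and per-ASN summary for a C&C report of this kind.

Added example, not the TISF/DA project's own code. Assumptions:
  * the survey instrument is a plain TCP connect() to host:port, and
    nothing is sent once the handshake completes;
  * the ASN of each suspect entry is looked up elsewhere and passed in
    (the report does not show how a resolved IP is mapped to its ASN).
"""
import errno
import socket
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

OPEN, CLOSED, RESET = "open", "closed", "reset"

# One survey result: (ASN, responsible party, outcome).
SurveyRow = Tuple[int, str, str]


def classify(host: str, port: int, timeout: float = 5.0) -> str:
    """Probe one suspect C&C and label it with the report's three terms.

    open   - TCP handshake completed; the socket is closed at once.
    reset  - the peer answered the SYN with RST (connect -> ECONNREFUSED).
    closed - no activity: SYN unanswered within `timeout`, or no usable
             path (host/net unreachable). Unresolvable names also land
             here; that is this example's choice, not a rule of the report.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        err = sock.connect_ex((host, port))
    except OSError:             # gaierror, TimeoutError, unreachable
        return CLOSED
    finally:
        sock.close()
    if err == 0:
        return OPEN
    if err == errno.ECONNREFUSED:
        return RESET
    return CLOSED               # ETIMEDOUT, EHOSTUNREACH, ENETUNREACH, ...


def percent_resolved(total: int, opened: int) -> int:
    """The report's Percent_resolved column: share of an ASN's suspect
    entries that did NOT complete a handshake, rounded half-up. Derived
    from Total and Open only, so a C&C that was merely offline during
    the survey scores the same as one that was actually taken down."""
    return int(100 * (total - opened) / total + 0.5)


def summarize(results: Iterable[SurveyRow]) -> Dict[int, Tuple[str, int, int, int]]:
    """Aggregate per-entry outcomes into ASN -> (party, Total, Open, Pct).

    Duplicates are kept on purpose, as in the report: several domains
    that resolve to one IP in an ASN each count as their own entry."""
    total: Dict[int, int] = defaultdict(int)
    opened: Dict[int, int] = defaultdict(int)
    party: Dict[int, str] = {}
    for asn, name, outcome in results:
        party[asn] = name
        total[asn] += 1
        if outcome == OPEN:
            opened[asn] += 1
    return {asn: (party[asn], total[asn], opened[asn],
                  percent_resolved(total[asn], opened[asn]))
            for asn in total}


def top(summary: Dict[int, Tuple[str, int, int, int]], by: str = "total",
        n: int = 20) -> List[Tuple[int, str, int, int, int]]:
    """Order ASNs the way the two report tables do: by Total or by Open,
    ties broken by ASN so the order is reproducible."""
    col = {"total": 2, "open": 3}[by]
    rows = [(asn, *vals) for asn, vals in summary.items()]
    return sorted(rows, key=lambda r: (-r[col], r[0]))[:n]


# Rows taken from the report's first table: (ASN, party, Total, Open).
REPORT_ROWS = [
    (19318, "NJIIX-AS-1 - NEW JERSEY INTERN", 97, 15),
    (16265, "LEASEWEB AS", 44, 33),
    (33597, "InfoRelay Online Systems, Inc.", 29, 0),
    (9121, "TTNet", 23, 21),
    (30407, "Velcom.com", 23, 23),
]


def constructed_results(rows=REPORT_ROWS) -> List[SurveyRow]:
    """Expand table rows into per-entry outcomes. Constructed, not survey
    data: the first `Open` entries answer, the rest alternate closed/reset."""
    out: List[SurveyRow] = []
    for asn, name, total, opened in rows:
        for i in range(total):
            if i < opened:
                out.append((asn, name, OPEN))
            else:
                out.append((asn, name, CLOSED if i % 2 else RESET))
    return out


if __name__ == "__main__":
    summary = summarize(constructed_results())
    print(f"{'ASN':>5}  {'Responsible Party':<32} {'Total':>5} {'Open':>5} {'Pct':>4}")
    for asn, name, total, opened, pct in top(summary, by="open"):
        print(f"{asn:>5}  {name:<32} {total:>5} {opened:>5} {pct:>4}")
    # Live probe of a local port that normally has no listener; expect 'reset'.
    print("127.0.0.1:9 ->", classify("127.0.0.1", 9, timeout=2.0))
```

Running the file prints the second table's ordering (by Open) for the embedded rows and then probes one local port. The Percent_resolved routine makes the report's caveat concrete: because it uses only Total and Open, an ASN whose C&Cs simply did not answer during the survey window gets the same figure as one that took them down, which is why the report says it is not a mitigation metric.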

c2report@isotf.org wrote:

> This is a periodic public report from the ISOTF's affiliated group 'DA'
> (Drone Armies (botnets) research and mitigation mailing list / TISF

<snip>

>                                                          Percent_

<snip>

> 26496  Go Daddy Software, Inc.                 11    11         0

Correction. AS 26496's inclusion in this list was an error, as all 11
C&Cs are mitigated.

<snip>

Regards,
Randy