Drone Armies C&C Report - 31 May 2006

This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly should
feel free to contact us.

For purposes of this report we use the following terms:
  open    the host completed the TCP handshake
  closed  no activity detected
  reset   issued a RST

This month's survey covers 3151 unique suspect C&Cs, each identified by
a domain (or IP) with port. This list is extracted from the BBL, which
has a historical base of 10115 reported C&Cs. Of the suspect C&Cs
surveyed, 649 reported as open, 935 reported as closed,
and 569 issued resets to the survey instrument. Of the C&Cs
listed by domain name in our C&C database, 4666 are mitigated.

Top 20 ASNs by total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN. We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP. Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
                                                        Percent_
  ASN  Responsible Party                   Total  Open  Resolved
13301  UNITEDCOLO-AS Autonomous System of     54    27        50
19318  AIC-81 Albany International Corp.      49    14        71
 4134  CHINANET-BACKBONE                      37    16        57
23522  CIT-FOONET                             35    20        43
 8972  INTERGENIA-ASN intergenia autonomou    35    17        51
 4766  KIXS-AS-KR                             32     7        78
 4314  IIS-64 I-55 INTERNET SERVICES          28     1        96
 4837  CHINA169-Backbone                      27     8        70
30315  Everyones Internet                     25    11        56
33597  InfoRelay Online Systems, Inc.         24     0       100
 7132  SBC Internet Services                  24     5        79
 9318  HANARO-AS                              24     8        67
 3561  Savvis                                 23     3        87
 8560  SCHLUND-AS                             22     5        77
13749  EVRY Everyones Internet                22     2        91
13213  UK2NET-AS UK-2 Ltd Autonomous Syste    20     0       100
29073  COLINKS-AS Colinks web and game hos    19    13        32
27595  ATRIV Atrivo                           19     3        84
 3462  HINET                                  19     7        63
21840  SAGONE Sago Networks                   18     3        83

Top 20 ASNs by number of active suspect C&Cs. These counts are
determined by the number of suspect domains or IPs located within
the ASN that completed a connection request.
                                                        Percent_
  ASN  Responsible Party                   Total  Open  Resolved
13301  UNITEDCOLO-AS Autonomous System of     54    27        50
23522  CIT-FOONET                             35    20        43
 8972  INTERGENIA-ASN intergenia autonomou    35    17        51
 4134  CHINANET-BACKBONE                      37    16        57
13237  LAMBDANET-AS                           18    14        22
19318  AIC-81 Albany International Corp.      49    14        71
29073  COLINKS-AS Colinks web and game hos    19    13        32
30315  Everyones Internet                     25    11        56
  174  Cogent Communications                  16    10        38
 9318  HANARO-AS                              24     8        67
 4837  CHINA169-Backbone                      27     8        70
 3269  TELECOM ITALIA                         12     7        42
 3462  HINET                                  19     7        63
 4766  KIXS-AS-KR                             32     7        78
19262  Verizon Internet Services              14     7        50
12322  PROXAD AS for Proxad ISP                6     6         0
28753  NETDIRECT AS NETDIRECT Frankfurt        8     6        25
16265  LEASEWEB AS                            11     6        45
 3786  ERX-DACOMNET                            9     6        33
 9600  SONY CORPORATION                        7     6        14

Randal Vaughn                   Gadi Evron
Professor                       ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu
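
Added example, not part of the original report: a parser for the table rows above that recomputes Percent_Resolved and ranks ASNs by either column. The report only says the figure uses the Total and Open counts; the formula 100 * (Total - Open) / Total with half-up rounding is an assumption inferred from the published rows, and the function names are hypothetical.

```python
import re

# Rows copied from the report's two tables: ASN, responsible party (truncated
# as published), Total, Open, published Percent_Resolved.
SAMPLE_ROWS = """\
13301 UNITEDCOLO-AS Autonomous System of 54 27 50
19318 AIC-81 Albany International Corp. 49 14 71
4314 IIS-64 I-55 INTERNET SERVICES 28 1 96
33597 InfoRelay Online Systems, Inc. 24 0 100
13237 LAMBDANET-AS 18 14 22
  174 Cogent Communications 16 10 38
12322 PROXAD AS for Proxad ISP 6 6 0
"""

# The party name may contain spaces and digits, so anchor on the three
# trailing integer columns and let the name take whatever is left.
ROW_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:  # header and blank lines do not match
            asn, party, total, open_, published = m.groups()
            rows.append({"asn": int(asn), "party": party, "total": int(total),
                         "open": int(open_), "published": int(published)})
    return rows

def percent_resolved(total, open_count):
    # Assumed formula (inferred, not stated in the report):
    # 100 * (Total - Open) / Total, rounded half up with integer arithmetic.
    if total <= 0 or not 0 <= open_count <= total:
        raise ValueError("need 0 <= open <= total and total > 0")
    return (200 * (total - open_count) + total) // (2 * total)

def mismatches(rows):
    # ASNs whose published figure differs from the recomputed one.
    return [r["asn"] for r in rows
            if percent_resolved(r["total"], r["open"]) != r["published"]]

def top_by(rows, column, n=3):
    # Stable descending sort: ties keep their input order.
    return [r["asn"] for r in sorted(rows, key=lambda r: r[column], reverse=True)[:n]]

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("mismatches:", mismatches(rows))
    print("top by Total:", top_by(rows, "total"))
    print("top by Open: ", top_by(rows, "open"))
```

The Cogent row (16 total, 10 open, exactly 37.5) is the only row in either table that exercises the rounding direction.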