<<< Date Index >>>     <<< Thread Index >>>

Drone Armies C&C Report - 17 Nov 2006




This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.

For purposes of this report we use the following terms
open    the host completed the TCP handshake
closed  No activity detected
reset   issued a RST

This month's survey is of 4189 unique, domains (or IPs) with
port suspect C&Cs. This list is extracted from the BBL which
has a historical base of 13405 reported C&Cs. Of the suspect C&Cs
surveyed, 649 reported as Open, 947 reported as closed,
and 755 issued resets to the survey instrument. Of the C&Cs 
listed by domain name in the our C&C database, 5847 are mitigated.

Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN.  We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP.  Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
                                                                Percent_
ASN     Responsible Party                       Total   Open    Resolved
19318   NJIIX-AS-1 - NEW JERSEY INTERN            117     27     77
13301   UNITEDCOLO-AS Autonomous System of        102     30     71
16265   LEASEWEB AS                                55     38     31
23522   CIT-FOONET                                 46     33     28
 8560   SCHLUND-AS                                 40     25     38
30058   FDCSE FDCservers.net LLC                   38     12     68
 4766   KIXS-AS-KR                                 33      5     85
15083   IIS-129 Infolink Information Servic        31      0    100
  174   Cogent Communications                      30     25     17
33597   InfoRelay Online Systems, Inc.             29      0    100
13213   UK2NET-AS UK-2 Ltd Autonomous Syste        26      0    100
 9318   HANARO-AS                                  25      7     72
12832   Lycos Europe                               24      0    100
 1659   ERX-TANET-ASN1                             24      6     75
24611   AS24611 Datacenter Luxembourg S.A.         23      0    100
 7132   SBC Internet Services                      23      4     83
30083   Server4You Inc.                            22      8     64
 4314   IIS-64 I-55 INTERNET SERVICES              22      2     91
19166   Alpha Red, INC                             19      5     74
30407   Velcom.com                                 19      3     84

Top 20 ASNes by number of active suspect C&Cs.  These counts are
determined by the number of suspect domains or IPs located within
the ASN completed a connection request.
                                                                Percent_
ASN     Responsible Party                       Total   Open    Resolved
16265   LEASEWEB AS                                55     38     31
23522   CIT-FOONET                                 46     33     28
13301   UNITEDCOLO-AS Autonomous System of        102     30     71
19318   NJIIX-AS-1 - NEW JERSEY INTERN            117     27     77
 8560   SCHLUND-AS                                 40     25     38
  174   Cogent Communications                      30     25     17
30058   FDCSE FDCservers.net LLC                   38     12     68
30315   Everyones Internet                         13      8     38
15516   DK-ARROWHEAD                                9      8     11
 9800   UNICOM                                     19      8     58
30083   Server4You Inc.                            22      8     64
12322   PROXAD AS for Proxad ISP                   10      8     20
28753   NETDIRECT AS NETDIRECT Frankfurt           13      8     38
 3786   ERX-DACOMNET                               14      8     43
36263   forona.                                    11      7     36
 9318   HANARO-AS                                  25      7     72
 3462   HINET                                      13      7     46
34305   EUROACCESS Euroaccess                       9      7     22
 6140   ImpSat                                      8      6     25
 1659   ERX-TANET-ASN1                             24      6     75

A version of this report with addition rankings can be found
via the isotf.org home page. 


Randal Vaughn                             Gadi  Evron
Professor                                 ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu