Drone Armies C&C Report - 17 Nov 2006
This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.
Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.
For purposes of this report we use the following terms
open the host completed the TCP handshake
closed No activity detected
reset issued a RST
This month's survey is of 4189 unique, domains (or IPs) with
port suspect C&Cs. This list is extracted from the BBL which
has a historical base of 13405 reported C&Cs. Of the suspect C&Cs
surveyed, 649 reported as Open, 947 reported as closed,
and 755 issued resets to the survey instrument. Of the C&Cs
listed by domain name in the our C&C database, 5847 are mitigated.
Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN. We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP. Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
Percent_
ASN Responsible Party Total Open Resolved
19318 NJIIX-AS-1 - NEW JERSEY INTERN 117 27 77
13301 UNITEDCOLO-AS Autonomous System of 102 30 71
16265 LEASEWEB AS 55 38 31
23522 CIT-FOONET 46 33 28
8560 SCHLUND-AS 40 25 38
30058 FDCSE FDCservers.net LLC 38 12 68
4766 KIXS-AS-KR 33 5 85
15083 IIS-129 Infolink Information Servic 31 0 100
174 Cogent Communications 30 25 17
33597 InfoRelay Online Systems, Inc. 29 0 100
13213 UK2NET-AS UK-2 Ltd Autonomous Syste 26 0 100
9318 HANARO-AS 25 7 72
12832 Lycos Europe 24 0 100
1659 ERX-TANET-ASN1 24 6 75
24611 AS24611 Datacenter Luxembourg S.A. 23 0 100
7132 SBC Internet Services 23 4 83
30083 Server4You Inc. 22 8 64
4314 IIS-64 I-55 INTERNET SERVICES 22 2 91
19166 Alpha Red, INC 19 5 74
30407 Velcom.com 19 3 84
Top 20 ASNes by number of active suspect C&Cs. These counts are
determined by the number of suspect domains or IPs located within
the ASN completed a connection request.
Percent_
ASN Responsible Party Total Open Resolved
16265 LEASEWEB AS 55 38 31
23522 CIT-FOONET 46 33 28
13301 UNITEDCOLO-AS Autonomous System of 102 30 71
19318 NJIIX-AS-1 - NEW JERSEY INTERN 117 27 77
8560 SCHLUND-AS 40 25 38
174 Cogent Communications 30 25 17
30058 FDCSE FDCservers.net LLC 38 12 68
30315 Everyones Internet 13 8 38
15516 DK-ARROWHEAD 9 8 11
9800 UNICOM 19 8 58
30083 Server4You Inc. 22 8 64
12322 PROXAD AS for Proxad ISP 10 8 20
28753 NETDIRECT AS NETDIRECT Frankfurt 13 8 38
3786 ERX-DACOMNET 14 8 43
36263 forona. 11 7 36
9318 HANARO-AS 25 7 72
3462 HINET 13 7 46
34305 EUROACCESS Euroaccess 9 7 22
6140 ImpSat 8 6 25
1659 ERX-TANET-ASN1 24 6 75
A version of this report with addition rankings can be found
via the isotf.org home page.
Randal Vaughn Gadi Evron
Professor ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu