Message-ID: <Pine.LNX.4.21.0606302207040.26542-100000@linuxbox.org>
Date: Sat Jul 1 15:05:15 2006
From: ge at linuxbox.org (Gadi Evron)
Subject: Drone Armies C&C Report - 30 Jun 2006 (fwd)
We usually send this only to bugtraq, but I figured I'll gage interest by
sending it here as well this month.
---------- Forwarded message ----------
Date: Fri, 30 Jun 2006 21:51:33 -0500
From: c2report@...tf.org
To: nanog@...it.edu
Subject: Drone Armies C&C Report - 30 Jun 2006
This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.
Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.
For purposes of this report we use the following terms:

  open    the host completed the TCP handshake
  closed  No activity detected
  reset   issued a RST

This month's survey is of 3420 unique domains (or IPs) with
port suspect C&Cs. This list is extracted from the BBL which
has a historical base of 10579 reported C&Cs. Of the suspect C&Cs
surveyed, 624 reported as Open, 1110 reported as closed,
and 580 issued resets to the survey instrument. Of the C&Cs
listed by domain name in our C&C database, 4778 are mitigated.
Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN. We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP. Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.

                                                          Percent_
ASN     Responsible Party                    Total  Open  Resolved
19318   NJIIX-AS-1 - NEW JERSEY INTERN          75    13        83
23522   CIT-FOONET                              51    19        63
13301   UNITEDCOLO-AS Autonomous System of      51    14        73
4766    KIXS-AS-KR                              39    14        64
4134    CHINANET-BACKBONE                       27    14        48
9318    HANARO-AS                               26     8        69
4314    IIS-64 I-55 INTERNET SERVICES           26     2        92
7132    SBC Internet Services                   25     6        76
33597   InfoRelay Online Systems, Inc.          24     0       100
8560    SCHLUND-AS                              24     6        75
4837    CHINA169-Backbone                       23    10        57
3561    Savvis                                  22     2        91
30315   Everyones Internet                      22    10        55
13749   EVRY Everyones Internet                 21     1        95
1659    ERX-TANET-ASN1                          21     6        71
174     Cogent Communications                   20    13        35
13237   LAMBDANET-AS                            20    15        25
13213   UK2NET-AS UK-2 Ltd Autonomous Syste     20     0       100
21840   SAGONE Sago Networks                    19     3        84
29073   COLINKS-AS Colinks web and game hos     19    18         5

Top 20 ASNes by number of active suspect C&Cs. These counts are
determined by the number of suspect domains or IPs located within
the ASN that completed a connection request.

                                                          Percent_
ASN     Responsible Party                    Total  Open  Resolved
23522   CIT-FOONET                              51    19        63
29073   COLINKS-AS Colinks web and game hos     19    18         5
13237   LAMBDANET-AS                            20    15        25
4766    KIXS-AS-KR                              39    14        64
13301   UNITEDCOLO-AS Autonomous System of      51    14        73
4134    CHINANET-BACKBONE                       27    14        48
19318   NJIIX-AS-1 - NEW JERSEY INTERN          75    13        83
174     Cogent Communications                   20    13        35
30315   Everyones Internet                      22    10        55
4837    CHINA169-Backbone                       23    10        57
10032   HGC-AS-AP Hutchison Global Crossing     11    10         9
9911    CONNECTPLUS-AP Singapore Telecom        13    10        23
35908   Krypt Technologies Inc.                 13     9        31
36263   forona.                                 10     8        20
9318    HANARO-AS                               26     8        69
9600    SONY CORPORATION                         7     7         0
16265   LEASEWEB AS                             13     7        46
18942   WEBHO-3 WebHostPlus Inc                  7     6        14
1659    ERX-TANET-ASN1                          21     6        71
12322   PROXAD AS for Proxad ISP                 7     6        14

Randal Vaughn                   Gadi Evron
Professor                       ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu