[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200612152218.kBFMI40S027225@mwpbu.baylor.edu>
Date: Fri, 15 Dec 2006 16:18:04 -0600
From: c2report@...tf.org
To: full-disclosure@...ts.grok.org.uk
Subject: Drone Armies C&C Report - 15 Dec 2006
This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).
For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.
Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.
For purposes of this report we use the following terms
open the host completed the TCP handshake
closed No activity detected
reset issued a RST
This month's survey is of 4898 unique, domains (or IPs) with
port suspect C&Cs. This list is extracted from the BBL which
has a historical base of 14350 reported C&Cs. Of the suspect C&Cs
surveyed, 575 reported as Open, 1588 reported as closed,
and 805 issued resets to the survey instrument. Of the C&Cs
listed by domain name in the our C&C database, 5867 are mitigated.
Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN. We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP. Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
Percent_
ASN Responsible Party Total Open Resolved
19318 NJIIX-AS-1 - NEW JERSEY INTERN 122 23 81
13301 UNITEDCOLO-AS Autonomous System of 116 37 68
30058 FDCSE FDCservers.net LLC 48 13 73
23522 CIT-FOONET 48 19 60
16265 LEASEWEB AS 43 7 84
8560 SCHLUND-AS 42 32 24
4766 KIXS-AS-KR 38 6 84
9318 HANARO-AS 36 15 58
7132 SBC Internet Services 36 6 83
174 Cogent Communications 34 28 18
4837 CHINA169-Backbone 32 6 81
13213 UK2NET-AS UK-2 Ltd Autonomous Syste 31 5 84
33597 InfoRelay Online Systems, Inc. 31 0 100
14744 PNAP Internap Network Services 30 0 100
15083 IIS-129 Infolink Information Servic 28 1 96
25761 STAMIN-2 Staminus Communications 26 11 58
3561 Savvis 25 1 96
10913 PNAP Internap Network Services 25 0 100
24611 AS24611 Datacenter Luxembourg S.A. 24 0 100
4314 IIS-64 I-55 INTERNET SERVICES 24 2 92
Top 20 ASNes by number of active suspect C&Cs. These counts are
determined by the number of suspect domains or IPs located within
the ASN completed a connection request.
Percent_
ASN Responsible Party Total Open Resolved
13301 UNITEDCOLO-AS Autonomous System of 116 37 68
8560 SCHLUND-AS 42 32 24
174 Cogent Communications 34 28 18
19318 NJIIX-AS-1 - NEW JERSEY INTERN 122 23 81
23522 CIT-FOONET 48 19 60
9318 HANARO-AS 36 15 58
30058 FDCSE FDCservers.net LLC 48 13 73
25761 STAMIN-2 Staminus Communications 26 11 58
3786 ERX-DACOMNET 18 8 56
29737 WideOpenWest LLC 11 8 27
1781 KAIST-DAEJEON-AS-KR Korea Advanced 11 8 27
18942 WEBHO-3 WebHostPlus Inc 11 7 36
16265 LEASEWEB AS 43 7 84
6939 HURRICANE - Hurricane Electric 11 6 45
4766 KIXS-AS-KR 38 6 84
4837 CHINA169-Backbone 32 6 81
7132 SBC Internet Services 36 6 83
12322 PROXAD AS for Proxad ISP 8 5 38
19444 CHARTER COMMUNICATIONS 6 5 17
29686 PROBENETWORKS-AS Probe Networks 5 5 0
A version of this report with addition rankings can be found
via the isotf.org home page.
Randal Vaughn Gadi Evron
Professor ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists