Drone Armies C&C Report - 19 Feb 2007
This is a periodic public report from the ISOTF's affiliated group 'DA' (Drone Armies (botnets) research and mitigation mailing list / TISF DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command and control servers on their network(s) regularly and directly should feel free to contact us.

For purposes of this report we use the following terms:

open    the host completed the TCP handshake
closed  No activity detected
reset   issued a RST

This month's survey is of 5730 unique suspect C&Cs (domains or IPs, with port). This list is extracted from the BBL, which has a historical base of 15292 reported C&Cs. Of the suspect C&Cs surveyed, 682 reported as open, 1990 reported as closed, and 749 issued resets to the survey instrument. Of the C&Cs listed by domain name in our C&C database, 7228 are mitigated.

Top 20 ASNs by total suspect domains mapping to a host in the ASN. These numbers are determined by counting the number of domains which resolve to a host in the ASN. We do not remove duplicates, and some of the ASNs reported have many domains mapping to a single IP. Note that the Percent_resolved figure is calculated using only the Total and Open counts and does not represent a mitigation effectiveness metric.

                                                         Percent_
ASN    Responsible Party                    Total  Open  Resolved
19318  NJIIX-AS-1 - NEW JERSEY INTERN         133    16        88
13301  UNITEDCOLO-AS Autonomous System of      89    35        61
4766   KIXS-AS-KR                              63    17        73
30058  FDCSE FDCservers.net LLC                45    14        69
23522  CIT-FOONET                              45    24        47
7132   SBC Internet Services                   41     3        93
13213  UK2NET-AS UK-2 Ltd Autonomous Syste     39     8        79
8560   SCHLUND-AS                              37     3        92
14779  INKT Inktomi Corporation                36     0       100
9318   HANARO-AS                               35     2        94
33597  InfoRelay Online Systems, Inc.          31     0       100
174    Cogent Communications                   31    27        13
4713   OCN NTT Communications Corporation      28    24        14
3561   Savvis                                  28     0       100
4134   CHINANET-BACKBONE                       27     6        78
16265  LEASEWEB AS                             26     5        81
24611  AS24611 Datacenter Luxembourg S.A.      26     0       100
12832  Lycos Europe                            25     0       100
9121   TTNet                                   25     1        96
3786   ERX-DACOMNET                            23     9        61

Top 20 ASNs by number of active suspect C&Cs. These counts are determined by the number of suspect domains or IPs located within the ASN that completed a connection request.

                                                         Percent_
ASN    Responsible Party                    Total  Open  Resolved
13301  UNITEDCOLO-AS Autonomous System of      89    35        61
174    Cogent Communications                   31    27        13
4713   OCN NTT Communications Corporation      28    24        14
23522  CIT-FOONET                              45    24        47
25973  Mzima Networks, Inc.                    20    18        10
4766   KIXS-AS-KR                              63    17        73
30506  Blacksun Technologies                   17    17         0
19318  NJIIX-AS-1 - NEW JERSEY INTERN         133    16        88
30058  FDCSE FDCservers.net LLC                45    14        69
23832  SPACELAN KANAZAWA CABLE TELEVISION      11    11         0
29339  MBBG-AS Markus Bach Betriebs Gesell     10    10         0
31103  KEYWEB-AS Keyweb AG                     11    10         9
11260  Andara High Speed Internet c/o Hali     10     9        10
3786   ERX-DACOMNET                            23     9        61
4837   CHINA169-Backbone                       22     8        64
9800   UNICOM                                  18     8        56
13213  UK2NET-AS UK-2 Ltd Autonomous Syste     39     8        79
24989  IXEUROPE-DE-FRANKFURT-ASN IX Europe     21     7        67
25761  STAMIN-2 Staminus Communications        21     7        67
8001   Net Access Corporation                  13     7        46

A version of this report with additional rankings can be found via the isotf.org home page.

Randal Vaughn                   Gadi Evron
Professor                       ge at linuxbox.org
Baylor University
Waco, TX (254) 710 4756
randy_vaughn at baylor.edu
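The per-ASN Total, Open and Percent_resolved columns in the tables above can be reproduced from raw survey rows as in the following added example, which is not the report authors' code. The formula (Total minus Open, over Total) is inferred from the published figures, and the sample rows, ASNs and addresses are constructed; the extra unique-IP count shows how many domains collapse onto one host when duplicates are not removed.

```python
from collections import defaultdict

# Constructed survey rows: (suspect domain, resolved IP, ASN, probe state).
# States use the report's terms: "open", "closed", "reset".
# ASNs and addresses come from the documentation-reserved ranges.
SAMPLE = [
    ("c2-a.example", "192.0.2.10", 64500, "open"),
    ("c2-b.example", "192.0.2.10", 64500, "open"),   # same IP as c2-a
    ("c2-c.example", "192.0.2.11", 64500, "closed"),
    ("c2-d.example", "192.0.2.12", 64500, "reset"),
    ("c2-e.example", "198.51.100.5", 64501, "open"),
    ("c2-f.example", "198.51.100.6", 64501, "closed"),
    ("c2-g.example", "203.0.113.7", 64502, "reset"),
]

def percent_resolved(total, open_count):
    """Percent of suspect entries that did not answer as open.

    Assumption: formula inferred from the report's tables, not stated by
    the authors. Integer arithmetic, rounded half up.
    """
    return (200 * (total - open_count) + total) // (2 * total)

def per_asn(rows):
    """Count domains per ASN without removing duplicate IPs."""
    stats = defaultdict(lambda: {"total": 0, "open": 0, "ips": set()})
    for _domain, ip, asn, state in rows:
        entry = stats[asn]
        entry["total"] += 1
        entry["ips"].add(ip)
        if state == "open":
            entry["open"] += 1
    return stats

def rank(rows, key, top=20):
    """Top ASNs by 'total' or 'open': (asn, total, open, pct, unique_ips)."""
    table = [
        (asn, s["total"], s["open"],
         percent_resolved(s["total"], s["open"]), len(s["ips"]))
        for asn, s in per_asn(rows).items()
    ]
    column = {"total": 1, "open": 2}[key]
    return sorted(table, key=lambda r: (-r[column], r[0]))[:top]

if __name__ == "__main__":
    for key in ("total", "open"):
        print(f"Top ASNs by {key}")
        for asn, total, opened, pct, ips in rank(SAMPLE, key):
            print(f"  AS{asn:<6} total={total} open={opened} "
                  f"resolved={pct}% unique_ips={ips}")
```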