Subject: drone armies C&C report - February/2006
Below is an automatically generated periodic public report from the ISOTF's affiliated group "DA" ("Drone Armies (botnets) research and mitigation mailing list" / TISF DA) with the ISOTF affiliated ASreport project (TISF / RatOut). For this report it should be noted that we base our analysis on the data we have accumulated from various sources, which may be incomplete. Any responsible party that wishes to receive reports of botnet command and control servers on their network(s) regularly and directly, feel free to contact us. In the past few months we did not publish this report, allowing for responsible parties to ask for regular reports from us on suspected botnet C&C activity on their networks. As you can see below, the Internet drastically changed its face positively because these reports (compared to when we started), and now a lot more so due to direct reporting. For purposes of this report we use the following terms: open the host completed the TCP handshake closed No activity detected reset issued a RST This month's survey is of 4271 unique domain with port or IP with port suspect C&Cs. This list is extracted from the BBL which currently has a historical base of 7780 reported C&Cs. Of the suspect C&Cs surveyed, 685 reported as Open, 3353 reported as closed and 572 issued resets to the survey instrument. Of the C&Cs listed by domain name, 1847 are mitigated via remapping. Top 20 ASNes by Total suspect domains mapping to a host in the ASN. These numbers are determined by counting the number of domains which resolve to a host in the ASN. We do not remove duplicates and some of the ASNs reported have many domains mapping to a single IP. Note the Percent_resolved figure is calculated using only the Total and Open counts and does not represent a mitigation effectiveness metric. ASN Responsible Party Total Open Percent_Resolved 14744 PNAP Internap Network Services 91 0 100% 10913 PNAP Internap Network Services 67 0 100% 30058 FDCSE FDCservers.net LLC 65 18 72% 25761 STAMIN-2 Staminus Communications 58 6 90% 3356 Level 3 Communications, LLC 53 0 100% 13301 UNITEDCOLO-AS Autonomous System of 52 35 33% 14779 INKT Inktomi Corporation 42 0 100% 21844 THE PLANET 41 2 95% 19318 AIC-81 Albany International Corp. 40 11 73% 13749 EVRY Everyones Internet 37 5 86% 4766 KIXS-AS-KR 35 2 94% 30315 Everyones Internet 31 12 61% 12182 PNAP Internap Network Services 31 0 100% 9318 HANARO-AS 30 9 70% 21840 SAGONE Sago Networks 30 5 83% 13790 PNAP Internap Network Services 30 0 100% 22822 LLNW Limelight Networks 29 10 66% 27595 ATRIV Atrivo 27 5 81% 12832 Lycos Europe 26 3 88% 3561 Savvis 24 1 96% Top 20 ASNes by number of active suspect C&Cs. These counts are determined by the number of suspect domains or IPs located within the ASN completed a connection request. ASN Responsible Party Total Open Percent_Resolved 13301 UNITEDCOLO-AS Autonomous System of 52 35 33% 32748 NOZON NoZone 21 20 5% 30058 FDCSE FDCservers.net LLC 65 18 72% 174 Cogent Communications 20 16 20% 25700 SWIFTDESK VENTURE 19 13 32% 30315 Everyones Internet 31 12 61% 4134 CHINANET-BACKBONE 17 12 29% 19318 AIC-81 Albany International Corp. 40 11 73% 9121 TTNet 15 11 27% 22822 LLNW Limelight Networks 29 10 66% 8972 INTERGENIA-ASN intergenia autonomou 21 10 52% 15083 IIS-129 Infolink Information Servic 24 9 63% 30407 Velcom.com 12 9 25% 9318 HANARO-AS 30 9 70% 20115 Charter Communications 20 9 55% 23522 CIT-FOONET 14 9 36% 16265 LEASEWEB AS 15 9 40% 3269 TELECOM ITALIA 16 8 50% 8560 SCHLUND-AS 19 7 63% 19166 Alpha Red, INC 14 7 50% 33569 ALLHOSTSHOP.COM 16 6 63%
participants (1)
-
c2report@isotf.org