North American Network Operators Group


Subject: drone armies C&C report - February/2006

  • From: c2report
  • Date: Tue Feb 21 01:21:22 2006

Below is an automatically generated periodic public report from the
ISOTF's affiliated group "DA" ("Drone Armies (botnets) research and
mitigation mailing list" / TISF DA) with the ISOTF affiliated ASreport
project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.

In the past few months we did not publish this report, allowing
responsible parties to ask us for regular reports on suspected botnet
C&C activity on their networks. As you can see below, the Internet
drastically changed its face positively because of these reports
(compared to when we started), and now a lot more so due to direct
reporting.

For purposes of this report we use the following terms:
open      the host completed the TCP handshake
closed    no activity detected
reset     the host issued a RST

This month's survey is of 4271 unique suspect C&Cs (domain with port or
IP with port). This list is extracted from the BBL, which currently has
a historical base of 7780 reported C&Cs. Of the suspect C&Cs surveyed,
685 reported as open, 3353 reported as closed and 572 issued resets to
the survey instrument. Of the C&Cs listed by domain name, 1847 are
mitigated via remapping.


Top 20 ASNs by total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN. We do not remove duplicates, and some of
the ASNs reported have many domains mapping to a single IP. Note that
the Percent_Resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.

ASN     Responsible Party                       Total   Open Percent_Resolved
14744   PNAP Internap Network Services          91      0       100%
10913   PNAP Internap Network Services          67      0       100%
30058   FDCSE FDCservers.net LLC                65      18      72%
25761   STAMIN-2 Staminus Communications        58      6       90%
3356    Level 3 Communications, LLC             53      0       100%
13301   UNITEDCOLO-AS Autonomous System of      52      35      33%
14779   INKT Inktomi Corporation                42      0       100%
21844   THE PLANET                              41      2       95%
19318   AIC-81 Albany International Corp.       40      11      73%
13749   EVRY Everyones Internet                 37      5       86%
4766    KIXS-AS-KR                              35      2       94%
30315   Everyones Internet                      31      12      61%
12182   PNAP Internap Network Services          31      0       100%
9318    HANARO-AS                               30      9       70%
21840   SAGONE Sago Networks                    30      5       83%
13790   PNAP Internap Network Services          30      0       100%
22822   LLNW Limelight Networks                 29      10      66%
27595   ATRIV Atrivo                            27      5       81%
12832   Lycos Europe                            26      3       88%
3561    Savvis                                  24      1       96%


Top 20 ASNs by number of active suspect C&Cs. These counts are
determined by the number of suspect domains or IPs located within
the ASN that completed a connection request.

ASN     Responsible Party                       Total   Open Percent_Resolved
13301   UNITEDCOLO-AS Autonomous System of      52      35      33%
32748   NOZON NoZone                            21      20      5%
30058   FDCSE FDCservers.net LLC                65      18      72%
174     Cogent Communications                   20      16      20%
25700   SWIFTDESK VENTURE                       19      13      32%
30315   Everyones Internet                      31      12      61%
4134    CHINANET-BACKBONE                       17      12      29%
19318   AIC-81 Albany International Corp.       40      11      73%
9121    TTNet                                   15      11      27%
22822   LLNW Limelight Networks                 29      10      66%
8972    INTERGENIA-ASN intergenia autonomou     21      10      52%
15083   IIS-129 Infolink Information Servic     24      9       63%
30407   Velcom.com                              12      9       25%
9318    HANARO-AS                               30      9       70%
20115   Charter Communications                  20      9       55%
23522   CIT-FOONET                              14      9       36%
16265   LEASEWEB AS                             15      9       40%
3269    TELECOM ITALIA                          16      8       50%
8560    SCHLUND-AS                              19      7       63%
19166   Alpha Red, INC                          14      7       50%
33569   ALLHOSTSHOP.COM                         16      6       63%
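As an added example (not part of the report or the TISF DA/RatOut tooling), the following Python parses rows in the layout of the two tables above and recomputes Percent_Resolved the way the report defines it, as the share of surveyed domains/IPs in the ASN that did not complete the TCP handshake, which is why it says nothing about mitigation: an ASN can show 72% "resolved" and still host 18 live C&Cs, so the Open column is the number a responder should act on. The sample rows are copied from the tables above; the half-up rounding rule is inferred from them (e.g. 24 total / 9 open prints as 63%).

```python
import re
from dataclasses import dataclass

# Sample rows in the report's layout (ASN, responsible party, Total, Open,
# Percent_Resolved), taken from the February/2006 tables above.
SAMPLE_ROWS = """\
13301   UNITEDCOLO-AS Autonomous System of      52      35      33%
32748   NOZON NoZone                            21      20      5%
15083   IIS-129 Infolink Information Servic     24      9       63%
14744   PNAP Internap Network Services          91      0       100%
"""

# ASN, free-text party name (may itself contain digits), three numeric columns.
ROW_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+(\d+)\s+(\d+)\s+(\d+)%\s*$")


@dataclass
class AsnRow:
    asn: int
    party: str
    total: int          # suspect domains/IPs mapping into the ASN
    open_hosts: int     # of those, how many completed the TCP handshake
    reported_pct: int   # Percent_Resolved as printed in the report


def percent_resolved(total, open_hosts):
    """(Total - Open) / Total * 100, rounded half-up, using integer math.
    Python's round() rounds half to even (62.5 -> 62); the table shows 63,
    so the rule is inferred as half-up: floor(x + 0.5)."""
    if total == 0:
        return 0
    return ((total - open_hosts) * 200 + total) // (2 * total)


def parse_rows(text):
    """Parse table rows; header and blank lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            asn, party, total, open_hosts, pct = m.groups()
            rows.append(AsnRow(int(asn), party.strip(), int(total),
                               int(open_hosts), int(pct)))
    return rows


def inconsistent_rows(rows):
    """ASNs whose printed Percent_Resolved disagrees with the recomputed value."""
    return [r.asn for r in rows
            if percent_resolved(r.total, r.open_hosts) != r.reported_pct]


def live_cc_by_asn(rows):
    """The actionable figure per ASN: suspect C&Cs that are actually reachable."""
    return {r.asn: r.open_hosts for r in rows}
```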