North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Drone Armies C&C Report - 01 Apr 2006

  • From: c2report
  • Date: Sat Apr 01 13:42:46 2006


This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.

For purposes of this report we use the following terms
open	the host completed the TCP handshake
closed	No activity detected
reset	issued a RST

This month's survey is of 5621 unique, domains (or IPs) with
port suspect C&Cs. This list is extracted from the BBL which
has a historical base of 8182 reported C&Cs. Of the suspect C&Cs
surveyed, 674 reported as Open, 3507 reported as closed,
and 678 issued resets to the survey instrument. Of the C&Cs 
listed by domain name in the our C&C database, 1739 are mitigated.

Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN.  We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP.  Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
                                                                Percent_
ASN     Responsible Party                       Total   Open    Resolved
14744   PNAP Internap Network Services            118     17     86
10913   PNAP Internap Network Services             96      0    100
 3356   Level 3 Communications, LLC                72      0    100
30058   FDCSE FDCservers.net LLC                   65      9     86
25761   STAMIN-2 Staminus Communications           64     18     72
19318   AIC-81 Albany International Corp.          61     21     66
13301   UNITEDCOLO-AS Autonomous System of         57     35     39
14779   INKT Inktomi Corporation                   56      0    100
 4766   KIXS-AS-KR                                 46      8     83
12182   PNAP Internap Network Services             44      0    100
21844   THE PLANET                                 40      0    100
30315   Everyones Internet                         34     10     71
13790   PNAP Internap Network Services             33      0    100
 8972   INTERGENIA-ASN intergenia autonomou        30     17     43
21840   SAGONE Sago Networks                       29      3     90
27595   ATRIV Atrivo                               29      4     86
 8560   SCHLUND-AS                                 28      4     86
 3561   Savvis                                     27      2     93
 8220   COLT COLT Telecommunications               26     14     46
 6981   FDN.com                                    25     15     40

Top 20 ASNes by number of active suspect C&Cs.  These counts are
determined by the number of suspect domains or IPs located within
the ASN completed a connection request.
                                                                Percent_
ASN     Responsible Party                       Total   Open    Resolved
13301   UNITEDCOLO-AS Autonomous System of         57     35     39
19318   AIC-81 Albany International Corp.          61     21     66
25761   STAMIN-2 Staminus Communications           64     18     72
14744   PNAP Internap Network Services            118     17     86
 8972   INTERGENIA-ASN intergenia autonomou        30     17     43
30407   Velcom.com                                 19     17     11
 6981   FDN.com                                    25     15     40
 8220   COLT COLT Telecommunications               26     14     46
19875   IPWORL IPWorld Networks                    23     13     43
  702   MCI EMEA - Commercial IP                   22     13     41
23522   CIT-FOONET                                 18     12     33
15083   IIS-129 Infolink Information Servic        18     11     39
 3462   HINET                                      24     10     58
 9318   HANARO-AS                                  25     10     60
30315   Everyones Internet                         34     10     71
  174   Cogent Communications                      14     10     29
30058   FDCSE FDCservers.net LLC                   65      9     86
29073   COLINKS-AS Colinks web and game hos         9      9      0
19166   Alpha Red, INC                             12      8     33
 4766   KIXS-AS-KR                                 46      8     83


Randal Vaughn                             Gadi  Evron
Professor                                 ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu