[apops] [Fwd: Subject: drone armies C&C report - February/2006]

  • To: apops at apops dot net
  • Subject: [apops] [Fwd: Subject: drone armies C&C report - February/2006]
  • From: Gadi Evron <ge at linuxbox dot org>
  • Date: Tue, 21 Feb 2006 08:33:05 +0200
  • List-archive: <http://www.apnic.net/mailing-lists/apops>
  • List-help: <mailto:apops-request@apops.net?subject=help>
  • List-id: Asia Pacific Operators Forum <apops.apops.net>
  • List-post: <mailto:apops@apops.net>
  • List-subscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:apops-request@apops.net?subject=subscribe>
  • List-unsubscribe: <http://mailman.apnic.net/mailman/listinfo/apops>, <mailto:apops-request@apops.net?subject=unsubscribe>
  • User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)
      Starting with our next report we will also automatically post (once a month) here as well.
      
      	Gadi.
      
      --- Begin Message ---
      Below is an automatically generated periodic public report from the
      ISOTF's affiliated group "DA" ("Drone Armies (botnets) research and
      mitigation mailing list" / TISF DA) with the ISOTF affiliated ASreport
      project (TISF / RatOut).
      
      For this report it should be noted that we base our analysis on the data
      we have accumulated from various sources, which may be incomplete.
      
      Any responsible party that wishes to receive reports of botnet command
      and control servers on their network(s) regularly and directly, feel
      free to contact us.
      
      In the past few months we did not publish this report, allowing
      responsible parties to ask for regular reports from us on suspected
      botnet C&C activity on their networks. As you can see below, the face
      of the Internet has changed drastically for the better because of these
      reports (compared to when we started), and now even more so due to
      direct reporting.
      
      For purposes of this report we use the following terms:
      open      the host completed the TCP handshake
      closed    no activity detected
      reset     the host issued a RST
      
      This month's survey is of 4271 unique suspect C&Cs (domain with port
      or IP with port). This list is extracted from the BBL, which currently
      has a historical base of 7780 reported C&Cs. Of the suspect C&Cs
      surveyed, 685 reported as open, 3353 reported as closed and 572 issued
      resets to the survey instrument. Of the C&Cs listed by domain name,
      1847 are mitigated via remapping.
      
      
      Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
      These numbers are determined by counting the number of domains which
      resolve to a host in the ASN.  We do not remove duplicates and some of
      the ASNs reported have many domains mapping to a single IP.  Note the
      Percent_resolved figure is calculated using only the Total and Open
      counts and does not represent a mitigation effectiveness metric.
      
      ASN     Responsible Party                       Total   Open Percent_Resolved
      14744   PNAP Internap Network Services          91      0       100%
      10913   PNAP Internap Network Services          67      0       100%
      30058   FDCSE FDCservers.net LLC                65      18      72%
      25761   STAMIN-2 Staminus Communications        58      6       90%
      3356    Level 3 Communications, LLC             53      0       100%
      13301   UNITEDCOLO-AS Autonomous System of      52      35      33%
      14779   INKT Inktomi Corporation                42      0       100%
      21844   THE PLANET                              41      2       95%
      19318   AIC-81 Albany International Corp.       40      11      73%
      13749   EVRY Everyones Internet                 37      5       86%
      4766    KIXS-AS-KR                              35      2       94%
      30315   Everyones Internet                      31      12      61%
      12182   PNAP Internap Network Services          31      0       100%
      9318    HANARO-AS                               30      9       70%
      21840   SAGONE Sago Networks                    30      5       83%
      13790   PNAP Internap Network Services          30      0       100%
      22822   LLNW Limelight Networks                 29      10      66%
      27595   ATRIV Atrivo                            27      5       81%
      12832   Lycos Europe                            26      3       88%
      3561    Savvis                                  24      1       96%
      
      
      Top 20 ASNes by number of active suspect C&Cs.  These counts are
      determined by the number of suspect domains or IPs located within
      the ASN that completed a connection request.
      
      ASN     Responsible Party                       Total   Open Percent_Resolved
      13301   UNITEDCOLO-AS Autonomous System of      52      35      33%
      32748   NOZON NoZone                            21      20      5%
      30058   FDCSE FDCservers.net LLC                65      18      72%
      174     Cogent Communications                   20      16      20%
      25700   SWIFTDESK VENTURE                       19      13      32%
      30315   Everyones Internet                      31      12      61%
      4134    CHINANET-BACKBONE                       17      12      29%
      19318   AIC-81 Albany International Corp.       40      11      73%
      9121    TTNet                                   15      11      27%
      22822   LLNW Limelight Networks                 29      10      66%
      8972    INTERGENIA-ASN intergenia autonomou     21      10      52%
      15083   IIS-129 Infolink Information Servic     24      9       63%
      30407   Velcom.com                              12      9       25%
      9318    HANARO-AS                               30      9       70%
      20115   Charter Communications                  20      9       55%
      23522   CIT-FOONET                              14      9       36%
      16265   LEASEWEB AS                             15      9       40%
      3269    TELECOM ITALIA                          16      8       50%
      8560    SCHLUND-AS                              19      7       63%
      19166   Alpha Red, INC                          14      7       50%
      33569   ALLHOSTSHOP.COM                         16      6       63%
      
      

      --- End Message ---
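The two tables in the forwarded report derive Percent_Resolved from the Total and Open columns only. The following is an added example, not code from the DA/ASreport project or the report's author: it parses rows in the report's table layout, recomputes that percentage with round-half-up integer arithmetic (which is the rounding the printed figures follow, e.g. 24/9 gives 62.5 printed as 63%), flags any row whose printed value disagrees, and re-orders rows by Open count the way the second table does. The sample rows are copied from the tables above; the regular expression and function names are this example's own assumptions about the layout.

```python
"""Re-derive the Percent_Resolved column of the C&C survey tables.

Added example, not part of the original report. Percent_Resolved is
(Total - Open) / Total, rounded half up, as the report's note states;
it is not a mitigation-effectiveness metric.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of rows copied from the two tables in the report.
SAMPLE_TABLE = """\
ASN     Responsible Party                       Total   Open Percent_Resolved
14744   PNAP Internap Network Services          91      0       100%
30058   FDCSE FDCservers.net LLC                65      18      72%
13301   UNITEDCOLO-AS Autonomous System of      52      35      33%
19318   AIC-81 Albany International Corp.       40      11      73%
32748   NOZON NoZone                            21      20      5%
15083   IIS-129 Infolink Information Servic     24      9       63%
"""

# ASN, free-text party name, then three numeric columns; the header line
# does not match because it starts with letters. (Assumed layout.)
ROW_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+(\d+)\s+(\d+)\s+(\d+)%\s*$")


@dataclass(frozen=True)
class AsnRow:
    asn: int
    party: str
    total: int
    open_: int
    reported_pct: int


def percent_resolved(total: int, open_: int) -> int:
    """Share of surveyed C&Cs that did NOT complete a handshake, rounded half up.

    Integer arithmetic is used deliberately: Python's round() is
    half-to-even, so round(62.5) == 62, while the report prints 63%.
    """
    if total <= 0:
        raise ValueError("total must be positive")
    return (200 * (total - open_) + total) // (2 * total)


def parse_table(text: str) -> list[AsnRow]:
    """Parse report-style rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        asn, party, total, open_, pct = m.groups()
        rows.append(AsnRow(int(asn), party.strip(), int(total), int(open_), int(pct)))
    return rows


def check_rows(rows: list[AsnRow]) -> list[tuple[int, int, int]]:
    """Return (asn, reported, recomputed) for every row whose figure disagrees."""
    mismatches = []
    for r in rows:
        recomputed = percent_resolved(r.total, r.open_)
        if recomputed != r.reported_pct:
            mismatches.append((r.asn, r.reported_pct, recomputed))
    return mismatches


def sort_by_open(rows: list[AsnRow]) -> list[AsnRow]:
    """Order rows as the second table does: most active (Open) C&Cs first."""
    return sorted(rows, key=lambda r: r.open_, reverse=True)


if __name__ == "__main__":
    parsed = parse_table(SAMPLE_TABLE)
    for r in sort_by_open(parsed):
        print(f"{r.asn:<8}{r.party:<40}{r.total:<8}{r.open_:<8}{percent_resolved(r.total, r.open_)}%")
    print("mismatches:", check_rows(parsed))
```

A 100% figure only means no surveyed host in that ASN completed a handshake at survey time; as the report notes, it says nothing about whether the hosts were actually taken down.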