North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Drone Armies C&C Report - 30 Jun 2006

  • From: c2report
  • Date: Fri Jun 30 22:53:13 2006



This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.

For purposes of this report we use the following terms
open	the host completed the TCP handshake
closed	No activity detected
reset	issued a RST

This month's survey is of 3420 unique, domains (or IPs) with
port suspect C&Cs. This list is extracted from the BBL which
has a historical base of 10579 reported C&Cs. Of the suspect C&Cs
surveyed, 624 reported as Open, 1110 reported as closed,
and 580 issued resets to the survey instrument. Of the C&Cs 
listed by domain name in the our C&C database, 4778 are mitigated.

Top 20 ASNes by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN.  We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP.  Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
                                                                Percent_
ASN     Responsible Party                       Total   Open    Resolved
19318   NJIIX-AS-1 - NEW JERSEY INTERN             75     13     83
23522   CIT-FOONET                                 51     19     63
13301   UNITEDCOLO-AS Autonomous System of         51     14     73
 4766   KIXS-AS-KR                                 39     14     64
 4134   CHINANET-BACKBONE                          27     14     48
 9318   HANARO-AS                                  26      8     69
 4314   IIS-64 I-55 INTERNET SERVICES              26      2     92
 7132   SBC Internet Services                      25      6     76
33597   InfoRelay Online Systems, Inc.             24      0    100
 8560   SCHLUND-AS                                 24      6     75
 4837   CHINA169-Backbone                          23     10     57
 3561   Savvis                                     22      2     91
30315   Everyones Internet                         22     10     55
13749   EVRY Everyones Internet                    21      1     95
 1659   ERX-TANET-ASN1                             21      6     71
  174   Cogent Communications                      20     13     35
13237   LAMBDANET-AS                               20     15     25
13213   UK2NET-AS UK-2 Ltd Autonomous Syste        20      0    100
21840   SAGONE Sago Networks                       19      3     84
29073   COLINKS-AS Colinks web and game hos        19     18      5

Top 20 ASNes by number of active suspect C&Cs.  These counts are
determined by the number of suspect domains or IPs located within
the ASN completed a connection request.
                                                                Percent_
ASN     Responsible Party                       Total   Open    Resolved
23522   CIT-FOONET                                 51     19     63
29073   COLINKS-AS Colinks web and game hos        19     18      5
13237   LAMBDANET-AS                               20     15     25
 4766   KIXS-AS-KR                                 39     14     64
13301   UNITEDCOLO-AS Autonomous System of         51     14     73
 4134   CHINANET-BACKBONE                          27     14     48
19318   NJIIX-AS-1 - NEW JERSEY INTERN             75     13     83
  174   Cogent Communications                      20     13     35
30315   Everyones Internet                         22     10     55
 4837   CHINA169-Backbone                          23     10     57
10032   HGC-AS-AP Hutchison Global Crossing        11     10      9
 9911   CONNECTPLUS-AP Singapore Telecom           13     10     23
35908   Krypt Technologies Inc.                    13      9     31
36263   forona.                                    10      8     20
 9318   HANARO-AS                                  26      8     69
 9600   SONY CORPORATION                            7      7      0
16265   LEASEWEB AS                                13      7     46
18942   WEBHO-3 WebHostPlus Inc                     7      6     14
 1659   ERX-TANET-ASN1                             21      6     71
12322   PROXAD AS for Proxad ISP                    7      6     14


Randal Vaughn                             Gadi  Evron
Professor                                 ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu