Drone Armies C&C Report - 17 Mar 2007

c2report at isotf.org c2report at isotf.org
Sat Mar 17 21:05:50 UTC 2007



This is a periodic public report from the ISOTF's affiliated group 'DA'
(Drone Armies (botnets) research and mitigation mailing list / TISF
DA) with the ISOTF affiliated ASreport project (TISF / RatOut).

For this report it should be noted that we base our analysis on the data
we have accumulated from various sources, which may be incomplete.

Any responsible party that wishes to receive reports of botnet command
and control servers on their network(s) regularly and directly, feel
free to contact us.

For purposes of this report we use the following terms:
open    the host completed the TCP handshake
closed  no activity detected
reset   issued a RST

This month's survey is of 5188 unique domains (or IPs) with
port suspect C&Cs. This list is extracted from the BBL which
has a historical base of 16080 reported C&Cs. Of the suspect C&Cs
surveyed, 774 reported as open, 1577 reported as closed,
and 801 issued resets to the survey instrument. Of the C&Cs
listed by domain name in our C&C database, 7799 are mitigated.

Top 20 ASNs by Total suspect domains mapping to a host in the ASN.
These numbers are determined by counting the number of domains which
resolve to a host in the ASN.  We do not remove duplicates and some of
the ASNs reported have many domains mapping to a single IP.  Note the
Percent_resolved figure is calculated using only the Total and Open
counts and does not represent a mitigation effectiveness metric.
                                                                Percent_
ASN     Responsible Party                       Total   Open    Resolved
19318   NJIIX-AS-1 - NEW JERSEY INTERN            134     14     90
13301   UNITEDCOLO-AS Autonomous System of         86     24     72
23522   CIT-FOONET                                 69     44     36
 4766   KIXS-AS-KR                                 60     15     75
30058   FDCSE FDCservers.net LLC                   47     11     77
 7132   SBC Internet Services                      45      9     80
  174   Cogent Communications                      45     41      9
 8560   SCHLUND-AS                                 41      8     80
13213   UK2NET-AS UK-2 Ltd Autonomous Syste        40      2     95
25761   STAMIN-2 Staminus Communications           38     23     39
14779   INKT Inktomi Corporation                   36      0    100
14780   INKT Inktomi Corporation                   35      0    100
 9318   HANARO-AS                                  34      4     88
 3561   Savvis                                     32      6     81
33597   InfoRelay Online Systems, Inc.             31      0    100
24989   IXEUROPE-DE-FRANKFURT-ASN IX Europe        30     11     63
12832   Lycos Europe                               29      4     86
 4134   CHINANET-BACKBONE                          29      8     72
25973   Mzima Networks, Inc.                       28     27      4
24611   AS24611 Datacenter Luxembourg S.A.         26      0    100

Top 20 ASNs by number of active suspect C&Cs.  These counts are
determined by the number of suspect domains or IPs located within
the ASN that completed a connection request.
                                                                Percent_
ASN     Responsible Party                       Total   Open    Resolved
23522   CIT-FOONET                                 69     44     36
  174   Cogent Communications                      45     41      9
25973   Mzima Networks, Inc.                       28     27      4
13301   UNITEDCOLO-AS Autonomous System of         86     24     72
25761   STAMIN-2 Staminus Communications           38     23     39
30506   Blacksun Technologies                      18     18      0
 4766   KIXS-AS-KR                                 60     15     75
19318   NJIIX-AS-1 - NEW JERSEY INTERN            134     14     90
30058   FDCSE FDCservers.net LLC                   47     11     77
 1257   TELE2 AB                                   18     11     39
24989   IXEUROPE-DE-FRANKFURT-ASN IX Europe        30     11     63
 4837   CHINA169-Backbone                          26     11     58
 6140   ImpSat                                     11     10      9
29686   PROBENETWORKS-AS Probe Networks            10     10      0
29339   MBBG-AS Markus Bach Betriebs Gesell        10     10      0
 7132   SBC Internet Services                      45      9     80
15083   IIS-129 Infolink Information Servic        21      9     57
 8560   SCHLUND-AS                                 41      8     80
 3786   ERX-DACOMNET                               26      8     69
 4134   CHINANET-BACKBONE                          29      8     72

A version of this report with additional rankings can be found
via the isotf.org home page.


Randal Vaughn                             Gadi  Evron
Professor                                 ge at linuxbox.org
Baylor University
Waco, TX
(254) 710 4756
randy_vaughn at baylor.edu
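
An added example, not part of the original report or the ISOTF tooling: it rebuilds the per-ASN Total, Open and Percent_resolved columns from per-domain survey results and shows how the report's caveat about many domains mapping to a single IP shifts the figures. The formula round(100 * (Total - Open) / Total) is inferred from the table rows above; the sample records, ASNs and the `dedupe_by_ip` option are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample survey results (not data from the report):
# (domain, resolved IP, ASN, probe state). States follow the report's terms.
SAMPLE = [
    ("a.example", "192.0.2.10", 64500, "open"),
    ("b.example", "192.0.2.10", 64500, "open"),
    ("c.example", "192.0.2.10", 64500, "open"),
    ("d.example", "192.0.2.11", 64500, "closed"),
    ("e.example", "198.51.100.5", 64501, "open"),
    ("f.example", "198.51.100.6", 64501, "reset"),
    ("g.example", "198.51.100.7", 64501, "closed"),
    ("h.example", "198.51.100.8", 64501, "closed"),
    ("i.example", "203.0.113.9", 64502, "reset"),
]

def percent_resolved(total, open_count):
    """Share of entries that did not complete a handshake, as a whole percent
    (formula inferred from the report's tables, not stated by the authors)."""
    return round(100 * (total - open_count) / total)

def summarize(results, dedupe_by_ip=False):
    """Per-ASN {total, open, percent_resolved}; optionally count each IP once."""
    seen = set()
    counts = defaultdict(lambda: {"total": 0, "open": 0})
    for domain, ip, asn, state in results:
        if dedupe_by_ip:
            if (asn, ip) in seen:
                continue  # a further domain on an IP already counted
            seen.add((asn, ip))
        counts[asn]["total"] += 1
        counts[asn]["open"] += state == "open"
    return {asn: {**c, "percent_resolved": percent_resolved(c["total"], c["open"])}
            for asn, c in counts.items()}

def rank(summary, key, n=20):
    """Top-n ASNs by 'total' or 'open', highest first (the two tables' orderings)."""
    return sorted(summary, key=lambda asn: summary[asn][key], reverse=True)[:n]

if __name__ == "__main__":
    for dedupe in (False, True):
        s = summarize(SAMPLE, dedupe_by_ip=dedupe)
        print("dedupe_by_ip =", dedupe)
        for asn in rank(s, "open"):
            print(f"  AS{asn}  {s[asn]}")
```

In the constructed sample, three domains on one open IP put AS64500 at 25 percent resolved when counted per domain and at 50 percent when counted per IP, which is why the report says the figure is not a mitigation effectiveness metric.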



