Top 50 Bad Hosts - September 2012


The #1 Host this quarter for levels of malicious activity is new to the top 50 ranking table – AS40034 Confluence Networks, registered in the Virgin Islands but hosted in the United States.

New names in new places is sadly not a consistent theme for this quarter as, despite the new #1, the “Top 50 Hosts” table for Q3 2012 has more than a fair share of familiar names holding the top positions. Unlike the new #1 (AS40034 Confluence Networks), AS16138, the holder of the #2 spot, is a regular at the top of the chart for consistently serving some of the worst types of malicious activity on the web. Offences include large amounts of “Current Events”, a mix of the most up-to-date and fast changing attack exploits and vectors. (registered in Poland) has been in the “Top 10” since Q2 2010, except for its #12 slot in Q2 2011. In Q1 2012 it was #1. Frequently is in the top 5.

So why does Interia remain firmly entrenched at the top of the rankings while others come and go? That is a question that only Interia itself can successfully answer. It is also the reason behind a direct appeal to Interia from HE Editor, Jart Armin, who requests a proactive stance against the flow of abuses:

“Changes to your systems and abuse procedures are long overdue. Please prevent further damage from occurring to the unfortunate and long suffering victims of the individuals or gangs who use your services to carry all manner of Internet malpractices.”

An important topic under discussion in the Q3 2012 report is on the subject of “open resolvers”, “DDoS the World - The Problem with DNS Open & Misconfigured Resolvers”. An area that has yet to fully capture the attention of the media, despite being known about for many years, is the misconfiguration of DNS resolvers or “open resolvers”. This can leave powerful resources vulnerable to being hijacked for the purpose of amplifying of DDoS attacks.

DDoS amplification is used far more frequently now and to devastating effect. By amplifying a DDoS attack a targeted website can be overwhelmed by its power causing system failure and service interruption. An additional benefit to the attackers is the masked origin of the attack. For the first time, HE includes data on Autonomous Systems (ASes) and open resolvers. As research continues, more data on this subject will be detailed in future reports.

Similarly, in the country rankings, there have not been large movements. It is disappointing to see that both the United States and Russia have deteriorated since Q2 in their hosts’ overall standings.

An earlier optimism in an improving situation for the United States has proved to be short-lived with an increase in the number of US hosting providers in the Q3 Top 50 – up to 14 from 12 in Q2. For individual hosts in these countries, it has been more of a mixed picture with gains and losses.


PDF document
English 1.45M Download


Editor Jart Armin
Contributors Steve Burn
Greg Feezel
Andrew Fields
David Glosser
Niels Groeneveld
Matthias Simonis
Bogdan Vovchenko
Will Rogofsky
Philip Stranger
Bryn Thompson
DeepEnd Research
Reviewers Dr. Bob Bruen
Raoul Chiesa
Peter Kruse
Andre’ DiMino
Thorsten Kraft
Ilya Sachkov


We welcome any feedback relating to this paper or assistance in this area of research from the community.

Get in touch.