
Familiar Hosts & Open Resolvers

Wednesday, 24 October 2012 06:44 in Blogs, Reports by Bryn Thompson

HostExploit is pleased to present the Q3 2012 World Hosts Report, in collaboration with Group-IB and CSIS. The #1 Host this quarter for levels of malicious activity is new to the top 50 ranking table – AS40034 Confluence Networks, registered in the Virgin Islands but hosted in the United States.


Download the English report (PDF) here.

New names in new places are sadly not a consistent theme this quarter: despite the new #1, the ‘Top 50 Hosts’ table for Q3 2012 has more than its fair share of familiar names holding the top positions. Unlike the new #1 (AS40034 Confluence Networks), AS16138, the holder of the #2 spot, is a regular at the top of the chart for consistently serving some of the worst types of malicious activity on the web. Offences include large amounts of ‘Current Events’, a mix of the most up-to-date and fast-changing attack exploits and vectors. AS16138 (registered in Poland) has been in the ‘Top 10’ since Q2 2010, except for its #12 slot in Q2 2011. In Q1 2012 it was #1, and it is frequently in the top 5.

So why does Interia remain firmly entrenched at the top of the rankings while others come and go? That is a question that only Interia itself can successfully answer. It is also the reason behind a direct appeal to Interia from HE Editor, Jart Armin, who requests a proactive stance against the flow of abuses:

“Changes to your systems and abuse procedures are long overdue. Please prevent further damage from occurring to the unfortunate and long suffering victims of the individuals or gangs who use your services to carry all manner of Internet malpractices.”

An important topic in the Q3 2012 report is ‘open resolvers’, covered in the section ‘DDoS the World - The Problem with DNS Open & Misconfigured Resolvers’. The misconfiguration of DNS resolvers, which turns them into ‘open resolvers’, has been known about for many years but has yet to fully capture the attention of the media. It can leave powerful resources vulnerable to being hijacked for the purpose of amplifying DDoS attacks.

DDoS amplification is now used far more frequently, and to devastating effect. An amplified DDoS attack can overwhelm a targeted website, causing system failure and service interruption. An additional benefit to the attackers is the masked origin of the attack. For the first time, HE includes data on Autonomous Systems (ASes) and open resolvers. As research continues, more data on this subject will be detailed in future reports.

Similarly, in the country rankings, there have not been large movements. It is disappointing to see that both the United States and Russia have deteriorated since Q2 in their hosts’ overall standings.

Earlier optimism about an improving situation for the United States has proved short-lived, with an increase in the number of US hosting providers in the Q3 Top 50 – up to 14 from 12 in Q2. For individual hosts in these countries, it has been more of a mixed picture, with gains and losses.

The full HE ‘World Hosts Report’ for Q3 2012 - available here - provides more detailed information on all of the topics above, including data on individual categories such as Botnet C&C servers, phishing servers, exploit servers, Zeus botnet hosting, infected websites, spam, current events and badware.
