HostExploit is pleased to present the Q3 2012 World Hosts Report, in collaboration with Group-IB and CSIS. The #1 Host this quarter for levels of malicious activity is new to the top 50 ranking table – AS40034 Confluence Networks, registered in the Virgin Islands but hosted in the United States.
Download the English report (PDF) here.
New names in new places is sadly not a consistent theme for this quarter as, despite the new #1, the ‘Top 50 Hosts’ table for Q3 2012 has more than a fair share of familiar names holding the top positions. Unlike the new #1 (AS40034 Confluence Networks), AS16138 Interia.pl, the holder of the #2 spot, is a regular at the top of the chart for consistently serving some of the worst types of malicious activity on the web. Offences include large amounts of ‘Current Events’, a mix of the most up-to-date and fast changing attack exploits and vectors.
So why does Interia remain firmly entrenched at the top of the rankings while others come and go? That is a question that only Interia itself can successfully answer. It is also the reason behind a direct appeal to Interia from HE Editor, Jart Armin, who requests a proactive stance against the flow of abuses:
“Changes to your systems and abuse procedures are long overdue. Please prevent further damage from occurring to the unfortunate and long suffering victims of the individuals or gangs who use your services to carry all manner of Internet malpractices.”
An important topic under discussion in the Q3 2012 report is on the subject of ‘open resolvers’, ‘DDoS the World - The Problem with DNS Open & Misconfigured Resolvers’. An area that has yet to fully capture the attention of the media, despite being known about for many years, is the misconfiguration of DNS resolvers or ‘open resolvers’. This can leave powerful resources vulnerable to being hijacked for the purpose of amplifying of DDoS attacks.
DDoS amplification is used far more frequently now and to devastating effect. By amplifying a DDoS attack a targeted website can be overwhelmed by its power causing system failure and service interruption. An additional benefit to the attackers is the masked origin of the attack. For the first time, HE includes data on Autonomous Systems (ASes) and open resolvers. As research continues, more data on this subject will be detailed in future reports.
Similarly, in the country rankings, there have not been large movements. It is disappointing to see that both the United States and Russia have deteriorated since Q2 in their hosts’ overall standings.
An earlier optimism in an improving situation for the United States has proved to be short-lived with an increase in the number of US hosting providers in the Q3 Top 50 – up to 14 from 12 in Q2. For individual hosts in these countries, it has been more of a mixed picture with gains and losses.
The full HE ‘World Hosts Report’ for Q3 2012 - available here - provides more detailed information on all of the topics above, including data on individual categories such as Botnet C&C servers, phishing servers, exploit servers, Zeus botnet hosting, infected websites, spam, current events and badware.
|< Prev||Next >|
Recent Articles by Bryn Thompson :
World Hosts Report - March 2013HostExploit is pleased to present the March 2013 World Hosts Report, in collaboration...
White Paper: The New gTLDs – Security by DesignCyberDefcon has released a new white paper, The New gTLDs – Security...
Familiar Hosts & Open ResolversHostExploit is pleased to present the Q3 2012 World Hosts Report, in collaboration...