
Profiling Autonomous Systems Hosting Blacklisted Websites

January 1st, 2010

An Autonomous System (AS) is a routing construct that represents a group of networks under the control of an organization (credit for edit: Max@badwarebusters.org). ASes form the “structure” of the Internet. These organizations can be thought of as web-hosting companies, large Internet-based companies or resellers of bandwidth and IP addresses. They are usually large organizations for whom simply getting an Internet connection and a hosting company for their website is not enough.

In recent months, the trend of benign websites being affected by code injection clearly shows that attacks that inject malware into unsuspecting websites are on the rise. It is important to understand the profile of the ASes that provide transit to infected websites hosted within their systems, since each AS provides bandwidth and resources supporting the downloading of malware to computers belonging to unsuspecting visitors of a compromised website. ASes, or more specifically the hosting companies and other network operators behind them (rather than ASes as such), should play a pivotal role in addressing compromised websites.

At StopTheHacker.com, we have conducted extensive experiments to analyze and profile over 20,000 ASes to identify which ASes are the worst offenders in terms of hosting blacklisted websites. We have used Google Safe Browsing data, also accessible via StopBadware.org (which sources data from Google and Sunbelt), to identify and track which ASes are responsible for the proliferation of badware on the Internet. We have correlated AS size with data available from CAIDA to determine whether larger ASes are more at fault or not.

We present some brief results below:

  1. The average percentage of blacklisted websites in
    • Top 10 ASes (according to number of sites noted by Google) is 3.5%
    • ASes with Ranks 11-23 (according to number of sites noted by Google) is 3.75%
    • ASes with Ranks 24-40 (according to number of sites noted by Google) is 5.01%
  2. The AS with the highest percentage of blacklisted sites is AS 16557 (Colo Solutions, Inc.), with close to 60% of 10,000 sites blacklisted.
  3. The Top 50 ASes, which host more than 10,000 sites each and have at least 6% of websites blacklisted, host 151,000 blacklisted sites, combined.

Interesting observations:

  1. AS 16557 (Colo Solutions, Inc.) is well known for popping up on blacklists related to peer-to-peer networks [Is someone tracking P2P users]. It seems that this AS, which is not really concerned about P2P traffic emanating from within its systems (traffic which is potentially used to exchange copyrighted material), is also not interested in paying attention to malware-infected websites hosted within its networks.
  2. AS 15169 (Google Inc.) had 590734 sites analyzed and 6046 of them were found to contain malware.
  3. AS 14173 (Photobucket) had zero sites infected out of 399424 sites analyzed.
  4. The largest AS according to connection degree (Level 3 Communications; see CAIDA’s AS listing) was hosting 571 infected sites out of 136305 sites analyzed by Google.
  5. AS 7018 (AT&T) was hosting 97 infected sites out of 7947 sites analyzed by Google.
  6. AS 701 (Verizon) was hosting 117 infected sites out of 7248 sites analyzed by Google.
  7. AS 1239 (Sprint) was hosting 117 infected sites out of 3958 sites analyzed by Google.

Making Sense of the Results

Below we present some graphs to highlight the percentage of blacklisted websites hosted by the top few ASes. Note that all AS rankings below are based on the number of websites analyzed by Google: an AS with rank 1 hosts more websites analyzed by Google than an AS with rank 2.

ASes hosting more than 10,000 sites (each having more than 6% infected sites)

Below follows the list of ASes which host more than 10,000 sites each. Of those, at least 6% (600) are blacklisted by Google. Perhaps more attention needs to be focused on fighting malware from within these ASes. There are quite a few prominent web-hosting companies in this list. Note that all ASes below are ranked based on the number of websites analyzed by Google: an AS which appears earlier in the list hosts more websites analyzed by Google than an AS which appears later in the list.

ASN             Name	Country
21844           ThePlanet.com Internet Services, Inc.
4837            CNC
11798           Bluehost Inc. US
4812            CABLENETSWISS-HITTNAU Cablenetswiss	CH
26347           New Dream Network, LLC	US
29629           INETWORK-AS IEUROP AS	FR
32244           Liquid Web, Inc.	US
16265           LEASEWEB LEASEWEB AS	NL
3786            LGDACOM LG DACOM Corporation	KR
3595            Global Net Access, LLC	US
32392           Ecommerce Corporation	US
32613           iWeb Technologies Inc.	CA
4847            CNIX
33182           HostDime.com, Inc.	US
21788           Network Operations Center Inc.	US
38356           TIMENET BeiJing Sincerity-times Network Technology Project Ltd.	CN
15244           Lunar Pages	US
25074           INETBONE-AS INET-People Provider Services	DE
25532           MASTERHOST-AS .masterhost autonomous system	RU
30496           Colo4Dallas LP	US
12824           HOMEPL-AS home.pl autonomous system	PL
9929            CNCNET-CN China Netcom Corp.	CN
28753           NETDIRECT AS NETDIRECT Frankfurt, DE
11388           Peer 1 Dedicated Hosting	US
9121            TTNET TTnet Autonomous System	TR
13237           LAMBDANET-AS European Backbone of LambdaNet	EU
9931            CAT-AP The Communication Authoity of Thailand, CAT	TH
46475           Limestone Networks, Inc.	US
29671           SERVAGE Servage GmbH	DE
15685           Casablanca INT Autonomous system	CZ
39392           SUPERNETWORK-AS SuperNetwork s.r.o.	CZ
8342            RTCOMM-AS RTComm.RU Autonomous System	RU
34104           TELETEK-AS TELETEK TELEKOMINIKASYON HIZMETLERI A.S	TR
42910           SADECEHOSTING-COM Sadecehosting-Com	TR
8358            INTERWARE-AS InterWare Autonomus System	HU
25653           FortressITX	US
26277           A+ Hosting, Inc.	US
12363           DADA-AS DADA S.p.a.	IT
23352           Server Central Network	US
17964           DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.	CN
24400           CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.	CN
30176           Priority Colo	CA
4750            CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company Limited.	TH
32181           GigeNET	US
27823           Dattatec.com	AR
16557           Colo Solutions, Inc.	US
5617            TPNET Polish Telecom's commercial IP network	PL
39561           AGAVA Agava JSC AS number	RU
19318           NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC	US
9848            GNGAS Enterprise Networks	KR
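
The profiling steps described above (attribute each analyzed site to an AS, rank ASes by sites analyzed, then keep those with more than 10,000 sites and at least 6% blacklisted) can be sketched as follows. This is an added example, not StopTheHacker.com's code: the prefix table, scan records and function names are constructed for illustration, and attributing sites by longest-prefix match on the hosting IP is an assumption about how such a mapping can be done.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix -> origin AS table (documentation prefixes, private-use ASNs).
PREFIX_TO_AS = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "198.51.100.128/25": 64502,  # more-specific route originated by another AS
    "203.0.113.0/24": 64503,
}

# Constructed scan results as (hosting IP, total sites, blacklisted sites),
# expanded to one (ip, is_blacklisted) record per site.
SCAN = [("192.0.2.10", 40, 1), ("198.51.100.20", 20, 3),
        ("198.51.100.200", 12, 6), ("203.0.113.5", 5, 4), ("10.0.0.1", 3, 3)]
RECORDS = [(ip, i < bad) for ip, total, bad in SCAN for i in range(total)]

def origin_as(ip, table):
    """Longest-prefix match; returns None when no prefix covers the address."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, asn) for net, asn in table if addr in net]
    return max(hits)[1] if hits else None

def profile(records, prefix_to_as):
    """Per-AS counts, ranked by number of sites analyzed (rank 1 = most sites)."""
    table = [(ipaddress.ip_network(p), a) for p, a in prefix_to_as.items()]
    stats = defaultdict(lambda: [0, 0])  # asn -> [analyzed, blacklisted]
    for ip, blacklisted in records:
        asn = origin_as(ip, table)
        if asn is None:
            continue  # unrouted or private space: cannot be attributed to an AS
        stats[asn][0] += 1
        stats[asn][1] += int(blacklisted)
    ranked = sorted(stats.items(), key=lambda kv: -kv[1][0])
    return [{"rank": r, "asn": a, "analyzed": n, "blacklisted": b,
             "pct": 100.0 * b / n} for r, (a, (n, b)) in enumerate(ranked, 1)]

def worst_offenders(rows, min_sites=10_000, min_pct=6.0):
    """The article's cut: more than min_sites sites, at least min_pct% blacklisted."""
    return [r for r in rows if r["analyzed"] > min_sites and r["pct"] >= min_pct]

if __name__ == "__main__":
    rows = profile(RECORDS, PREFIX_TO_AS)
    for r in rows:
        print(r)
    # The sample is tiny, so the size cut is scaled down from 10,000 to 10 sites.
    print([r["asn"] for r in worst_offenders(rows, min_sites=10)])
```

In the constructed sample the AS with the highest blacklisted percentage hosts too few sites to pass the size cut, and the sites on the more-specific /25 are counted against the AS originating that prefix rather than the covering /24.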


    1. Anon
      February 17th, 2010 at 14:54 | #1

      How long does it take for a malware-infested site to get removed from the blacklists you specify? What exactly are your methods for compiling the list?

      I work for one of the companies in the top 10 in your list and it’s simply a lie to say that more than 6% of the sites on our network host malware. We have an excellent security team and we typically delete malware or suspend malware-hosting accounts within hours of notice.

    2. anirban
      February 18th, 2010 at 14:25 | #2

      A site can be removed from Google’s blacklist in anywhere between 10 minutes and a few hours (depending on the load they are facing). However, some sites remain blacklisted for weeks because they do not clean up their act before requesting multiple re-scans.

      You may have an excellent security team but sites you host are still being compromised. Your comment implies that. It is good to know that your team is responsive.

      If you would like a re-examination of your IP ranges/ASN please contact us and we will re-run our tests to give you a better idea of what’s going on.

      We at stopthehacker.com do not blacklist your sites or anyone’s site for that matter (at least not to date). The blacklist information is available, publicly, using Google’s Safe Browsing data.

      If you have further concerns, please let us know.

    3. John
      November 3rd, 2010 at 11:26 | #3

      Complain about very bad and unethical provider. http://www.hostingmatters.com
