• Profiling Autonomous Systems Hosting Blacklisted Websites

    An Autonomous System (AS) is a routing construct that represents a group of networks under the control of an organization (credit for edit: Max@badwarebusters.org). ASes form the “structure” of the Internet. The organizations behind them can be thought of as web-hosting companies, large Internet-based companies or resellers of bandwidth and IP addresses. These are usually large organizations for whom simply getting an Internet connection and a hosting company for their website is not enough.

    In recent months, the trend of benign websites being affected by code injection clearly shows that attacks to inject malware into unsuspecting websites are on the rise. It is important to understand the profile of the ASes which are actually providing transit to infected websites hosted within their systems, since each AS provides bandwidth and resources supporting the downloading of malware to computers which belong to unsuspecting visitors of a compromised website. ASes, or more specifically hosting companies and other network operators (rather than ASes as such), should play a pivotal role in addressing compromised websites.

    At StopTheHacker.com, we have conducted extensive experiments to analyze and profile over 20,000 ASes to identify which ASes are the worst offenders in terms of hosting blacklisted websites. We have used Google Safe Browsing data, also accessible via StopBadware.org (which sources data from Google and Sunbelt), to identify and trend which ASes are responsible for the proliferation of badware on the Internet. We have correlated AS size with data available from CAIDA to determine whether larger ASes are more at fault or not.
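
    The per-AS profiling described above can be sketched as follows. This is an added example, not StopTheHacker.com's code: the prefix table, the ASNs (reserved documentation values), the site list and all function names are constructed, and the thresholds are scaled down from the 10,000-site / 6% cut-off the article applies later.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-origin-AS table (documentation prefixes, reserved ASNs).
PREFIX_TO_AS = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.128/25": 64498,  # more-specific route originated by another AS
    "203.0.113.0/24": 64499,
}

def _sites(prefix, count, bad):
    """Constructed scan results: (ip, blacklisted) for `count` hosts, first `bad` flagged."""
    base = ipaddress.ip_network(prefix).network_address
    return [(str(base + 1 + i), i < bad) for i in range(count)]

SITES = (_sites("192.0.2.0/24", 10, 1) + _sites("198.51.100.0/24", 20, 1)
         + _sites("198.51.100.128/25", 8, 4) + _sites("203.0.113.0/24", 8, 0)
         + [("10.0.0.1", True)])  # address with no covering prefix

def build_table(prefix_to_as):
    """Sort prefixes longest-first so the first hit is the most specific route."""
    nets = ((ipaddress.ip_network(p), asn) for p, asn in prefix_to_as.items())
    return sorted(nets, key=lambda e: e[0].prefixlen, reverse=True)

def origin_as(ip, table):
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in table if addr in net), None)

def profile(sites, table):
    """Return {asn: (sites_analyzed, sites_blacklisted, percent_blacklisted)}."""
    counts = defaultdict(lambda: [0, 0])
    for ip, bad in sites:
        c = counts[origin_as(ip, table)]
        c[0] += 1
        c[1] += int(bad)
    return {asn: (n, b, 100.0 * b / n) for asn, (n, b) in counts.items()}

def worst_offenders(prof, min_sites, min_pct):
    """ASes hosting more than min_sites with at least min_pct% blacklisted,
    ranked by sites analyzed (the ranking the article uses)."""
    rows = [(asn, n, b, pct) for asn, (n, b, pct) in prof.items()
            if asn is not None and n > min_sites and pct >= min_pct]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    table = build_table(PREFIX_TO_AS)
    for asn, n, b, pct in worst_offenders(profile(SITES, table), 5, 6.0):
        print(f"AS{asn}: {b}/{n} blacklisted ({pct:.1f}%)")
```

    Attributing each address to the most specific covering prefix matters here: without it, the sites in the /25 would be counted against the AS announcing the enclosing /24.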

    We present some brief results below:

    1. The average percentage of blacklisted websites in
      • Top 10 ASes (according to number of sites noted by Google) is 3.5%
      • ASes with Ranks 11-23 (according to number of sites noted by Google) is 3.75%
      • ASes with Ranks 24-40 (according to number of sites noted by Google) is 5.01%
    2. The AS with the highest percentage of blacklisted sites is AS 16557 (Colo Solutions, Inc.), with close to 60% of 10,000 sites blacklisted.
    3. The Top 50 ASes, which host more than 10,000 sites each and have at least 6% of websites blacklisted, host 151,000 blacklisted sites, combined.

    Interesting observations:

    1. AS 16557 (Colo Solutions, Inc.) is well known for popping up on blacklists related to peer-to-peer networks [Is someone tracking P2P users]. It seems that this AS, which is not really concerned about P2P traffic emanating from within its systems, traffic which is potentially used to exchange copyrighted material, is also not interested in paying attention to malware-infected websites hosted within its networks.
    2. AS 15169 (Google Inc.), had 590734 sites analyzed and 6046 of them were found to contain malware.
    3. AS 14173 (Photobucket), had zero sites infected out of 399424 sites analyzed.
    4. The largest AS (Level 3 Communications) according to connection degree, see CAIDA’s AS listing, was hosting 571 infected sites out of 136305 sites analyzed by Google.
    5. AS 7018 (AT&T), was hosting 97 infected sites out of 7947 sites analyzed by Google.
    6. AS 701 (Verizon), was hosting 117 infected sites out of 7248 sites analyzed by Google.
    7. AS 1239 (Sprint), was hosting 117 infected sites out of 3958 sites analyzed by Google.

    Making Sense of the Results

    Below we present some graphs to highlight the percentage of blacklisted websites hosted by the top few ASes. Note that all AS rankings below are based on the number of websites analyzed by Google. An AS with rank 1 hosts more websites analyzed by Google than an AS with rank 2.

    ASes hosting more than 10,000 sites (each having more than 6% infected sites)

    Below is the list of ASes which host more than 10,000 sites each and have at least 6% (600) of those sites blacklisted by Google. Perhaps more attention needs to be focused on fighting malware from within these ASes. There are quite a few prominent web-hosting companies in this list. Note that all ASes below are ranked based on the number of websites analyzed by Google. An AS which appears earlier in the list hosts more websites analyzed by Google than an AS which appears later in the list.

    ASN     Country  Name
    21844            ThePlanet.com Internet Services, Inc.
    4837             CNC
    11798   US       Bluehost Inc.
    4812    CH       CABLENETSWISS-HITTNAU Cablenetswiss
    26347   US       New Dream Network, LLC
    29629   FR       INETWORK-AS IEUROP AS
    32244   US       Liquid Web, Inc.
    16265   NL       LEASEWEB LEASEWEB AS
    3786    KR       LGDACOM LG DACOM Corporation
    3595    US       Global Net Access, LLC
    32392   US       Ecommerce Corporation
    32613   CA       iWeb Technologies Inc.
    4847             CNIX
    33182   US       HostDime.com, Inc.
    21788   US       Network Operations Center Inc.
    38356   CN       TIMENET BeiJing Sincerity-times Network Technology Project Ltd.
    15244   US       Lunar Pages
    25074   DE       INETBONE-AS INET-People Provider Services
    25532   RU       MASTERHOST-AS .masterhost autonomous system
    30496   US       Colo4Dallas LP
    12824   PL       HOMEPL-AS home.pl autonomous system
    9929    CN       CNCNET-CN China Netcom Corp.
    28753            NETDIRECT AS NETDIRECT Frankfurt, DE
    11388   US       Peer 1 Dedicated Hosting
    9121    TR       TTNET TTnet Autonomous System
    13237   EU       LAMBDANET-AS European Backbone of LambdaNet
    9931    TH       CAT-AP The Communication Authoity of Thailand, CAT
    46475   US       Limestone Networks, Inc.
    29671   DE       SERVAGE Servage GmbH
    15685   CZ       Casablanca INT Autonomous system
    39392   CZ       SUPERNETWORK-AS SuperNetwork s.r.o.
    8342    RU       RTCOMM-AS RTComm.RU Autonomous System
    34104   TR       TELETEK-AS TELETEK TELEKOMINIKASYON HIZMETLERI A.S
    42910   TR       SADECEHOSTING-COM Sadecehosting-Com
    8358    HU       INTERWARE-AS InterWare Autonomus System
    25653   US       FortressITX
    26277   US       A+ Hosting, Inc.
    12363   IT       DADA-AS DADA S.p.a.
    23352   US       Server Central Network
    17964   CN       DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
    24400   CN       CMNET-V4SHANGHAI-AS-AP Shanghai Mobile Communications Co.,Ltd.
    30176   CA       Priority Colo
    4750    TH       CSLOXINFO-ISP-AS-AP CSLOXINFO Public Company Limited.
    32181   US       GigeNET
    27823   AR       Dattatec.com
    16557   US       Colo Solutions, Inc.
    5617    PL       TPNET Polish Telecom's commercial IP network
    39561   RU       AGAVA Agava JSC AS number
    19318   US       NEW JERSEY INTERNATIONAL INTERNET EXCHANGE LLC
    9848    KR       GNGAS Enterprise Networks
    
    • How long does it take for a malware-infested site to get removed from the blacklists you specify? What exactly are your methods for compiling the list?

      I work for one of the companies in the top 10 in your list and it’s simply a lie to say that more than 6% of the sites on our network host malware. We have an excellent security team and we typically delete malware or suspend malware-hosting accounts within hours of notice.

      Posted by Anon on February 17th

    • A site can be removed from Google’s blacklist in anywhere between 10 minutes and a few hours (depending on the load they are facing). However, some sites remain blacklisted for weeks because they do not clean up their act before requesting multiple re-scans.

      You may have an excellent security team but sites you host are still being compromised. Your comment implies that. It is good to know that your team is responsive.

      If you would like a re-examination of your IP ranges/ASN please contact us and we will re-run our tests to give you a better idea of what’s going on.

      We at stopthehacker.com do not blacklist your sites or anyone’s site for that matter (at least not to date). The blacklist information is available, publicly, using Google’s Safe Browsing data.

      If you have further concerns, please let us know.

      Posted by anirban on February 18th

    • Complain about very bad and unethical provider. http://www.hostingmatters.com

      Posted by John on November 3rd