Some of the largest web hosting companies in the United States and abroad host more than 500,000 websites individually. These web-hosting companies focus on providing a cost-effective solution for clients to develop and maintain their Internet-facing websites. To protect these websites, these web-hosting companies often use Web-Application-Filters (WAFs) and more traditional firewall-type devices along with password-protected (S)FTP access.
Anyone delving into web-application security issues will realize that simply throwing up a bunch of WAFs to deal with code-injection attacks is not the greatest solution. Code-injection attacks are constantly evolving because they give hackers a great medium for delivering malicious code to unsuspecting Internet surfers. It is not for lack of effort on the part of WAF developers that code-injection attacks are not being nipped in the bud. Rather, this attack vector is an attractive medium for hackers to further their nefarious intentions with comparatively less effort than other, more involved hacking techniques.
Bottom line, code injection attacks and signatures are constantly changing. WAFs used by many hosting companies cannot guarantee full protection against them.
Two big reasons it is difficult to protect websites:
At StopTheHacker.com, our approach is to develop systems based on Artificial Intelligence techniques which can learn from attacks and adapt using machine learning to block and identify previously unknown code-injection incidents.
In this article we try to identify how many sites from each of the top few web-hosting companies are currently blacklisted. This gives us an indication of the kind of security being employed and the effectiveness of the systems.
Number of sites blacklisted by hosting company:
| Hosting Company Name | ASN | Sites Blacklisted |
|---|---|---|
| IX WebHosting | 32392 | 4160 |
| GoDaddy | 26496 | 12648 |
| DreamHost | 26347 | 5636 |
| GigeNet | 32181 | 647 |
| Peer 1 | 11388 | 2332 |
| Lunar Pages | 15244 | 3754 |
| iWeb | 32613 | 2161 |
| ThePlanet/HostGator | 21844 | 11347 |
| Bluehost/Hostmonster | 11798 | 6232 |
| LiquidWeb | 32244 | 3113 |
| Leaseweb | 16265 | 2393 |
| Schlund (1&1) | 8560 | 9105 |
| Tele2 Telecommunication GmbH | 8437 | 8229 |
| China Telecom | 4812 | 4919 |
| Inetwork/iEurop | 29629 | 3197 |
| NetworkSolutions | 6245 | 739 |
| RackSpace | 33070 | 698 |
Clearly, whatever security mechanisms these hosting companies employ, they are not enough to stop hordes of their websites from falling prey to code-injection and other malicious attacks. Perhaps the owners of these many compromised websites will force web-hosting companies to take a more proactive approach to safe hosting for their clients.
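One way to produce per-ASN counts like those in the table above, as an added example that is not StopTheHacker's own code or method: map each blacklisted site's IP to an origin ASN by longest-prefix match, so a site inside a hoster's more specific prefix is not charged to the datacenter announcing the covering block. The prefix table, site list and function names are constructed for illustration (RFC 5737 addresses, RFC 5398 documentation ASNs).

```python
import ipaddress
from collections import Counter

# Constructed prefix -> origin ASN table. AS64500 plays a datacenter that
# announces a covering /24; AS64501 plays a hosting company announcing a
# more specific /25 inside it; AS64502 is an unrelated hoster.
PREFIX_TO_ASN = {
    "203.0.113.0/24": 64500,
    "203.0.113.128/25": 64501,
    "192.0.2.0/24": 64502,
}

# Constructed blacklist entries: (site, resolved IP).
BLACKLISTED_SITES = [
    ("a.example", "203.0.113.10"),
    ("b.example", "203.0.113.200"),
    ("c.example", "203.0.113.201"),
    ("B.example", "203.0.113.200"),   # duplicate listing of the same site
    ("d.example", "192.0.2.44"),
    ("e.example", "198.51.100.7"),    # no covering prefix in the table
]

def build_table(prefix_to_asn):
    """Parse prefixes and order them most-specific first."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in prefix_to_asn.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def origin_asn(ip, table):
    """Longest-prefix match: the first hit in a most-specific-first table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None  # unattributed: keep it visible rather than guessing

def count_by_asn(sites, table):
    """Count each distinct site once under the ASN originating its IP."""
    counts, seen = Counter(), set()
    for site, ip in sites:
        key = site.lower()
        if key in seen:
            continue
        seen.add(key)
        counts[origin_asn(ip, table)] += 1
    return counts

if __name__ == "__main__":
    for asn, n in count_by_asn(BLACKLISTED_SITES, build_table(PREFIX_TO_ASN)).items():
        print(asn, n)
```

Counting against the covering prefix alone would attribute three sites to AS64500; with longest-prefix match only one remains there.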
Interestingly, a web-hosting company which focuses on a secure hosting experience maps to ASN 7819, which seems to host 26 malicious sites.
EDIT: On Jan 20 2010, 7:05 AM PST, we received feedback from the webhosting company which focuses on a secure webhosting experience, that the IP ranges mentioned (below) in this article are not used by them to host websites, but are simply the ones that belong to the datacenter they employ. We will be very interested in re-evaluating IP ranges that are used by them to present websites on the Internet.
List of IP addresses associated with ASN 7819 is below: