• Large Webhosts: How Serious About Security Are They?

    Some of the largest web-hosting companies in the United States and abroad host more than 500,000 websites individually. These web-hosting companies focus on providing a cost-effective solution for clients to develop and maintain their Internet-facing websites. To protect these websites, they often use Web Application Firewalls (WAFs) and more traditional firewall-type devices, along with password-protected (S)FTP access.

    Anyone delving into web-application security issues will realize that simply throwing up a bunch of WAFs to deal with code-injection attacks is not the greatest solution. Code-injection attacks are constantly evolving because they provide hackers with a great medium with which to deliver malicious code to unsuspecting Internet surfers. These attacks are not being nipped in the bud, and that is not for lack of effort on the part of WAF developers. It is because this attack vector presents such an attractive medium for hackers to further their nefarious intentions, with comparatively less effort than other more involved hacking techniques.

    Bottom line, code injection attacks and signatures are constantly changing. WAFs used by many hosting companies cannot guarantee full protection against them.

    Two big reasons it is difficult to protect websites:

    1. You can only protect against what you know about
    2. WAFs are not self-learning and self-tuning

    At StopTheHacker.com, our approach is to develop systems based on Artificial Intelligence techniques which can learn from attacks and adapt using machine learning to block and identify previously unknown code-injection incidents.

    In this article we try to identify how many sites from each of the top few web-hosting companies are currently blacklisted. This gives us an indication of the kind of security being employed and the effectiveness of the systems.

    This test was conducted on January 19, 2010. The AS data was mined from CAIDA and was correlated with Google Safe Browsing data.
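
    The correlation described above, sketched as an added example (not the code used for this article): each blacklisted site's IP address is mapped to an origin AS by longest-prefix match, then counted per AS. The three-column prefix/length/AS layout, the prefixes, ASNs and hostnames are all constructed assumptions, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-AS rows (prefix, length, origin AS), tab-separated.
# Prefixes are documentation ranges and ASNs come from the documentation
# range 64496-64511; none of these values are from the article.
PFX2AS = """\
192.0.2.0\t24\t64496
198.51.100.0\t24\t64497
198.51.100.128\t25\t64498
203.0.113.0\t24\t64499
"""

# Constructed (hostname, resolved IP) pairs standing in for blacklisted sites.
BLACKLISTED = [
    ("shop.example", "192.0.2.10"),
    ("blog.example", "192.0.2.77"),
    ("forum.example", "198.51.100.5"),
    ("cdn.example", "198.51.100.200"),   # inside the more specific /25
    ("old.example", "10.1.2.3"),         # not announced: no origin AS
    ("broken.example", "not-an-ip"),     # failed resolution
]

def load_prefixes(text):
    """Parse rows into (network, asn), most specific prefix first."""
    table = []
    for line in text.splitlines():
        prefix, length, asn = line.split("\t")
        table.append((ipaddress.ip_network(f"{prefix}/{length}"), asn))
    table.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return table

def origin_as(ip, table):
    """Longest-prefix match; None when no announced prefix covers the IP."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, asn in table:
        if addr.version == net.version and addr in net:
            return asn
    return None

def blacklisted_per_as(sites, table):
    """Count blacklisted sites per origin AS; unmapped sites go under None."""
    return Counter(origin_as(ip, table) for _host, ip in sites)

if __name__ == "__main__":
    print(blacklisted_per_as(BLACKLISTED, load_prefixes(PFX2AS)).most_common())
```

    The count attaches to whichever AS originates the covering prefix, so a site is attributed to the network announcing its address space, and sites that do not resolve or fall outside every prefix are kept in a separate unmapped bucket rather than dropped.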

    Number of sites blacklisted by hosting company:

    Hosting Company Name           ASN  Sites Blacklisted
    IX WebHosting                32392               4160
    GoDaddy                      26496              12648
    DreamHost                    26347               5636
    GigeNet                      32181                647
    Peer 1                       11388               2332
    Lunar Pages                  15244               3754
    iWeb                         32613               2161
    ThePlanet/HostGator          21844              11347
    Bluehost/Hostmonster         11798               6232
    LiquidWeb                    32244               3113
    Leaseweb                     16265               2393
    Schlund (1&1)                 8560               9105
    Tele2 Telecommunication GmbH  8437               8229
    China Telecom                 4812               4919
    Inetwork/iEurop              29629               3197
    NetworkSolutions              6245                739
    RackSpace                    33070                698

    Clearly, whatever security mechanisms are being employed by these hosting companies, they are not enough to stop hordes of their websites from falling prey to code-injection attacks and other forms of malicious attacks. Perhaps owners of these large numbers of compromised websites will force web-hosting companies to take a more proactive approach to safe hosting for their clients.

    Interestingly, a web-hosting company which focuses on a secure hosting experience maps to ASN 7819, which seems to host 26 malicious sites.

    EDIT: On Jan 20 2010, 7:05 AM PST, we received feedback from the web-hosting company which focuses on a secure web-hosting experience that the IP ranges mentioned (below) in this article are not used by them to host websites, but are simply the ones that belong to the datacenter they employ. We will be very interested in re-evaluating IP ranges that are used by them to present websites on the Internet.

    List of IP addresses associated with ASN 7819 is below: