IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 20, NO. 1, FEBRUARY 2012
Abnormally Malicious Autonomous Systems and Their Internet Connectivity
Craig A. Shue, Andrew J. Kalafut, and Minaxi Gupta
Abstract—While many attacks are distributed across botnets, investigators and network operators have recently identified malicious networks through high-profile autonomous system (AS) depeerings and network shutdowns. In this paper, we explore whether some ASs are indeed safe havens for malicious activity.
We look for ISPs and ASs that exhibit disproportionately high malicious behavior using 10 popular blacklists, plus local spam data, and extensive DNS resolutions based on the contents of the blacklists. We find that some ASs have over 80% of their routable IP address space blacklisted. Yet others account for large fractions of blacklisted IP addresses. Several ASs regularly peer with ASs associated with significant malicious activity. We also find that malicious ASs as a whole differ from benign ones in other properties not obviously related to their malicious activities, such as more frequent connectivity changes with their BGP peers.
Overall, we conclude that examining malicious activity at AS granularity can unearth networks with lax security or those that harbor cybercrime.
Index Terms—Autonomous systems (ASs), security.
I. INTRODUCTION
THE INTERNET is plagued by malicious activity, from spam and phishing to malware and denial-of-service (DoS) attacks. Much of it thrives on armies of compromised hosts, or botnets, which are scattered throughout the Internet. However, malicious activity is not necessarily evenly distributed across the Internet: Some networks may employ lax security, resulting in large populations of compromised machines, while others may tightly secure their network and not have any malicious activity. Furthermore, some networks may exist solely to engage in malicious activity. Several recent
ISP enforcement