The researchers tried to avoid penalizing large network providers unfairly by measuring the percentage of each ISP’s Internet addresses that showed up in each individual badness data set, rather than the raw number. Approaches that rank networks by the absolute number of blacklisted addresses usually point to the world’s largest ISPs, the majority of which are in the United States, simply because those networks have the most addresses to begin with.
The researchers also sought to identify ISPs and hosting providers that had a disproportionate share of malicious network peers. To keep a single bad peer from skewing the result, this measurement only considered ISPs with at least three such partner networks. They found 22 networks in which 100 percent of the customer networks were classified as malicious, and some 194 networks in which at least half of the customer networks fell into that category.
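The two measurements above, as an added worked example written for this page (it is not the researchers’ code or data): constructed AS numbers, announced prefixes, a blocklist and a peering map show why ranking by the absolute count of listed addresses favors the biggest networks while ranking by the listed fraction of announced address space surfaces small, concentrated bad actors, and how a minimum of three peers keeps a network with a single flagged peer from scoring 100 percent. Every ASN, prefix, address and “flagged” label below is constructed.

```python
import ipaddress
from collections import Counter

# Constructed announcements: ASN -> prefixes it originates (documentation/private space).
ANNOUNCEMENTS = {
    "AS64500": ["10.0.0.0/8"],                          # 16,777,216 addresses
    "AS64501": ["172.16.0.0/12"],                       #  1,048,576 addresses
    "AS64502": ["192.0.2.0/24"],                        #        256 addresses
    "AS64503": ["198.51.100.0/24", "203.0.113.0/24"],   #        512 addresses
}

# Constructed blocklist: distinct addresses that appeared in a "badness" feed.
BLOCKLIST = (
    [f"10.{i // 256}.{i % 256}.1" for i in range(300)]            # 300 in AS64500
    + [f"172.{16 + i // 256}.{i % 256}.5" for i in range(270)]    # 270 in AS64501
    + [f"192.0.2.{i}" for i in range(250)]                         # 250 in AS64502
    + [f"203.0.113.{i}" for i in range(50)]                        #  50 in AS64503
)


def build_table(announcements):
    """Return [(network, asn)] sorted longest-prefix-first for lookup."""
    table = [(ipaddress.ip_network(p), asn)
             for asn, prefixes in announcements.items() for p in prefixes]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def asn_for(ip, table):
    """Longest-prefix match of one address against the announcement table."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def listed_counts(blocklist, announcements):
    """Absolute number of distinct listed addresses per ASN (the metric that favors big networks)."""
    table = build_table(announcements)
    counts = Counter()
    for ip in set(blocklist):
        asn = asn_for(ip, table)
        if asn:
            counts[asn] += 1
    return dict(counts)


def listed_fractions(blocklist, announcements):
    """Listed addresses divided by the ASN's total announced address space (the normalized metric)."""
    counts = listed_counts(blocklist, announcements)
    sizes = {asn: sum(ipaddress.ip_network(p).num_addresses for p in prefixes)
             for asn, prefixes in announcements.items()}
    return {asn: counts.get(asn, 0) / sizes[asn] for asn in announcements}


def rank(metric):
    """ASNs ordered worst-first by the given metric dict."""
    return sorted(metric, key=metric.get, reverse=True)


# Constructed adjacency: ASN -> networks it peers with or provides transit for.
PEERS = {
    "AS64496": {"AS64502", "AS64503", "AS64510"},
    "AS64497": {"AS64500", "AS64501", "AS64502", "AS64511"},
    "AS64498": {"AS64502"},          # one peer only: too few to judge
}
FLAGGED = {"AS64502", "AS64503", "AS64510"}   # constructed labels for known-bad peers


def malicious_peer_share(peers, flagged, min_peers=3):
    """Fraction of each ASN's peers that are flagged; ASNs with fewer than min_peers are skipped."""
    return {asn: len(ps & flagged) / len(ps)
            for asn, ps in peers.items() if len(ps) >= min_peers}


if __name__ == "__main__":
    print("by count:   ", rank(listed_counts(BLOCKLIST, ANNOUNCEMENTS)))
    print("by fraction:", rank(listed_fractions(BLOCKLIST, ANNOUNCEMENTS)))
    print("peer share: ", malicious_peer_share(PEERS, FLAGGED))
```

With this input the count ranking puts the /8 and /12 networks first even though fewer than 0.03 percent of their space is listed, while the fraction ranking puts the /24 with 250 of 256 addresses listed at the top. The peer metric scores AS64496 at 1.0 and AS64497 at 0.25, and leaves AS64498 unscored because one peer is not enough evidence either way.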
Last week, a Russian ISP named Troyak was disconnected from the Internet after its upstream providers pulled the plug on it. Researchers found that Troyak served several different hosting providers that collectively were home to the command and control (C&C) servers for more than 60 “Zeus” botnets, huge groupings of zombie PCs that provide criminals a constant flow of stolen financial data, such as online banking credentials.
On March 9, Troyak was briefly knocked offline before finding another upstream ISP to take it on. This cat-and-mouse game was repeated five times over the next three days.
Roman Hussey, a Swiss information technology expert who maintains a site called Zeustracker, which tracks Zeus botnet C&Cs around the globe, says it’s important to collect and publicly highlight information about malicious ISPs. Not only does that help draw attention to and isolate malicious hosts, he said, it also helps inform the media.
“Troyak has had some troubles getting back online again, and it’s largely because of the media hype,” Hussey says. Because of that hype, “every ISP knows who Troyak is, and now won’t peer with them.”
But Alex Lanstein, a senior security researcher at FireEye, a Milpitas, CA-based security firm that has participated in several botnet and malicious ISP takedown efforts, says many security firms do not want to share information publicly for competitive reasons.
And there are important strategic reasons to keep certain types of threat intelligence close to the vest, Lanstein says. “Some security companies block specific hosts or ISPs for their customers, but don’t tell anyone else, so that the [malicious network owners] don’t know they’re being blocked,” Lanstein said.
He pointed to a writeup the company published in September 2009 about an ISP in Ukraine. “When I posted that, literally a day later they completely stopped using the Internet address blocks we wrote about,” Lanstein says. “As soon as they know they’re on a major blacklist, they often will ditch the Internet address blocks that are being blocked,” and move their operations to less tainted address space.