Last week, we announced our IPAbuseCheck lookup tool. We see lots of infected/abusive hosts on the Internet attempting to proxy abusive web transactions through our proxies. Rather than just ignoring these transactions, we’ve decided to provide this lookup utility for security professionals and organizations to query and identify abusive/infected hosts within their networks – based on some feedback, the service has been well received. This follow-up post provides a brief summary of the top offenders that we see in our database to date (July 1 – October 25, 2011).
[Charts: ASN by Abusive Clients | ASN by Abusive Transactions]
It was interesting to see some well known organizations like Amazon and Microsoft near the top for organizations that have sent us the most abusive transactions. Rather than these being infected corporate systems, it appears to be a handful of hosting service systems that are being abused either directly from the customer or from an infection. Here is a snapshot of a report from our database of a Microsoft IP that we reported to their Abuse Dept. once we started digging into this data:
Top 5 Abusive Hosts by Date Range
| Host | First Seen | Last Seen | Behavior |
| --- | --- | --- | --- |
| 18.104.22.168 | 07/01/11 07:00 | 10/25/11 06:54 | Proxy Scanning |
| 22.214.171.124 | 07/01/11 07:00 | 10/25/11 06:51 | Proxy Scanning |
| 126.96.36.199 | 07/01/11 07:06 | 10/25/11 06:57 | Proxy Scanning |
| 188.8.131.52 | 07/01/11 07:07 | 10/25/11 06:56 | Proxy Scanning |
| 184.108.40.206 | 07/01/11 07:08 | 10/25/11 06:54 | Proxy Scanning |
The following table lists the top 5 abusive hosts by transaction count. These tend to be hosts that attempt to forward bulk transactions through proxies, such as forum spam and brute-force attempts. Consistent with the ASN ranking by abusive transactions above, two Amazon EC2 systems (220.127.116.11, 248) are at the top of the list.
Top 5 Abusive Hosts by Transactions
The bulk of the top sites by transaction are forum spam sites - in the top instances, the forums being abused are in Vietnam. One brute-forcing target is in the top 5, which is the Rapidshare file host. The bulk of the top services being used/abused by number of clients are proxy checkers - the Chinese service sina.com.cn was also listed in the top as a spam bot / brute-forcing target.