Naming and shaming "bad" ISPs

About two years ago, I began an investigation that sought to chart the worst places on the Internet, the red light districts of the Internet, if you will. What I found in the process was that many security experts, companies and private researchers were gathering this intelligence, but few were publishing it. Working with several other researchers, I collected and correlated mounds of data, and published what I could verify in The Washington Post. The subsequent disconnection of the malware- and spammer-friendly providers Atrivo and then McColo in late 2008 showed what can happen when the online community collectively calls out the main centers of evil online.
Fast forward to today, and we see that a large number of organizations publish data on the Internet's top trouble spots. I polled some of the most vigilant of these sources for their latest data, and put together a rough chart indicating the ten most prevalent providers from each of their points of view. [Some remarks on the image below: ISPs or hosts that appear more frequently than others on these lists are color-coded to illustrate the consistency of findings. The ISPs at the top of each list are the "worst," or have the largest number of unresolved abuse issues. "AS" stands for "Autonomous System" and is basically a numerical way to keep track of Internet service providers and hosting providers.]
What you find when you start to delve into these various community watch efforts is not that the networks named are fully or even mostly bad, but that they usually have more than their share of areas that have been captured by the online equivalent of street gangs. The trouble is that all these individual efforts, as a rule, map provider reputation from just one or several points of view, each of which may be restricted in some way by biases, such as the type of threats that they monitor. For example, some measure only phishing attacks, while others focus on charting networks that act as hosts for malware and botnet controllers. Some only take snapshots of evil, as opposed to measuring the evil that has persisted at a given host for a considerable period of time.
In addition, some organizations that measure the evil are limited by their relative level of visibility, or by simple geography. That is, while the Internet is a truly global network, any one watcher's view of things can be colored by where they are located geographically in the world, or where they most often face threats, as well as by their level of visibility beyond their immediate horizon.
In February 2009, I delivered a keynote address at the Messaging Anti-Abuse Working Group (MAAWG) conference in San Francisco, where I was invited to speak about the research that preceded the Atrivo and McColo shutdowns. The biggest point I was trying to hammer home in that speech was that there is a clear need for an authority whose organizing principle is to collect and publish real-time information on the Internet's most dangerous networks. Instead of having 15 or 20 different organizations independently mapping provider reputation, I said, why not create a single entity that does this full-time?
Unfortunately, some of the most clear-cut nests of evil online - the Troyaks of the world and other networks apparently designed from the ground up for cyber-criminals - are obscured for the most part from surface data collection efforts like my simplistic attempt above. For a variety of reasons, uncovering and confirming that level of evil requires a much deeper dive. But even at its most basic, an ongoing, public project that cross-correlates provider reputation data from a multiplicity of points of view could convince legitimate providers - in particular, the major carriers here in the United States - to do a better job of cleaning up their networks.
The following is the first in what I hope will be a series of stories about the various ongoing efforts to measure ISP reputation, and to hold ISPs and Web hosts more responsible for the evil on their networks.

Playing with Fire
I first encountered the Web reputation approach created by researchers at the University of California, Santa Barbara, after reading a paper written last year on the results of hijacking a network of drive-by download sites that are usually leased out to cyber-criminals. Rob Lemos wrote about the work for MIT Technology Review last fall.
Shortly after the Atrivo and McColo outages, the UCSB guys started their own Web reputation-mapping project called Finding Rogue Networks, or FIRE.
Brett Stone-Gross, a Ph.D. candidate in the UCSB Department of Computer Science, said that he and two fellow researchers there set out to find providers that have consistently exhibited a bad reputation.
"The networks found in the FIRE rankings are those that show persistent and long-lived malicious behavior," Stone-Gross said.
The data that informs FIRE's Top 20 comes from several anti-spam feeds, such as Spamcop and PhishTank, and includes data on malware-laden sites from Anubis and Wepawet, open-source software that allows users to scan suspicious files and Web sites. Stone-Gross said the scoring is calculated based on the number of botnet command and control centers, phishing sites and malicious drive-by download servers hosted at those providers, but only if they have been hosted at that provider for a certain number of days.
"The threshold is about a week. In general, you get points for every server error you have, and it is scaled depending on the size," he said. "We take the inverse size of the network (the approximate number of hosts) and some of its aggregate amount of malicious network activity."
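The scoring described above, sketched as an added example (this is not FIRE's own code). The AS numbers, IP addresses and host counts are constructed, and dividing the count of persistent malicious servers by the approximate number of hosts is this example's reading of "inverse size of the network"; the one-week threshold comes from the quote.

```python
from collections import defaultdict
from datetime import date

PERSISTENCE_DAYS = 7  # "The threshold is about a week"

# Constructed observations: (asn, ip, category, first_seen, last_seen).
# ASNs and IPs come from ranges reserved for documentation.
OBSERVATIONS = [
    ("AS64500", "192.0.2.10", "botnet_c2", date(2010, 1, 1), date(2010, 1, 20)),
    ("AS64500", "192.0.2.11", "phishing", date(2010, 1, 5), date(2010, 1, 7)),
    ("AS64500", "192.0.2.12", "drive_by", date(2010, 1, 3), date(2010, 1, 12)),
    ("AS64502", "203.0.113.5", "phishing", date(2010, 1, 9), date(2010, 1, 12)),
] + [
    ("AS64501", f"198.51.100.{n}", "botnet_c2", date(2010, 1, 1), date(2010, 1, 15))
    for n in range(1, 6)
]

# Constructed approximate host counts per autonomous system.
NETWORK_SIZE = {"AS64500": 2_000, "AS64501": 500_000, "AS64502": 1_000}


def persistent_servers(observations, min_days=PERSISTENCE_DAYS):
    """Count distinct malicious IPs per AS that stayed up for min_days or more."""
    ips = defaultdict(set)
    for asn, ip, _category, first_seen, last_seen in observations:
        if (last_seen - first_seen).days >= min_days:
            ips[asn].add(ip)
    return {asn: len(addrs) for asn, addrs in ips.items()}


def badness_scores(observations, sizes, min_days=PERSISTENCE_DAYS):
    """Scale each AS's persistent-server count by the inverse of its size."""
    counts = persistent_servers(observations, min_days)
    return {asn: counts.get(asn, 0) / hosts for asn, hosts in sizes.items()}


def rank(scores):
    """Worst first; ties broken by AS name so the order is stable."""
    return sorted(scores, key=lambda asn: (-scores[asn], asn))


if __name__ == "__main__":
    scores = badness_scores(OBSERVATIONS, NETWORK_SIZE)
    for asn in rank(scores):
        print(f"{asn}  score={scores[asn]:.6f}")
```

In the constructed data the large network hosts more persistent servers in absolute terms, yet the small network ranks worse once size is taken into account, and short-lived sightings do not count at all.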
Stone-Gross said about half of the Top 20 is fairly static. "GigeNET, for example, seems to be the leader in hosting IRC botnets, which has been the case for approximately as long as we have been following this." GigeNET did not return calls seeking comment.
Even with the compensation for size, FIRE lists some of the world's largest providers and hosts noticeably at the top (worst) of its badness index. However, the results of FIRE are consistent with those of groups that measure the evil from other points of view: two major American networks appear again and again on most of these lists: Houston-based ThePlanet.com, and Plano, Texas-based Softlayer Technologies.
Stone-Gross said the main contributor to the problem at many large hosts is the fact that most of them are absentee landlords, with tenants who in some cases have leased and subleased their space to a band of desperadoes.
"What's going on is that they will have perhaps hundreds or even thousands of resellers, and those resellers are often sold to other resellers, and so on," he said. "Top vendors do not want to shut them off immediately, because the mediator can have one bad customer in 50, and they are not law enforcement officers, and they do not feel that it is their work to implement these things."
Sam Fleitman, chief operating officer at Softlayer, said the company is trying to become more proactive in fighting abuse issues on its network. Fleitman said his abuse team has been in contact with a number of groups that measure Web reputation, to see about getting direct feeds of their data.
"Most hosting companies are reactive ... troubleshooting what is reported to them," Fleitman said. "We want to take the initiative. Our aims are identical, and therefore we are trying to get this information in an automated way so that we can take care of these things quickly."
Indeed, shortly after the UCSB team posted its FIRE statistics online, Softlayer approached the group to hear proposals for lowering its ranking, Stone-Gross said.
"They came to us and said, 'We would like to improve that,' so we had to talk to them and gave them a whole bunch of proposals," Stone-Gross said. "That was about three weeks ago, and they have since gone from being consistently in the top 3 worst to usually being much lower on the list."
That is probably the most distinctive aspect of FIRE's approach: it allows users to view not only the amount of abuse reported on a network, but also to drill down into the specific examples and even chart the lifetime of those abuse examples over time.
For example, if you click on this link, you will see the reputation history of ThePlanet.com. The graph in the upper right corner shows that, except for a brief period in mid-2009, ThePlanet has been at or near the top of FIRE's list for much of the past 18 months. Stone-Gross said that one gap corresponds to the time in April last year when the university's server crashed and stopped recording data for a few days.
Click on any historical point on the colored line graphs in the lower left corner, and you can view the IP addresses of the phishing sites, malware and botnet servers at ThePlanet.com that UCSB recorded in that period.
ThePlanet's Yvonne Donaldson declined to discuss FIRE's results, its claim of abuse longevity, or the provider's presence on eight out of ten of the reputation lists as being problematic. In a statement e-mailed to Krebs on Security, she said only that the company takes security very seriously, and that it takes action against customers who violate its acceptable use policies.
"When we find questions about a real threat, we will notify the appropriate authorities," Donaldson said. "We can also take steps to disable or delete the site and to notify customers if a specific site they are hosting is in violation."