Abnormally Malicious Autonomous Systems and Their Internet Connectivity

While many attacks are distributed across botnets, investigators and network operators have recently identified malicious networks through high-profile autonomous system (AS) depeerings and network shutdowns. In this paper, we explore whether some ASs are indeed safe havens for malicious activity. We look for ISPs and ASs that exhibit disproportionately high malicious behavior using 10 popular blacklists, plus local spam data, and extensive DNS resolutions based on the contents of the blacklists. We find that some ASs have over 80% of their routable IP address space blacklisted, while others account for large fractions of all blacklisted IP addresses. Several ASs regularly peer with ASs associated with significant malicious activity. We also find that malicious ASs as a whole differ from benign ones in properties not obviously related to their malicious activities, such as more frequent connectivity changes with their BGP peers. Overall, we conclude that examining malicious activity at AS granularity can unearth networks with lax security or those that harbor cybercrime.
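The abstract separates two per-AS measures that are easy to conflate: the fraction of an AS's own routable address space that is blacklisted (a small AS can score over 80%) and the AS's share of all blacklisted addresses (a large AS can dominate this while only a few percent of its space is listed). The Python below, an added example that is not code from the paper's authors, computes both from a routing table and a blacklist feed. The routing table, the blacklist entries, the RFC 5737 documentation prefixes and the private-use ASNs 64500 to 64503 are all constructed for the example; it also handles the two wrinkles real feeds have, duplicate entries and addresses that no announced prefix covers, and attributes a more-specific prefix to its own origin AS rather than to the AS announcing the covering aggregate.

```python
"""Per-AS blacklist concentration from a routing table and a blacklist feed.

Added example on constructed data; not the paper's code or data.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for a BGP routing table: announced prefix -> origin ASN.
# Prefixes are RFC 5737/6598 documentation space; ASNs are private-use numbers.
ROUTES = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/25": 64500,
    "203.0.113.0/24": 64501,
    "203.0.113.128/26": 64502,   # more-specific carved out of AS 64501's /24
    "100.64.0.0/22": 64503,
}

# Constructed blacklist feed, with a duplicate entry and an unrouted address.
BLACKLIST = (
    ["192.0.2.10", "192.0.2.11", "192.0.2.10",      # 192.0.2.10 listed twice
     "203.0.113.5", "10.9.9.9"]                      # 10.9.9.9 is not routed
    + [f"203.0.113.{i}" for i in range(128, 180)]   # 52 of AS 64502's 64 addresses
    + [f"100.64.1.{i}" for i in range(100)]         # 100 of AS 64503's 1024 addresses
)


def build_table(routes):
    """Parse routes into (network, asn) pairs, most-specific prefix first."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in routes.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def longest_match(table, ip):
    """Return (network, asn) of the most specific prefix covering ip, or None."""
    for net, asn in table:
        if ip in net:
            return net, asn
    return None


def routable_space(table):
    """Addresses actually routed to each AS.

    A prefix's effective size is its address count minus the sizes of the
    more-specific prefixes nested directly inside it, since under longest-prefix
    matching those addresses are routed to the more-specific's origin instead.
    """
    parent = {}
    for net, _ in table:
        containing = [p for p, _ in table if p != net and net.subnet_of(p)]
        parent[net] = max(containing, key=lambda p: p.prefixlen) if containing else None
    effective = {net: net.num_addresses for net, _ in table}
    for net, par in parent.items():
        if par is not None:
            effective[par] -= net.num_addresses
    space = defaultdict(int)
    for net, asn in table:
        space[asn] += effective[net]
    return dict(space)


def as_blacklist_stats(routes, blacklist):
    """Return ({asn: {routable, blacklisted, fraction, share}}, unrouted_count)."""
    table = build_table(routes)
    space = routable_space(table)
    hits = defaultdict(set)        # sets deduplicate repeated feed entries
    unrouted = set()
    for entry in blacklist:
        ip = ipaddress.ip_address(entry)
        match = longest_match(table, ip)
        if match is None:
            unrouted.add(ip)
        else:
            hits[match[1]].add(ip)
    total = sum(len(s) for s in hits.values())
    stats = {}
    for asn, routable in space.items():
        listed = len(hits.get(asn, ()))
        stats[asn] = {
            "routable": routable,
            "blacklisted": listed,
            "fraction": listed / routable,          # share of the AS's own space
            "share": listed / total if total else 0.0,  # share of all listed IPs
        }
    return stats, len(unrouted)


if __name__ == "__main__":
    stats, unrouted = as_blacklist_stats(ROUTES, BLACKLIST)
    print(f"{'ASN':>6} {'routable':>9} {'listed':>7} {'fraction':>9} {'share':>7}")
    for asn, s in sorted(stats.items(), key=lambda kv: kv[1]["fraction"], reverse=True):
        print(f"{asn:>6} {s['routable']:>9} {s['blacklisted']:>7} "
              f"{s['fraction']:>9.3f} {s['share']:>7.3f}")
    print(f"unrouted blacklist entries: {unrouted}")
```

Ranking by `fraction` surfaces AS 64502 (52 of 64 addresses listed), while ranking by `share` surfaces AS 64503, which holds most of the listed addresses but only about ten percent of its own space. The one unrouted entry is reported rather than silently dropped, because a blacklist address with no covering prefix is itself a signal worth inspecting.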
