The$Reputaon$of$Networks$– LACNIC$Region$ · The$Reputaon$of$Networks$– LACNIC$Region$ Manish$Karir,$Kyle$Creyts$ (MeritNetwork$Inc)$ Arturo$Servin$ (LACNIC)$

The Reputa*on of Networks – LACNIC Region

Manish Karir, Kyle Creyts (Merit Network Inc)

Arturo Servin (LACNIC)

Outline

•  Goal •  Background: IPv4 address alloca*on distribu*on in LACNIC, commonly used blocklists

•  Analysis –  foreach(country, asn, bgp prefix)

•  SPAM Lists Distribu*on •  Malware/Phishing Lists Distribu*on •  Ac*ve Malicious Ac*vity Lists •  Highlight points of interest in data

•  Network Reputa*on Discussion

Common Reputa*on Block Lists (RBLs)

•  RBLs are mostly lists of IP addresses of domains that have been observed to par*cipate in suspicious behavior

•  RBLs can be clustered by type of ac*vity on which it is based: –  SPAM Lists: SPAMHAUS(CBL), BRBL, SpamCop, wpbl,

UCEPROTECT –  Malware/Phishing hostsing: SURBL (mul*), phishtank, hpHosts –  Ac*ve ATack Behavior: Darknet Scanner (merit), Dshield, ssh

brute-‐force (fail2ban, denyhosts) •  Our goal is to analyze rela*ve distribu*on of hosts on these

lists to determine if there are some common traits that can broadly characterize the observed rela*ve malicious ac*vity origina*ng from a country, ASN, and prefix

LACNIC Address Space Distribu*on by Country

•  Roughly 454K/24 blocks allocated ~ 116M IP addresses

•  Brazil, Mexico, and Argen*na together account for almost 75% of all alloca*ons

0 5 10 15 20 25 30 35 40 45 50

BR MX AR CO CL VE PE CR EC PA UY DO GT SV BO TT PY AN NI HN HT CU BZ SR GY AW GF

Millions

Total IP Address Alloca2on

BR; 40%

MX; 22%

AR; 11%

CO; 6%

CL; 6%

VE; 4%

PE; 2%

CR; 2% EC; 1%

PA; 1% UY; 1% DO; 1% GT; 0% SV; 0% BO; 0% TT; 0% PY; 0% AN; 0% NI; 0% HN; 0% HT; 0% CU; 0% BZ; 0% SR; 0% GY; 0% AW; 0% GF; 0%

total

SPAM Lists Distribu*on Analysis

•  Consider 3 largest/most popular SPAM Lists: –  Barracuda BRBL –  SPAMHAUS – CBL –  SpamCop – Other SPAM data sources as well such as weighted private block list (wpbl), UCEPROTECT also analyzed but omiTed here due to similarity

•  Determine por*ons of those lists relevant to the LACNIC region

•  Determine rela*ve distribu*on by country within LACNIC region

SPAM Lists Distribu*on by Country

List Total IPs LACNIC IPs

Barracuda 128M 22.7M (17%)

SPAMHAUS CBL 8.1M 1M (12%)

SpamCop 325K 28K (8%)

BR; 50%

MX; 8%

AR; 12%

CO; 11%

CL; 7%

VE; 2%

PE; 3%

CR; 0% EC; 0%

PA; 0% UY; 1% DO; 2% GT; 1% SV; 1% BO; 0% TT; 0% PY; 0% AN; 0% NI; 0% HN; 0% HT; 0% CU; 0% BZ; 0% SR; 0% GY; 0% AW; 0% GF; 0%

BRBL

BR; 46%

MX; 4%

AR; 10%

CO; 9%

CL; 7%

VE; 4% PE; 8%

CR; 0% EC; 0%

PA; 0%

UY; 2% DO; 7%

GT; 1%

SV; 0% BO; 2% TT; 0% PY; 0% AN; 0% NI; 0% HN; 0% HT; 0% CU; 0% BZ; 0% SR; 0% GY; 0% AW; 0% GF; 0%

CBL

BR; 54%

MX; 3%

AR; 9%

CO; 9%

CL; 4%

VE; 2%

PE; 6%

CR; 1%

EC; 0%

PA; 0%

UY; 1% DO; 6%

GT; 1%

SV; 0% BO; 2% TT; 0% PY; 0% AN; 0% NI; 0% HN; 0% HT; 0% CU; 0% BZ; 0% SR; 0% GY; 0% AW; 0% GF; 0%

spamcop

SPAM List Rela*ve Distribu*on

•  In general: countries with larger alloca*ons have more entries in block lists – expected if you assume infec*on rates are a steady fact of life and on average x% of any given IP address range will be on a block list

•  But what happens when we look at block list entries rela*ve to alloca*on sizes

•  We should look at both the large and the small ends of alloca*on spectrum

Rela*ve SPAM List Distribu*on by Country

Barracuda Reputa*on Block List

Percen

tage of A

ddress Space

0

5

10

15

20

25

30

35

40

45

50

0

2

4

6

8

10

12


Millions

Millions

0

5

10

15

20

25

30

35

40

45

50

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

0.4

0.45

0.5


Millions

Rela*ve BRBL

Rela*ve SPAM List Distribu*on by Country

Percen

tage of A

ddress Space

CBL

Rela*ve CBL

0

5

10

15

20

25

30

35

40

45

50

0

0.01

0.02

0.03

0.04

0.05

0.06

0.07

0.08

0.09


Millions

0

5

10

15

20

25

30

35

40

45

50

0

50

100

150

200

250

300

350

400

450

500


Millions

Thou

sand

s

SPAM List Discussion •  All networks are not created equal when it comes to entries on a

SPAM list •  Interes*ng things to no*ce:

–  Almost 45% of Dominican Republic is on BRBL –  Almost 35% of Uruguay is on BRBL –  Almost 25% of Brazil is on BRBL but that is 11M IPs –  More than half of the countries have greater than 10% of their IP

addresses on BRBL –  Only 6% of Mexico IP address space is on BRBL which which is

uncharacteris*cally low –  CBL stats are lower in terms of absolute numbers but rela*ve trends

are consistent

•  What accounts for these regional varia*ons? Local policy? Connec*vity? Network topology?

Malware/Phishing Lists Distribu*on Analysis

•  Consider 3 common malware/phishing Lists: –  SURBL –  hpHosts –  phishtank – Other popular data sources as well such as malwaredomains and malwaredomainsList are included in the SURBL-‐mul* dataset.

•  Determine por*ons of those lists relevant to the LACNIC region

•  Determine rela*ve country distribu*on within LACNIC region

Malware/Phishing Lists by Country


SURBL 360K 3K (<1%)

Hphosts 185K 2K (<2%)

Phishtank 4700 124 (< 3%)

BR; 20%

MX; 0%

AR; 38% CO; 9% CL; 2%

VE; 0%

PE; 0%

CR; 0%

EC; 0%

PA; 28%

UY; 0% DO; 0% GT; 0% SV; 0% BO; 0% TT; 0%

PY; 0%

AN; 1% NI; 2% HN; 0% HT; 0% CU; 0% BZ; 0% SR; 0% GY; 0% AW; 0% GF; 0%

surbl

BR; 83%

MX; 1%

AR; 8%

CO; 1% CL; 2%

VE; 0% PE; 0%

CR; 0% EC; 0% PA; 3%

UY; 0% DO; 0% GT; 0% SV; 0%

BO; 0%

TT; 0% PY; 0%

AN; 2%

NI; 0% HN; 0% HT; 0% CU; 0% BZ; 0% SR; 0% GY; 0% AW; 0% GF; 0%

hphosts

BR; 89%

MX; 1%

AR; 3% CO; 2% CL; 4% VE; 0% PE; 1% CR; 0% EC; 0% PA; 1% UY; 0% DO; 0% GT; 0% SV; 0% BO; 0% TT; 0% PY; 0% AN; 0% NI; 0% HN; 0% HT; 0% CU; 0% BZ; 0% SR; 0% GY; 0% AW; 0% GF; 0%

phishtank

Malware/Phishing Discussion

•  In general, LACNIC region ac*vity on malware/phishing lists is uncharacteris*cally low

•  Argen*na rela*vely higher percentage of Malware/Phishing listed domains ~ 40% of all LACNIC region domains on SURBL list.

•  Panama and Brazil account for another 30% and 20% of SURBL list respec*vely. All others much smaller numbers

•  Brazil accounts for >80% of entries on hpHosts and phishtank.

Ac*ve Malicious Ac*vity by Country BR; 0% MX; 0% AR; 0% CO; 0% CL; 0% VE; 0% PE; 0% CR; 0% EC; 0%

PA; 100%

UY; 0% DO; 0% GT; 0% SV; 0% BO; 0% TT; 0% PY; 0% AN; 0% NI; 0% HN; 0% HT; 0% CU; 0% BZ; 0% SR; 0% GY; 0% AW; 0% GF; 0%

zeus

BR; 56%

MX; 6%

AR; 13%

CO; 6%

CL; 5%

VE; 4%

PE; 3%

CR; 0% EC; 1% PA; 0%

UY; 2% DO; 2% GT; 1% SV; 0% BO; 1% TT; 0% PY; 0% AN; 0% NI; 0% HN; 0% HT; 0% CU; 0% BZ; 0% SR; 0% GY; 0% AW; 0% GF; 0%

dshield

BR; 64%

MX; 2%

AR; 17%

CO; 4%

CL; 4%

VE; 4%

PE; 0%

CR; 0% EC; 0% PA; 0% UY; 3% DO; 0% GT; 0% SV; 0% BO; 0% TT; 0% PY; 0% AN; 0% NI; 0% HN; 0% HT; 0% CU; 0% BZ; 0% SR; 0% GY; 0% AW; 0% GF; 0%

Darknet Scanning

BR; 22%

MX; 6%

AR; 16%

CO; 15%

CL; 18%

VE; 8%

PE; 4%

CR; 2% EC; 2%

PA; 4%

UY; 1%

DO; 1% GT; 1% SV; 0% BO; 0% TT; 0% PY; 0% AN; 0% NI; 0% HN; 0% HT; 0% CU; 0% BZ; 0% SR; 0% GY; 0% AW; 0% GF; 0%

Ssh brute-‐force

Ac*ve Malicious Ac*vity Discussion

•  Brazil is ~ 65% of darknet scanning ac*vity from LACNIC region, Argen*na is almost 17% but Mexico is only 2%

•  Chile is 18% of ssh brute-‐force list and Columbia is 15% same as Argen*na which is 16% while Brazil is only 22%


ssh brute-‐force

68K 11.6K (17%)

Dshield 754K 61K (8%)

Darknet Scanning

156K 28K (17%)

Zeus 215 1 (0%)

Address Distribu*on by ASN

•  Roughly 1100 ASNs in use in LACNIC region •  They account for roughly 31K of prefixes in the BGP rou*ng table (total 360K entries)

•  A total of 130M IPs •  We focus on the largest 100 ASNs

0

2

4

6

8

10

12

14

8151

7738

28573

8167

27699

4230

18881

8048

26599

26615

22047

11556

10318

22927

10429

7303

22085

6503

10620

10481

6147

6057

19429

11830

14522

3816

13999

13489

7418

1916

12252

11664

6471

27747

6458

11172

17379

22833

5639

7162

6306

26611

2715

11888

16735

15180

6332

19037

14259

Millions

total

Top 10 ASNs by Size ASN Name IP Addresses

8151 Uninet S.A. de C.V. 12M (9%)

7738 Telecomunicacoes da Bahia S.A.

12M (9%)

28573 NET Servicos de Comunicao S.A.

7M (5.3%)

8167

TELESC -‐ Telecomunicacoes de Santa Catarina SA

6M (4.6%)

27699 TELECOMUNICACOES DE SAO PAULO S/A -‐ TELESP

4.8M (3.7%)

4230 Embratel 3.7M (2.8%)

18881 Global Village Telecom 3.3M (2.5%)

8048 CANTV Servicios, Venezuela

3.2M (2.4%)

26599 Telesp Celular S.A. 2.8M (2.1%)

26615 Tim Celular S.A. 2.6M (2%)

SPAM List IP Distribu*on by ASN BRBL

Rela*ve BRBL

8151

7738

28573

4230 0

2

4

6

8

10

12

14

0

1

2

3

4

5

6

7

8

8151

28573

27699

18881

26599

22047

10318

10429

22085

10620

6147

19429

14522

13999

7418

12252

6471

6458

17379

5639

6306

2715

16735

6332

14259

23201

27925

1251

6505

27921

27947

21575

6429

14571

16814

20312

10954

14080

3790

16629

10715

13878

20191

22689

27889

28548

14754

27831

278

7137

Millions

Millions

Telecomunicacoes da Bahia S.A.

Uninet S.A. de C.V.

NET Servicos de Comunicao S.A

Embratel

7738 27699

4230

26599 7418 6458

19037

6400

28548

0

2

4

6

8

10

12

14

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

8151

28573

27699

18881

26599

22047

10318

10429

22085

10620

6147

19429

14522

13999

7418

12252

6471

6458

17379

5639

6306

2715

16735

6332

14259

23201

27925

1251

6505

27921

27947

21575

6429

14571

16814

20312

10954

14080

3790

16629

10715

13878

20191

22689

27889

28548

14754

27831

278

7137

Cablevision, S.A. de C.V.

Telesp Celular S.A.

Telecomunicacoes da Bahia S.A. TELEFÓNICA CHILE S.A.

Telgua

TELECOMUNICACOES DE SAO PAULO

CTI Compania de Telefonas

SPAM List IP Address Distribu*on by ASN Discussion

•  Top 10 network AS7738 -‐ Telecomunicacoes da Bahia S.A. accounts for over 7M IPs on BRBL which is over 60% of its total address space

•  AS 8151-‐ Uninet S.A. de C.V and AS7738 -‐ Telecomunicacoes da Bahia S.A. both have almost same amount of amount of address space 11M IPs yet AS 8151 has only 1M addresses on BRBL

•  AS28548 -‐ Cablevision, S.A. de C.V. is almost en*rely on BRBL

•  18 of the largest 100 ASNs have more than 50% of their address space on the BRBL

•  AS4230 – Embratel has over 3M IPs but rela*vely negligible number of entries on BRBL

ASN IP Blocklis*ng Distribu*on

•  Top 1000 ASNs with largest percentage of their networks on SPAM blocklists

•  Almost 100 ASNs have atleast 20% of their IPs on BRBL

•  Almost 40 ASNs have atleast 2% of their IPs on CBL

CBL

BRBL

0

2

4

6

8

10

12

14

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

1 35

69

103

137

171

205

239

273

307

341

375

409

443

477

511

545

579

613

647

681

715

749

783

817

851

885

919

Millions

0

2

4

6

8

10

12

14

0

0.02

0.04

0.06

0.08

0.1

0.12

0.14

0.16

1 38

75

112

149

186

223

260

297

334

371

408

445

482

519

556

593

630

667

704

741

778

815

852

889

926

963

Malware/Phishing Domains Distribu*on by ASN

•  AS26608 -‐ SkyOnline de Argen*na, represents 35% of SURBL LACNIC region entries and 43% of hphosts entries

•  AS 52239 -‐ Desarrollos Digitales is the next highest contributor with 12% and 14%

•  AS 282997 -‐ CYBERWEB is almost 56% of LACNIC region phishtank entries. and AS7162 Itanet – is 20% of phishtank entries

•  Consistency across surbl and hpHosts entries but different ASN with phishtank

26608; 35%

52239; 12%

7162; 7% 28299; 5%

28636; 5%

28639; 3% 16397; 2%

27715; 2%

16814; 2% 28271; 2%

10429; 2%

52236; 2% 20207; 2%

27823; 2%

14259; 2%

27664; 1% 26505; 1%

7738; 1%

18479; 1% 16629; 1%

18881; 1%

28666; 1% 7303;

1%

10318; 1% 25933; 1% 8167; 0% 3816; 0% 52302; 0% 22047; 0% 4230; 0% 27956; 0% 17379; 0% 21599; 0% 10481; 0% 11664; 0% 28286; 0% 26105; 0% 27990; 0% 3790; 0% 26592; 0% 6429; 0% 6147; 0% 19182; 0% 8151; 0% 22566; 0% 14463; 0% 28576; 0% 28669; 0% 19089; 0% 23201; 0% 11419; 0% 52270; 0% 28630; 0% 16973; 0% 13489; 0% 10617; 0% 23106; 0% 28509; 0% 11835; 0% 6503; 0% 11830; 0% 16735; 0% 28111; 0% 22724; 0% 14080; 0% 16849; 0% 28373; 0% 28546; 0% 27779; 0% 13591; 0% 11432; 0% 15180; 0% 27876; 0% 10733; 0% 28548; 0% 27695; 0% 10299; 0% 22368; 0% 19037; 0% 6400; 0% 27831; 0% 27845; 0% 28668; 0% 14754; 0% 6458; 0% 27650; 0% 12066; 0% 7418; 0% 27839; 0% 20255; 0% 26599; 0% 27699; 0% 28652; 0% 27708; 0% 28118; 0% 22501; 0% 28554; 0% 28573; 0% 11816; 0%

surbl

26608; 43%

52239; 14% 7162; 8%

28299; 3% 28636; 3%

28639; 2%

16397; 2%

27715; 2%

16814; 2% 28271; 2%

10429; 1%

52236; 1%

20207; 1% 27823; 1%

14259; 1% 27664; 1%

26505; 1% 7738; 1%

18479; 1% 16629; 1% 18881; 0% 28666; 0% 7303; 0% 10318; 0% 25933; 0% 8167; 0% 3816; 0% 52302; 0% 22047; 0% 4230; 0% 27956; 0% 17379; 0% 21599; 0% 10481; 0% 11664; 0% 28286; 0% 26105; 0% 27990; 0% 3790; 0% 26592; 0% 6429; 0% 6147; 0% 19182; 0% 8151; 0% 22566; 0% 14463; 0% 28576; 0% 28669; 0% 19089; 0% 23201; 0% 11419; 0% 52270; 0% 28630; 0% 16973; 0% 13489; 0% 10617; 0% 23106; 0% 28509; 0% 11835; 0% 6503; 0% 11830; 0% 16735; 0% 28111; 0% 22724; 0% 14080; 0% 16849; 0% 28373; 0% 28546; 0% 27779; 0% 13591; 0% 11432; 0% 15180; 0% 27876; 0% 10733; 0% 28548; 0% 27695; 0% 10299; 0% 22368; 0% 19037; 0% 6400; 0% 27831; 0% 27845; 0% 28668; 0% 14754; 0% 6458; 0% 27650; 0% 12066; 0% 7418; 0% 27839; 0% 20255; 0% 26599; 0% 27699; 0% 28652; 0% 27708; 0% 28118; 0% 22501; 0% 28554; 0% 28573; 0% 11816; 0%

hphosts

28299; 56% 7162; 20%

16397; 5%

7738; 3%

18479; 2%

13878; 2%

14259; 1%

16685; 1% 6147; 1%

18881; 1%

10318; 1%

27715; 1% 27823; 1% 7418; 0% 17379; 0%

26592; 0%

16735; 0%

14868; 0%

15311; 0% phishtank

Ac*ve Malicious Ac*vity by ASN

7738; 31%

27699; 24%

28573; 9%

18881; 5%

8167; 5%

22927; 2%

8151; 2%

8048; 2% 6057; 1%

7303; 1%

6147; 1%

26615; 1%

3816; 1%

19429; 1% 27747; 1%

26599; 1%

22047; 1% 4230; 0% 6400; 0% 10318; 0% 10620; 0% 7418; 0% 22085; 0% 6458; 0% 27925; 0% 11664; 0% 10481; 0% 19182; 0% 10429; 0% 13489; 0% 10834; 0% 6568; 0% 14420; 0% 16735; 0% 14117; 0% 25620; 0% 11556; 0% 6503; 0% 6535; 0% 21826; 0% 16814; 0% 6471; 0% 27724; 0% 5639; 0% 17379; 0% 28666; 0% 11888; 0% 13999; 0% 22833; 0% 23201; 0% 11315; 0% 27831; 0% 6306; 0% 14754; 0% 14522; 0% 12066; 0% 27680; 0% 6332; 0% 19037; 0% 14259; 0% 27833; 0% 12252; 0% 18809; 0% 27665; 0% 19422; 0% 11830; 0% 26611; 0% 14080; 0% 27984; 0% 28281; 0% 27695; 0% 22368; 0% 1916; 0% 28118; 0% 28024; 0% 22689; 0% 11172; 0% 23243; 0% 26210; 0% 20299; 0% 27717; 0% 27947; 0% 27775; 0% 27889; 0% 28548; 0% 2715; 0% 10299; 0% 22566; 0% 28620; 0% 27927; 0% 27879; 0% 8163; 0% 28652; 0% 14571; 0% 52228; 0% 6429; 0% 28497; 0% 18678; 0% 28038; 0%

Darknet Scanning

7738; 23%

27699; 15%

28573; 7% 18881; 7% 8167; 7%

22927; 3%

8151; 3%

8048; 2% 6057; 2%

7303; 2% 6147; 2%

26615; 2% 3816; 2%

19429; 1% 27747; 1% 26599; 1%

22047; 1%

4230; 1% 6400; 1%

10318; 1% 10620; 1%

7418; 1% 22085; 1%

6458; 1% 27925; 1%

11664; 1%

10481; 1% 19182; 1% 10429; 0% 13489; 0% 10834; 0% 6568; 0% 14420; 0% 16735; 0% 14117; 0% 25620; 0% 11556; 0% 6503; 0% 6535; 0% 21826; 0% 16814; 0% 6471; 0% 27724; 0% 5639; 0% 17379; 0% 28666; 0% 11888; 0% 13999; 0% 22833; 0% 23201; 0% 11315; 0% 27831; 0% 6306; 0% 14754; 0% 14522; 0% 12066; 0% 27680; 0% 6332; 0% 19037; 0% 14259; 0% 27833; 0% 12252; 0% 18809; 0% 27665; 0% 19422; 0% 11830; 0% 26611; 0% 14080; 0% 27984; 0% 28281; 0% 27695; 0% 22368; 0% 1916; 0% 28118; 0% 28024; 0% 22689; 0% 11172; 0% 23243; 0% 26210; 0% 20299; 0% 27717; 0% 27947; 0% 27775; 0% 27889; 0% 28548; 0% 2715; 0% 10299; 0% 22566; 0% 28620; 0% 27927; 0% 27879; 0% 8163; 0% 28652; 0% 14571; 0% 52228; 0% 6429; 0% 28497; 0% 18678; 0% 28038; 0%

dshield

27747; 11%

6535; 10%

10620; 7%

11664; 6%

8167; 5%

6147; 4%

8048; 3% 28573; 3% 18881; 3% 21826; 3% 18809; 3% 27699; 3%

7738; 3%

3816; 2% 4230; 2% 11888; 2%

22047; 2% 8151; 1% 19429; 1%

Ssh brute-‐force AS 7738 -‐ Telecomunicacoes da Bahia S.A. AS 27699 -‐ TELECOMUNICACOES DE SAO PAULO AS 27747 -‐ Telecentro S.A. AS 28573 -‐ NET Servicos de Comunicao S.A. AS6535 -‐ Telmex Servicios

Ac*ve Malicious Ac*vity Discussion

•  AS7738 -‐ Telecomunicacoes da Bahia represents 31% of all darknet scanning ac*vity from LACNIC region and AS 27699 represents another 24%

•  Consistency between Darknet scanners list and Dshield data

•  AS 6535 -‐ Telmex Servicios, Mexico accounts for 10% of ssh brute-‐force entries


ssh brute-‐force

68K 11.6K (17%)

Dshield 754K 61K (8%)

Darknet Scanning

156K 28K (17%)

Zeus 215 1 (0%)

BGP Prefix SPAM List IP Distribu*on

•  BGP LACNIC region prefixes 31290 out of total rou*ng table of ~370K •  No surprise that large prefixes have large numbers of IPs in BRBL •  BUT – s*ll a surprise that 12 prefixes (all /14s) have over 150K IPs in the BRBL •  189.104.0.0/14– Telemar Norte has 250K IPs out of an alloca*on of 254K on BRBL •  187.88.0.0/14-‐ Vivo S.A has 240K IPs out of254K on BRBL •  All 50 prefixes shown above have atleast 50K IPs on BRBL the equivalent of 195 /24

blocks

BRBL 189.104.0.0/14

0

50

100

150

200

250

300

0

50

100

150

200

250

300

189.104.0.0/14

187.88.0.0/14

187.24.0.0/14

187.40.0.0/14

189.80.0.0/14

187.12.0.0/14

187.116.0.0/14

189.92.0.0/14

187.76.0.0/14

189.72.0.0/14

190.132.0.0/14

187.112.0.0/14

189.70.0.0/15

187.4.0.0/14

187.56.0.0/15

189.96.0.0/15

187.52.0.0/14

190.188.0.0/14

189.98.0.0/15

190.16.0.0/14

189.26.0.0/15

187.68.0.0/14

190.178.0.0/15

189.46.0.0/15

186.104.0.0/15

190.172.0.0/15

189.78.0.0/15

189.68.0.0/15

187.124.0.0/14

201.68.0.0/15

190.176.0.0/15

187.58.0.0/15

189.30.0.0/15

201.42.0.0/15

189.18.0.0/15

189.114.0.0/15

189.58.0.0/15

190.244.0.0/14

201.66.0.0/15

186.212.0.0/14

201.92.0.0/15

189.110.0.0/15

187.10.0.0/15

190.174.0.0/15

187.34.0.0/15

189.64.0.0/15

189.116.0.0/15

187.74.0.0/15

186.58.0.0/15

Thou

sand

s

Thou

sand

s Telemar Norte

BGP Prefix SPAM List IP Distribu*on

•  Even for CBL all 50 of the prefixes shown above have almost 5K or more IPs listed

•  189.104.0.0/14 – Telemar Norte has almost 23K IPs listed in the CBL •  187.12.0.0/14 -‐ Comite Gestor da Internet no Brasil -‐ has roughly

18K IPs listed in CBL

CBL

0

50

100

150

200

250

300

0

5

10

15

20

25

189.104.0.0/14

187.12.0.0/14

187.40.0.0/14

189.80.0.0/14

186.6.0.0/16

187.76.0.0/14

189.72.0.0/14

190.167.0.0/16

189.70.0.0/15

187.124.0.0/14

187.52.0.0/14

190.42.0.0/16

200.88.0.0/16

187.41.0.0/16

201.240.0.0/16

189.104.0.0/16

187.112.0.0/14

187.13.0.0/16

187.4.0.0/14

189.30.0.0/15

190.132.0.0/14

186.212.0.0/14

189.106.0.0/16

201.66.0.0/15

187.79.0.0/16

201.50.0.0/16

186.58.0.0/15

187.40.0.0/16

187.14.0.0/16

187.78.0.0/16

189.24.0.0/16

190.178.0.0/15

190.166.0.0/16

189.82.0.0/16

189.26.0.0/15

187.126.0.0/16

177.16.0.0/14

201.58.0.0/16

187.15.0.0/16

186.104.0.0/15

201.8.0.0/16

189.25.0.0/16

201.78.0.0/16

201.79.0.0/16

201.88.0.0/15

189.10.0.0/15

187.127.0.0/16

201.230.0.0/16

190.172.0.0/15

Thou

sand

s

Thou

sand

s

Rela*ve Amounts of IP addresses in SPAM lists

•  2000 LACNIC region prefixes have over 90% of their address space included in the BRBL

•  Over 5300 prefixes out of all LACNIC region prefixes have more than 50% of their IP address block listed in the BRBL

BRBL-‐R

0

2000

4000

6000

8000

10000

12000

14000

16000

18000

0.9984

0.9986

0.9988

0.999

0.9992

0.9994

0.9996

0.9998

1

1.0002

190.26.128.0/20

190.66.144.0/20

190.27.32.0/20

190.13.48.0/21

190.96.200.0/21

190.13.40.0/21

190.96.144.0/21

190.13.32.0/21

190.96.136.0/21

190.68.4.0/22

190.13.56.0/22

190.94.58.0/23

190.94.10.0/23

190.24.48.0/20

189.92.128.0/18

189.93.128.0/18

190.27.32.0/19

190.252.224.0/20

190.69.48.0/20

190.24.80.0/20

190.25.48.0/20

190.24.64.0/20

190.102.208.0/21

190.96.152.0/21

190.68.32.0/21

189.93.192.0/18

187.24.0.0/18

190.28.128.0/18

190.71.0.0/18

190.26.32.0/19

190.66.160.0/20

190.27.16.0/20

170.51.128.0/18

187.24.192.0/18

187.25.128.0/18

190.67.224.0/19

190.66.128.0/18

190.26.160.0/20

190.255.160.0/20

190.254.224.0/20

190.252.240.0/20

190.255.240.0/20

190.68.16.0/20

190.69.136.0/21

190.255.160.0/21

190.252.248.0/21

190.255.80.0/21

190.94.64.0/21

190.96.184.0/21

Rela*ve Amounts of IP Address in SPAM Lists

•  40 prefixes have atleast 20% of their IPs listed in CBL •  200.39.21.0/24 -‐ Pegaso PCS, Mexico has 50% of its space on CBL but 186.6.0.0/16 – CODETEL has 55% of its block on CBL

0

10

20

30

40

50

60

70

0

0.1

0.2

0.3

0.4

0.5

0.6

200.39.21.0/24

190.94.8.0/23

186.2.144.0/24

190.181.37.0/24

200.108.108.0/24

190.181.36.0/24

186.120.120.0/22

190.186.4.0/22

190.181.24.0/24

190.181.22.0/24

201.222.115.0/24

201.222.81.0/24

190.186.25.0/24

190.181.23.0/24

190.181.32.0/22

190.186.27.0/24

190.124.86.0/23

190.237.120.0/21

190.103.64.0/20

200.49.190.0/24

200.90.149.0/24

190.6.142.0/24

200.85.24.0/22

201.164.70.0/23

186.120.64.0/21

190.181.25.0/24

190.124.90.0/23

206.107.149.0/24

190.186.125.0/24

200.58.72.0/22

189.206.22.0/24

190.186.124.0/24

190.42.100.0/24

186.120.160.0/21

186.6.0.0/16

190.124.80.0/23

190.186.20.0/22

190.186.4.0/23

200.58.80.0/22

190.238.192.0/19

190.9.118.0/24

190.233.0.0/19

190.124.88.0/23

190.186.64.0/24

190.233.0.0/18

190.233.32.0/19

200.49.190.0/23

201.222.112.0/22

190.124.92.0/23

Thou

sand

s

Malware/Phishing IP Address Distribu*on

•  Rela*ve percentages of IPs for the top 50 prefixes for each data type are shown above

•  200.105.0.0/18 – SkyOnline, Argen*na represents 23% of all surbl entries from top 50 prefixes

•  187.31.0.0/16 -‐ Internet Group, Brazil represents 50% of hpHosts entries.

200.105.0.0/18; 23%

200.69.68.0/22; 7%

201.71.192.0/20; 6%

200.69.92.0/23; 4%

201.77.96.0/20; 3%

189.38.80.0/20; 3%

201.20.32.0/20; 2%

200.69.84.0/23; 2%

200.69.78.0/24; 2%

200.69.94.0/24; 2%

200.98.0.0/16; 2%

200.98.192.0/18; 2%

190.106.165.0/24; 2%

189.38.88.0/21; 2%

190.99.84.0/24; 2%

190.99.85.0/24; 2%

190.99.81.0/24; 2%

200.69.89.0/24; 2%

201.33.22.0/24; 2%

surbl

187.31.0.0/16; 52%

187.45.192.0/19; 5%

187.17.64.0/18; 3%

187.17.96.0/19; 3%

200.234.192.0/20; 3%

201.7.176.0/20; 3%

200.98.0.0/16; 3% 200.98.192.0/1

8; 3%

201.33.17.0/24; 2%

200.124.128.0/20; 2%

189.38.80.0/20; 1% 201.76.32.0/19;

1%

187.45.224.0/19; 1%

200.58.114.0/24; 1%

190.228.24.0/21; 1%

200.147.0.0/16; 1%

200.147.0.0/17; 1%

189.38.88.0/21; 1%

200.58.120.0/24; 1%

hphosts

Ac*ve Malicious Ac*vity List IP Distribu*on

•  Rela*ve percentages of IPs in the top 50 prefixes are shown above

•  No clear outliers in terms of prefixes which have excep*onal Darknet scanning ac*vity or Dshield entries

•  190.209.0.0/16, 186.36.128.0/17 – TELMEXCHILE represents 25% of ssh brute-‐force aTempts

189.104.0.0/14; 5% 187.12.0.0/14;

4%

187.56.0.0/15; 3%

187.40.0.0/14; 3% 187.112.0.0/14;

3% 189.80.0.0/14;

3% 187.76.0.0/14;

3% 189.46.0.0/15; 3%

189.18.0.0/15; 3% 186.212.0.0/14;

3% 187.124.0.0/14;

3% 189.72.0.0/14; 3%

187.10.0.0/15; 3%

187.74.0.0/15; 2%

189.110.0.0/15; 2%

201.42.0.0/15; 2%

187.34.0.0/15; 2%

177.16.0.0/14; 2%

189.68.0.0/15; 2%

190.132.0.0/14; 2%

187.4.0.0/14; 2%

187.52.0.0/14; 2%

201.92.0.0/15; 2%

189.70.0.0/15; 2%

189.78.0.0/15; 2%

190.172.0.0/15; 2%

200.70.0.0/16; 2%

189.46.0.0/16; 2%

187.41.0.0/16; 2% 187.10.0.0/16;

2%

187.56.0.0/16; 2%

189.26.0.0/15; 2%

186.58.0.0/15; 2%

187.13.0.0/16; 1%

189.106.0.0/16; 1%

201.92.0.0/16; 1%

187.126.0.0/16; 1%

187.15.0.0/16; 1% 177.40.0.0/14;

1%

189.18.0.0/16; 1%

189.110.0.0/16; 1% 187.58.0.0/15;

1% 189.19.0.0/16;

1% 187.79.0.0/16; 1%

189.24.0.0/16; 1%

189.104.0.0/16; 1%

187.14.0.0/16; 1%

177.28.0.0/14; 1%

190.174.0.0/15; 1% dshield 187.56.0.0/15;

4% 187.12.0.0/14;

4% 187.74.0.0/15; 3%

189.46.0.0/15; 3%

187.34.0.0/15; 3%

187.10.0.0/15; 3%

189.110.0.0/15; 3% 190.132.0.0/14;

3% 189.18.0.0/15; 3%

201.42.0.0/15; 3%

189.68.0.0/15; 3%

189.104.0.0/14; 3%

189.78.0.0/15; 3%

201.92.0.0/15; 2%

187.56.0.0/16; 2%

187.124.0.0/14; 2%

189.110.0.0/16; 2%

187.10.0.0/16; 2%

190.172.0.0/15; 2%

Darknet Scanning

190.209.0.0/16; 17%

186.36.128.0/17; 6%

186.18.0.0/16; 5%

186.36.0.0/17; 5%

186.19.0.0/16; 5% 186.22.0.0/15;

5% 190.208.64.0/1

8; 5% 186.34.0.0/16;

4% 190.218.0.0/16;

3% 190.140.0.0/16;

2% 190.221.64.0/1

8; 2%

187.4.0.0/14; 2%

190.41.0.0/16; 2%

189.72.0.0/14; 2%

190.219.0.0/16; 2%

190.221.192.0/18; 2%

190.55.128.0/18; 2%

190.221.192.0/19; 1%

187.160.0.0/16; 1%

ssh brute-‐force

Discussion •  Network reputa*on is an aTempt to construct a metric or set of

metrics that illustrate the collec*ve reputa*on of all hosts in your administra*ve domain

•  While infected hosts and botnets are a fact of life, how much of such ac*vity represents an acceptable level of network pollu*on 1%? 10% of all hosts?

•  Hosts that engage in malicious ac*vity such as spam, phishing, malware, scanning in a network reduce the externally visible global network reputa*on of that network – it does not go un-‐no*ced

•  It can be seen that not all networks are equal when it comes to network reputa*on. What policies, topology, connec*vity, other factors make some networks beTer than others? How can we learn from them?

•  Reputa*on of hosts on your network has an impact on the usability of your network as por*ons might get blocked for various services

Using Network Reputa*on

•  Network reputa*on is not just something other people know about you

•  You can use it to craq flexible local policies that can beTer manage your risk profile

•  Variable services can be offered to networks with different reputa*ons

•  You can control how much of your network and what services on your network are visible to networks with varying reputa*on levels

•  Reputa*on informa*on can even be a factor in BGP path selec*on algorithm

Network Reputa*on •  Our goal is to develop a comprehensive global network reputa*on system

that computes for each prefix in the BGP rou*ng table a reputa*on metric. •  Varia*ons can allow arbitrary network boundaries not simply BGP

boundaries but that is the star*ng point •  Data from common sources such as RBLs is the star*ng point for

bootstrapping the reputa*on system, however in order to be successful the system must have data from many many vantage points

•  Different networks have different views of reputa*ons of other networks •  The more vantage points you have the closer to “true reputa*on you will

get” •  The system must allow all networks to par*cipate and contribute

reputa*on informa*on regarding all other networks while being resistant to collusion and false repor*ng

•  Current project at Merit Network Inc is building such a system and an effort will soon be made to recruit par*cipant networks on various mailing lists

•  If you would like to par*cipate please send email to: [email protected] •  How reputable is your network?

Documents

The$Reputaon$of$Networks$– LACNIC$Region$ · The$Reputaon$of$Networks$– LACNIC$Region$ Manish$Karir,$Kyle$Creyts$ (MeritNetwork$Inc)$ Arturo$Servin$ (LACNIC)$