The Reputation of Networks – LACNIC Region
Manish Karir, Kyle Creyts (Merit Network Inc)
Arturo Servin (LACNIC)
Outline
• Goal
• Background: IPv4 address allocation distribution in LACNIC, commonly used blocklists
• Analysis – foreach(country, asn, bgp prefix)
  – SPAM lists distribution
  – Malware/phishing lists distribution
  – Active malicious activity lists
  – Highlight points of interest in the data
• Network reputation discussion
Common Reputation Block Lists (RBLs)
• RBLs are mostly lists of IP addresses or domains that have been observed to participate in suspicious behavior
• RBLs can be clustered by the type of activity on which they are based:
  – SPAM lists: SPAMHAUS (CBL), BRBL, SpamCop, wpbl, UCEPROTECT
  – Malware/phishing hosting: SURBL (multi), phishtank, hpHosts
  – Active attack behavior: Darknet scanner (Merit), Dshield, ssh brute-force (fail2ban, denyhosts)
• Our goal is to analyze the relative distribution of hosts on these lists to determine if there are some common traits that broadly characterize the observed relative malicious activity originating from a country, ASN, and prefix
LACNIC Address Space Distribution by Country
• Roughly 454K /24 blocks allocated ~ 116M IP addresses
• Brazil, Mexico, and Argentina together account for almost 75% of all allocations
[Bar chart: total IP address allocation per country in millions, BR through GF. Pie chart, share of the total: BR 40%, MX 22%, AR 11%, CO 6%, CL 6%, VE 4%, PE 2%, CR 2%, EC 1%, PA 1%, UY 1%, DO 1%; GT, SV, BO, TT, PY, AN, NI, HN, HT, CU, BZ, SR, GY, AW and GF each round to 0%]
SPAM Lists Distribution Analysis
• Consider the 3 largest/most popular SPAM lists:
  – Barracuda BRBL
  – SPAMHAUS CBL
  – SpamCop
  – Other SPAM data sources such as the weighted private block list (wpbl) and UCEPROTECT were also analyzed but are omitted here because the results are similar
• Determine the portions of those lists relevant to the LACNIC region
• Determine the relative distribution by country within the LACNIC region
SPAM Lists Distribution by Country

List           Total IPs   LACNIC IPs
Barracuda      128M        22.7M (17%)
SPAMHAUS CBL   8.1M        1M (12%)
SpamCop        325K        28K (8%)
[Pie charts, LACNIC entries on each list by country; countries not named each round to 0%]
BRBL: BR 50%, AR 12%, CO 11%, MX 8%, CL 7%, PE 3%, VE 2%, DO 2%, UY 1%, GT 1%, SV 1%
CBL: BR 46%, AR 10%, CO 9%, PE 8%, CL 7%, DO 7%, MX 4%, VE 4%, UY 2%, BO 2%, GT 1%
SpamCop: BR 54%, AR 9%, CO 9%, PE 6%, DO 6%, CL 4%, MX 3%, VE 2%, BO 2%, CR 1%, UY 1%, GT 1%
SPAM List Relative Distribution
• In general, countries with larger allocations have more entries on block lists – expected if you assume infection rates are a steady fact of life and on average x% of any given IP address range will be on a block list
• But what happens when we look at block list entries relative to allocation sizes?
• We should look at both the large and the small ends of the allocation spectrum
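The per-country, per-ASN and per-prefix tallies that the slides build (the "foreach(country, asn, bgp prefix)" analysis, reported both in absolute terms and relative to the size of the address space) as an added example. This is Python written for this page, not code from the presentation or from Merit Network; the allocation table, BGP table and block-list feed are constructed stand-ins using RFC 1918 space and the documentation ASN range 64496–64511, and the function names are this example's own.

```python
"""Block-list exposure by country, origin ASN and BGP prefix.

Added example, not code from the Karir/Creyts/Servin slides. It reproduces
the slides' "foreach(country, asn, bgp prefix)" analysis on constructed data:
an allocation table (prefix -> country, standing in for an RIR delegation
file), a BGP table (prefix -> origin ASN, standing in for a RIB dump) and a
block list of IPv4 addresses. Each listed address is attributed by
longest-prefix match, and every count is reported both absolutely and
relative to the size of the space it falls in.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample tables. RFC 1918 space and documentation ASNs
# (64496-64511) stand in for real LACNIC allocations and routes.
ALLOCATIONS = {            # prefix -> country of allocation
    "10.0.0.0/22": "BR",
    "10.1.0.0/24": "MX",
    "10.2.0.0/23": "AR",
}
BGP_TABLE = {              # prefix -> origin ASN
    "10.0.0.0/22": 64500,
    "10.0.2.0/24": 64501,  # more-specific of the BR /22, different origin
    "10.1.0.0/24": 64502,
    "10.2.0.0/23": 64503,
}
# Constructed block-list feed: a few BR hosts (one repeated), half of the
# MX /24, one AR host and one address outside the allocations.
LISTED = (["10.0.0.5", "10.0.0.6", "10.0.1.7", "10.0.2.9", "10.0.2.9"]
          + [f"10.1.0.{i}" for i in range(128)]
          + ["10.2.0.1", "192.0.2.1"])


def longest_match(ip, table):
    """Most specific prefix in `table` (a dict keyed by IPv4Network) that
    contains `ip`, or None. Walks prefix lengths from the longest present
    downwards, so the cost is bounded by the number of distinct lengths."""
    for plen in sorted({n.prefixlen for n in table}, reverse=True):
        candidate = ip_network((int(ip), plen), strict=False)
        if candidate in table:
            return candidate
    return None


def exposure(listed_ips, allocations, bgp_table):
    """Return {"country": {...}, "asn": {...}, "prefix": {...}}; each inner
    entry is {"listed": n, "total": size, "fraction": n / size}."""
    alloc = {ip_network(p): cc for p, cc in allocations.items()}
    bgp = {ip_network(p): asn for p, asn in bgp_table.items()}

    # Denominators. A country's size is the sum of its allocations. An ASN's
    # size skips any prefix that is a more-specific of another prefix with
    # the same origin, so a /22 and a /24 inside it are not counted twice.
    total = {"country": defaultdict(int), "asn": defaultdict(int), "prefix": {}}
    for net, cc in alloc.items():
        total["country"][cc] += net.num_addresses
    for net, asn in bgp.items():
        total["prefix"][str(net)] = net.num_addresses
        covered = any(o != net and a == asn and net.subnet_of(o)
                      for o, a in bgp.items())
        if not covered:
            total["asn"][asn] += net.num_addresses

    # Numerators are sets, so a feed that repeats an address counts it once.
    seen = {"country": defaultdict(set), "asn": defaultdict(set),
            "prefix": defaultdict(set)}
    for raw in listed_ips:
        ip = ip_address(raw)
        allocation = longest_match(ip, alloc)
        if allocation is None:
            continue            # not in the region under study
        seen["country"][alloc[allocation]].add(ip)
        route = longest_match(ip, bgp)
        if route is not None:   # allocated but not currently routed otherwise
            seen["asn"][bgp[route]].add(ip)
            seen["prefix"][str(route)].add(ip)

    result = {}
    for view in ("country", "asn", "prefix"):
        result[view] = {
            key: {"listed": len(seen[view][key]), "total": size,
                  "fraction": len(seen[view][key]) / size}
            for key, size in total[view].items()
        }
    return result


def rank(view, min_fraction=0.0):
    """Keys of one view ordered by listed fraction, highest first, keeping
    only those at or above `min_fraction` (0.5 selects blocks with more
    than half of their space listed, the slides' relative view)."""
    return [k for k, v in sorted(view.items(), key=lambda kv: -kv[1]["fraction"])
            if v["fraction"] >= min_fraction]


if __name__ == "__main__":
    report = exposure(LISTED, ALLOCATIONS, BGP_TABLE)
    for view in ("country", "asn", "prefix"):
        for key in rank(report[view]):
            e = report[view][key]
            print(f"{view:8} {str(key):16} {e['listed']:4}/{e['total']:<5} "
                  f"{e['fraction']:.2%}")
```

On real data the two tables come from an RIR delegated file and a BGP RIB dump; the ASN denominator deduplicates more-specifics because summing every announced prefix inflates an ASN's apparent size, and the relative ranking is what separates a large network with a few infections from a small one that is almost entirely listed.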
Relative SPAM List Distribution by Country
[Chart, Barracuda Reputation Block List: per country (BR through GF), allocated address space in millions (0–50M) against BRBL entries in millions (0–12M). Second panel, Relative BRBL: the same allocations against the percentage of each country's address space on BRBL (0–50%)]
Relative SPAM List Distribution by Country
[Chart, CBL: per country (BR through GF), allocated address space in millions (0–50M) against CBL entries in thousands (0–500K). Second panel, Relative CBL: the same allocations against the percentage of each country's address space on CBL (0–9%)]
SPAM List Discussion
• All networks are not created equal when it comes to entries on a SPAM list
• Interesting things to notice:
  – Almost 45% of the Dominican Republic is on BRBL
  – Almost 35% of Uruguay is on BRBL
  – Almost 25% of Brazil is on BRBL, but that is 11M IPs
  – More than half of the countries have greater than 10% of their IP addresses on BRBL
  – Only 6% of Mexico's IP address space is on BRBL, which is uncharacteristically low
  – CBL stats are lower in absolute numbers, but the relative trends are consistent
• What accounts for these regional variations? Local policy? Connectivity? Network topology?
Malware/Phishing Lists Distribution Analysis
• Consider 3 common malware/phishing lists:
  – SURBL
  – hpHosts
  – phishtank
  – Other popular data sources such as malwaredomains and malwaredomainlist are included in the SURBL-multi dataset
• Determine the portions of those lists relevant to the LACNIC region
• Determine the relative country distribution within the LACNIC region
Malware/Phishing Lists by Country

List        Total IPs   LACNIC IPs
SURBL       360K        3K (<1%)
hpHosts     185K        2K (<2%)
phishtank   4700        124 (<3%)
[Pie charts, LACNIC entries on each list by country; countries not named each round to 0%]
SURBL: AR 38%, PA 28%, BR 20%, CO 9%, CL 2%, NI 2%, AN 1%
hpHosts: BR 83%, AR 8%, PA 3%, CL 2%, AN 2%, MX 1%, CO 1%
phishtank: BR 89%, CL 4%, AR 3%, CO 2%, MX 1%, PE 1%, PA 1%
Malware/Phishing Discussion
• In general, LACNIC region activity on malware/phishing lists is uncharacteristically low
• Argentina has a relatively high percentage of malware/phishing listed domains: ~40% of all LACNIC region domains on the SURBL list
• Panama and Brazil account for another 30% and 20% of the SURBL list respectively; all others are much smaller
• Brazil accounts for >80% of the entries on hpHosts and phishtank
Active Malicious Activity by Country
[Pie charts, LACNIC entries on each list by country; countries not named each round to 0%]
Zeus: PA 100% (the single LACNIC entry)
Dshield: BR 56%, AR 13%, MX 6%, CO 6%, CL 5%, VE 4%, PE 3%, UY 2%, DO 2%, EC 1%, GT 1%, BO 1%
Darknet scanning: BR 64%, AR 17%, CO 4%, CL 4%, VE 4%, UY 3%, MX 2%
ssh brute-force: BR 22%, CL 18%, AR 16%, CO 15%, VE 8%, MX 6%, PE 4%, PA 4%, CR 2%, EC 2%, UY 1%, DO 1%, GT 1%
Active Malicious Activity Discussion
• Brazil is ~65% of the darknet scanning activity from the LACNIC region and Argentina is almost 17%, but Mexico is only 2%
• Chile is 18% of the ssh brute-force list; Colombia (15%) is about the same as Argentina (16%), while Brazil is only 22%

List               Total IPs   LACNIC IPs
ssh brute-force    68K         11.6K (17%)
Dshield            754K        61K (8%)
Darknet Scanning   156K        28K (17%)
Zeus               215         1 (0%)
Address Distribution by ASN
• Roughly 1100 ASNs in use in the LACNIC region
• They account for roughly 31K prefixes in the BGP routing table (total 360K entries)
• A total of 130M IPs
• We focus on the largest 100 ASNs
[Bar chart: total IP addresses in millions (0–14M) for the largest LACNIC ASNs, in decreasing order: 8151, 7738, 28573, 8167, 27699, 4230, 18881, 8048, 26599, 26615, 22047, 11556, 10318, 22927, 10429, 7303, 22085, 6503, 10620, 10481, 6147, 6057, 19429, 11830, 14522, 3816, 13999, 13489, 7418, 1916, 12252, 11664, 6471, 27747, 6458, 11172, 17379, 22833, 5639, 7162, 6306, 26611, 2715, 11888, 16735, 15180, 6332, 19037, 14259]
Top 10 ASNs by Size

ASN     Name                                               IP Addresses
8151    Uninet S.A. de C.V.                                12M (9%)
7738    Telecomunicacoes da Bahia S.A.                     12M (9%)
28573   NET Servicos de Comunicao S.A.                     7M (5.3%)
8167    TELESC - Telecomunicacoes de Santa Catarina SA     6M (4.6%)
27699   TELECOMUNICACOES DE SAO PAULO S/A - TELESP         4.8M (3.7%)
4230    Embratel                                           3.7M (2.8%)
18881   Global Village Telecom                             3.3M (2.5%)
8048    CANTV Servicios, Venezuela                         3.2M (2.4%)
26599   Telesp Celular S.A.                                2.8M (2.1%)
26615   Tim Celular S.A.                                   2.6M (2%)
SPAM List IP Distribution by ASN
[Chart, BRBL: the largest 100 ASNs, total address space in millions (0–14M) against BRBL entries in millions (0–8M); labelled points: 7738 Telecomunicacoes da Bahia S.A., 8151 Uninet S.A. de C.V., 28573 NET Servicos de Comunicao S.A., 4230 Embratel]
[Chart, Relative BRBL: the same ASNs, total address space against the fraction of their space on BRBL (0–1); labelled points: 7738, 27699 (TELECOMUNICACOES DE SAO PAULO), 4230, 26599 (Telesp Celular S.A.), 7418, 6458, 19037, 6400, 28548 (Cablevision, S.A. de C.V.); other names shown: TELEFÓNICA CHILE S.A., Telgua, CTI Compania de Telefonas]
SPAM List IP Address Distribution by ASN Discussion
• Top 10 network AS7738 - Telecomunicacoes da Bahia S.A. accounts for over 7M IPs on BRBL, which is over 60% of its total address space
• AS8151 - Uninet S.A. de C.V. and AS7738 - Telecomunicacoes da Bahia S.A. both have almost the same amount of address space (11M IPs), yet AS8151 has only 1M addresses on BRBL
• AS28548 - Cablevision, S.A. de C.V. is almost entirely on BRBL
• 18 of the largest 100 ASNs have more than 50% of their address space on the BRBL
• AS4230 - Embratel has over 3M IPs but a relatively negligible number of entries on BRBL
ASN IP Blocklisting Distribution
• Top 1000 ASNs with the largest percentage of their networks on SPAM blocklists
• Almost 100 ASNs have at least 20% of their IPs on BRBL
• Almost 40 ASNs have at least 2% of their IPs on CBL
[Chart, BRBL: ASNs ranked 1–1000 by listed fraction; address space in millions (0–14M) against the fraction of the ASN's space on BRBL (0–1)]
[Chart, CBL: ASNs ranked 1–1000 by listed fraction; address space in millions (0–14M) against the fraction of the ASN's space on CBL (0–0.16)]
Malware/Phishing Domains Distribution by ASN
• AS26608 - SkyOnline de Argentina represents 35% of the LACNIC region SURBL entries and 43% of the hpHosts entries
• AS52239 - Desarrollos Digitales is the next highest contributor with 12% and 14%
• AS28299 - CYBERWEB is almost 56% of the LACNIC region phishtank entries, and AS7162 - Itanet is 20% of the phishtank entries
• Consistency across the SURBL and hpHosts entries, but different ASNs with phishtank
[Pie charts, LACNIC entries on each list by ASN; ASNs not named each round to 0%]
SURBL: 26608 35%, 52239 12%, 7162 7%, 28299 5%, 28636 5%, 28639 3%, 16397 2%, 27715 2%, 16814 2%, 28271 2%, 10429 2%, 52236 2%, 20207 2%, 27823 2%, 14259 2%, 27664 1%, 26505 1%, 7738 1%, 18479 1%, 16629 1%, 18881 1%, 28666 1%, 7303 1%, 10318 1%, 25933 1%
hpHosts: 26608 43%, 52239 14%, 7162 8%, 28299 3%, 28636 3%, 28639 2%, 16397 2%, 27715 2%, 16814 2%, 28271 2%, 10429 1%, 52236 1%, 20207 1%, 27823 1%, 14259 1%, 27664 1%, 26505 1%, 7738 1%, 18479 1%, 16629 1%
phishtank: 28299 56%, 7162 20%, 16397 5%, 7738 3%, 18479 2%, 13878 2%, 14259 1%, 16685 1%, 6147 1%, 18881 1%, 10318 1%, 27715 1%, 27823 1%
Active Malicious Activity by ASN
[Pie charts, LACNIC entries on each list by ASN; ASNs not named each round to 0%]
Darknet scanning: 7738 31%, 27699 24%, 28573 9%, 18881 5%, 8167 5%, 22927 2%, 8151 2%, 8048 2%, 6057 1%, 7303 1%, 6147 1%, 26615 1%, 3816 1%, 19429 1%, 27747 1%, 26599 1%, 22047 1%
Dshield: 7738 23%, 27699 15%, 28573 7%, 18881 7%, 8167 7%, 22927 3%, 8151 3%, 8048 2%, 6057 2%, 7303 2%, 6147 2%, 26615 2%, 3816 2%, 19429 1%, 27747 1%, 26599 1%, 22047 1%, 4230 1%, 6400 1%, 10318 1%, 10620 1%, 7418 1%, 22085 1%, 6458 1%, 27925 1%, 11664 1%, 10481 1%, 19182 1%
ssh brute-force: 27747 11%, 6535 10%, 10620 7%, 11664 6%, 8167 5%, 6147 4%, 8048 3%, 28573 3%, 18881 3%, 21826 3%, 18809 3%, 27699 3%, 7738 3%, 3816 2%, 4230 2%, 11888 2%, 22047 2%, 8151 1%, 19429 1%
Legend: AS7738 - Telecomunicacoes da Bahia S.A.; AS27699 - TELECOMUNICACOES DE SAO PAULO; AS27747 - Telecentro S.A.; AS28573 - NET Servicos de Comunicao S.A.; AS6535 - Telmex Servicios
Active Malicious Activity Discussion
• AS7738 - Telecomunicacoes da Bahia represents 31% of all darknet scanning activity from the LACNIC region, and AS27699 represents another 24%
• Consistency between the darknet scanner list and the Dshield data
• AS6535 - Telmex Servicios, Mexico accounts for 10% of the ssh brute-force entries
BGP Prefix SPAM List IP Distribution
• LACNIC region BGP prefixes: 31290 out of a total routing table of ~370K
• No surprise that large prefixes have large numbers of IPs in BRBL
• BUT – still a surprise that 12 prefixes (all /14s) have over 150K IPs in the BRBL
• 189.104.0.0/14 – Telemar Norte has 250K IPs out of an allocation of 254K on BRBL
• 187.88.0.0/14 – Vivo S.A. has 240K IPs out of 254K on BRBL
• All 50 prefixes shown have at least 50K IPs on BRBL, the equivalent of 195 /24 blocks
[Chart, BRBL: the LACNIC prefixes with the most BRBL entries; prefix size in thousands of addresses (0–300K) against BRBL entries in thousands (0–300K). Prefixes in decreasing order of entries: 189.104.0.0/14 (Telemar Norte), 187.88.0.0/14, 187.24.0.0/14, 187.40.0.0/14, 189.80.0.0/14, 187.12.0.0/14, 187.116.0.0/14, 189.92.0.0/14, 187.76.0.0/14, 189.72.0.0/14, 190.132.0.0/14, 187.112.0.0/14, 189.70.0.0/15, 187.4.0.0/14, 187.56.0.0/15, 189.96.0.0/15, 187.52.0.0/14, 190.188.0.0/14, 189.98.0.0/15, 190.16.0.0/14, 189.26.0.0/15, 187.68.0.0/14, 190.178.0.0/15, 189.46.0.0/15, 186.104.0.0/15, 190.172.0.0/15, 189.78.0.0/15, 189.68.0.0/15, 187.124.0.0/14, 201.68.0.0/15, 190.176.0.0/15, 187.58.0.0/15, 189.30.0.0/15, 201.42.0.0/15, 189.18.0.0/15, 189.114.0.0/15, 189.58.0.0/15, 190.244.0.0/14, 201.66.0.0/15, 186.212.0.0/14, 201.92.0.0/15, 189.110.0.0/15, 187.10.0.0/15, 190.174.0.0/15, 187.34.0.0/15, 189.64.0.0/15, 189.116.0.0/15, 187.74.0.0/15, 186.58.0.0/15]
BGP Prefix SPAM List IP Distribution
• Even for CBL, all 50 of the prefixes shown have almost 5K or more IPs listed
• 189.104.0.0/14 – Telemar Norte has almost 23K IPs listed in the CBL
• 187.12.0.0/14 – Comite Gestor da Internet no Brasil has roughly 18K IPs listed in CBL
[Chart, CBL: the LACNIC prefixes with the most CBL entries; prefix size in thousands of addresses (0–300K) against CBL entries in thousands (0–25K). Prefixes in decreasing order of entries: 189.104.0.0/14, 187.12.0.0/14, 187.40.0.0/14, 189.80.0.0/14, 186.6.0.0/16, 187.76.0.0/14, 189.72.0.0/14, 190.167.0.0/16, 189.70.0.0/15, 187.124.0.0/14, 187.52.0.0/14, 190.42.0.0/16, 200.88.0.0/16, 187.41.0.0/16, 201.240.0.0/16, 189.104.0.0/16, 187.112.0.0/14, 187.13.0.0/16, 187.4.0.0/14, 189.30.0.0/15, 190.132.0.0/14, 186.212.0.0/14, 189.106.0.0/16, 201.66.0.0/15, 187.79.0.0/16, 201.50.0.0/16, 186.58.0.0/15, 187.40.0.0/16, 187.14.0.0/16, 187.78.0.0/16, 189.24.0.0/16, 190.178.0.0/15, 190.166.0.0/16, 189.82.0.0/16, 189.26.0.0/15, 187.126.0.0/16, 177.16.0.0/14, 201.58.0.0/16, 187.15.0.0/16, 186.104.0.0/15, 201.8.0.0/16, 189.25.0.0/16, 201.78.0.0/16, 201.79.0.0/16, 201.88.0.0/15, 189.10.0.0/15, 187.127.0.0/16, 201.230.0.0/16, 190.172.0.0/15]
Relative Amounts of IP Addresses in SPAM Lists
• 2000 LACNIC region prefixes have over 90% of their address space included in the BRBL
• Over 5300 prefixes out of all LACNIC region prefixes have more than 50% of their IP address block listed in the BRBL
[Chart, BRBL relative: prefixes whose address space is essentially all on BRBL; prefix size in addresses (0–18000) against the listed fraction (0.9984–1.0). Prefixes shown: 190.26.128.0/20, 190.66.144.0/20, 190.27.32.0/20, 190.13.48.0/21, 190.96.200.0/21, 190.13.40.0/21, 190.96.144.0/21, 190.13.32.0/21, 190.96.136.0/21, 190.68.4.0/22, 190.13.56.0/22, 190.94.58.0/23, 190.94.10.0/23, 190.24.48.0/20, 189.92.128.0/18, 189.93.128.0/18, 190.27.32.0/19, 190.252.224.0/20, 190.69.48.0/20, 190.24.80.0/20, 190.25.48.0/20, 190.24.64.0/20, 190.102.208.0/21, 190.96.152.0/21, 190.68.32.0/21, 189.93.192.0/18, 187.24.0.0/18, 190.28.128.0/18, 190.71.0.0/18, 190.26.32.0/19, 190.66.160.0/20, 190.27.16.0/20, 170.51.128.0/18, 187.24.192.0/18, 187.25.128.0/18, 190.67.224.0/19, 190.66.128.0/18, 190.26.160.0/20, 190.255.160.0/20, 190.254.224.0/20, 190.252.240.0/20, 190.255.240.0/20, 190.68.16.0/20, 190.69.136.0/21, 190.255.160.0/21, 190.252.248.0/21, 190.255.80.0/21, 190.94.64.0/21, 190.96.184.0/21]
Relative Amounts of IP Addresses in SPAM Lists
• 40 prefixes have at least 20% of their IPs listed in CBL
• 200.39.21.0/24 – Pegaso PCS, Mexico has 50% of its space on CBL, but 186.6.0.0/16 – CODETEL has 55% of its block on CBL
[Chart, CBL relative: the LACNIC prefixes with the largest fraction of their space on CBL; prefix size in thousands of addresses (0–70K) against the listed fraction (0–0.6). Prefixes shown: 200.39.21.0/24, 190.94.8.0/23, 186.2.144.0/24, 190.181.37.0/24, 200.108.108.0/24, 190.181.36.0/24, 186.120.120.0/22, 190.186.4.0/22, 190.181.24.0/24, 190.181.22.0/24, 201.222.115.0/24, 201.222.81.0/24, 190.186.25.0/24, 190.181.23.0/24, 190.181.32.0/22, 190.186.27.0/24, 190.124.86.0/23, 190.237.120.0/21, 190.103.64.0/20, 200.49.190.0/24, 200.90.149.0/24, 190.6.142.0/24, 200.85.24.0/22, 201.164.70.0/23, 186.120.64.0/21, 190.181.25.0/24, 190.124.90.0/23, 206.107.149.0/24, 190.186.125.0/24, 200.58.72.0/22, 189.206.22.0/24, 190.186.124.0/24, 190.42.100.0/24, 186.120.160.0/21, 186.6.0.0/16, 190.124.80.0/23, 190.186.20.0/22, 190.186.4.0/23, 200.58.80.0/22, 190.238.192.0/19, 190.9.118.0/24, 190.233.0.0/19, 190.124.88.0/23, 190.186.64.0/24, 190.233.0.0/18, 190.233.32.0/19, 200.49.190.0/23, 201.222.112.0/22, 190.124.92.0/23]
Malware/Phishing IP Address Distribution
• Relative percentages of IPs for the top 50 prefixes for each data type are shown
• 200.105.0.0/18 – SkyOnline, Argentina represents 23% of all SURBL entries from the top 50 prefixes
• 187.31.0.0/16 – Internet Group, Brazil represents 50% of the hpHosts entries
[Pie charts, entries by prefix among the top 50 prefixes]
SURBL: 200.105.0.0/18 23%, 200.69.68.0/22 7%, 201.71.192.0/20 6%, 200.69.92.0/23 4%, 201.77.96.0/20 3%, 189.38.80.0/20 3%, 201.20.32.0/20 2%, 200.69.84.0/23 2%, 200.69.78.0/24 2%, 200.69.94.0/24 2%, 200.98.0.0/16 2%, 200.98.192.0/18 2%, 190.106.165.0/24 2%, 189.38.88.0/21 2%, 190.99.84.0/24 2%, 190.99.85.0/24 2%, 190.99.81.0/24 2%, 200.69.89.0/24 2%, 201.33.22.0/24 2%
hpHosts: 187.31.0.0/16 52%, 187.45.192.0/19 5%, 187.17.64.0/18 3%, 187.17.96.0/19 3%, 200.234.192.0/20 3%, 201.7.176.0/20 3%, 200.98.0.0/16 3%, 200.98.192.0/18 3%, 201.33.17.0/24 2%, 200.124.128.0/20 2%, 189.38.80.0/20 1%, 201.76.32.0/19 1%, 187.45.224.0/19 1%, 200.58.114.0/24 1%, 190.228.24.0/21 1%, 200.147.0.0/16 1%, 200.147.0.0/17 1%, 189.38.88.0/21 1%, 200.58.120.0/24 1%
Active Malicious Activity List IP Distribution
• Relative percentages of IPs in the top 50 prefixes are shown
• No clear outliers in terms of prefixes with exceptional darknet scanning activity or Dshield entries
• 190.209.0.0/16 and 186.36.128.0/17 – TELMEXCHILE represent 25% of the ssh brute-force attempts
[Pie charts, entries by prefix among the top 50 prefixes]
Dshield: 189.104.0.0/14 5%, 187.12.0.0/14 4%, 187.56.0.0/15 3%, 187.40.0.0/14 3%, 187.112.0.0/14 3%, 189.80.0.0/14 3%, 187.76.0.0/14 3%, 189.46.0.0/15 3%, 189.18.0.0/15 3%, 186.212.0.0/14 3%, 187.124.0.0/14 3%, 189.72.0.0/14 3%, 187.10.0.0/15 3%, 187.74.0.0/15 2%, 189.110.0.0/15 2%, 201.42.0.0/15 2%, 187.34.0.0/15 2%, 177.16.0.0/14 2%, 189.68.0.0/15 2%, 190.132.0.0/14 2%, 187.4.0.0/14 2%, 187.52.0.0/14 2%, 201.92.0.0/15 2%, 189.70.0.0/15 2%, 189.78.0.0/15 2%, 190.172.0.0/15 2%, 200.70.0.0/16 2%, 189.46.0.0/16 2%, 187.41.0.0/16 2%, 187.10.0.0/16 2%, 187.56.0.0/16 2%, 189.26.0.0/15 2%, 186.58.0.0/15 2%, 187.13.0.0/16 1%, 189.106.0.0/16 1%, 201.92.0.0/16 1%, 187.126.0.0/16 1%, 187.15.0.0/16 1%, 177.40.0.0/14 1%, 189.18.0.0/16 1%, 189.110.0.0/16 1%, 187.58.0.0/15 1%, 189.19.0.0/16 1%, 187.79.0.0/16 1%, 189.24.0.0/16 1%, 189.104.0.0/16 1%, 187.14.0.0/16 1%, 177.28.0.0/14 1%, 190.174.0.0/15 1%
Darknet scanning: 187.56.0.0/15 4%, 187.12.0.0/14 4%, 187.74.0.0/15 3%, 189.46.0.0/15 3%, 187.34.0.0/15 3%, 187.10.0.0/15 3%, 189.110.0.0/15 3%, 190.132.0.0/14 3%, 189.18.0.0/15 3%, 201.42.0.0/15 3%, 189.68.0.0/15 3%, 189.104.0.0/14 3%, 189.78.0.0/15 3%, 201.92.0.0/15 2%, 187.56.0.0/16 2%, 187.124.0.0/14 2%, 189.110.0.0/16 2%, 187.10.0.0/16 2%, 190.172.0.0/15 2%
ssh brute-force: 190.209.0.0/16 17%, 186.36.128.0/17 6%, 186.18.0.0/16 5%, 186.36.0.0/17 5%, 186.19.0.0/16 5%, 186.22.0.0/15 5%, 190.208.64.0/18 5%, 186.34.0.0/16 4%, 190.218.0.0/16 3%, 190.140.0.0/16 2%, 190.221.64.0/18 2%, 187.4.0.0/14 2%, 190.41.0.0/16 2%, 189.72.0.0/14 2%, 190.219.0.0/16 2%, 190.221.192.0/18 2%, 190.55.128.0/18 2%, 190.221.192.0/19 1%, 187.160.0.0/16 1%
Discussion
• Network reputation is an attempt to construct a metric or set of metrics that illustrate the collective reputation of all hosts in your administrative domain
• While infected hosts and botnets are a fact of life, how much of such activity represents an acceptable level of network pollution: 1%? 10% of all hosts?
• Hosts that engage in malicious activity such as spam, phishing, malware, and scanning in a network reduce the externally visible global network reputation of that network – it does not go unnoticed
• It can be seen that not all networks are equal when it comes to network reputation. What policies, topology, connectivity, or other factors make some networks better than others? How can we learn from them?
• The reputation of hosts on your network has an impact on the usability of your network, as portions of it might get blocked for various services
Using Network Reputation
• Network reputation is not just something other people know about you
• You can use it to craft flexible local policies that better manage your risk profile
• Variable services can be offered to networks with different reputations
• You can control how much of your network, and which services on your network, are visible to networks with varying reputation levels
• Reputation information can even be a factor in the BGP path selection algorithm
Network Reputation
• Our goal is to develop a comprehensive global network reputation system that computes a reputation metric for each prefix in the BGP routing table
• Variations can allow arbitrary network boundaries, not simply BGP boundaries, but that is the starting point
• Data from common sources such as RBLs is the starting point for bootstrapping the reputation system; however, to be successful the system must have data from many vantage points
• Different networks have different views of the reputations of other networks
• The more vantage points you have, the closer to the "true reputation" you will get
• The system must allow all networks to participate and contribute reputation information regarding all other networks while being resistant to collusion and false reporting
• A current project at Merit Network Inc is building such a system, and an effort will soon be made to recruit participant networks on various mailing lists
• If you would like to participate please send email to: [email protected]
• How reputable is your network?