U.S. Department of Energy
Office of Scientific and Technical Information

Abnormally Malicious Autonomous Systems and their Internet Connectivity

Journal Article · IEEE/ACM Transactions on Networking
OSTI ID:1022635
 [1];  [2];  [3]
  1. ORNL
  2. Grand Valley State University (GVSU), Michigan
  3. Indiana University

While many attacks are distributed across botnets, investigators and network operators have recently targeted malicious networks through high-profile autonomous system (AS) de-peerings and network shut-downs. In this paper, we explore whether some ASes indeed are safe havens for malicious activity. We look for ISPs and ASes that exhibit disproportionately high malicious behavior using ten popular blacklists, plus local spam data, and extensive DNS resolutions based on the contents of the blacklists. We find that some ASes have over 80% of their routable IP address space blacklisted. Yet others account for large fractions of blacklisted IP addresses. Several ASes regularly peer with ASes associated with significant malicious activity. We also find that malicious ASes as a whole differ from benign ones in other properties not obviously related to their malicious activities, such as more frequent connectivity changes with their BGP peers. Overall, we conclude that examining malicious activity at AS granularity can unearth networks with lax security or those that harbor cybercrime.

Research Organization:
Oak Ridge National Laboratory (ORNL); Center for Computational Sciences
Sponsoring Organization:
USDOE
DOE Contract Number:
AC05-00OR22725
OSTI ID:
1022635
Journal Information:
Journal Name: IEEE/ACM Transactions on Networking; Journal Volume: 20; Journal Issue: 1
Country of Publication:
United States
Language:
English

Similar Records

Malicious Hubs: Detecting Abnormally Malicious Autonomous Systems
Conference · Thu Dec 31 23:00:00 EST 2009 · OSTI ID:974218

P2P-based botnets: structural analysis, monitoring, and mitigation
Conference · Mon Dec 31 23:00:00 EST 2007 · OSTI ID:956693

Touring DNS Open Houses for Trends and Configurations
Journal Article · Fri Dec 31 23:00:00 EST 2010 · IEEE/ACM Transactions on Networking · OSTI ID:1022647