Tuesday, August 31, 2010
Finding Out How Ethical and Safe Your Internet Service Provider Is
If you use dial-up, DSL, cable, or FiOS, you are dealing with an Internet Service Provider in the form of a phone company or a cable company. How does one find out how safe and ethical their ISP is? There are two tools to help the average person get a sense of how safe they are in trusting their ISP. One tool is FIRE, which is an acronym for "Finding Rogue Networks". But to use FIRE, one needs an AS (Autonomous System) number. Fortunately, caida.org has a tool called AS Rank which will give you your ISP's AS numbers. One can also use Arbor Networks' ATLAS to see the top 20 worst attackers currently on the Internet. (FIRE doesn't see some of those systems and networks, so there is filtering going on.)
So, how does my ISP, verizon.net, stack up? Pretty well, actually, according to FIRE and AS Rank. There are no Exploit or Command and Control Servers on those networks. These are the only two systems that FIRE knows of on VZB and VZ networks:
65.209.177.10 US AS701 exploit server
70.107.249.167 US AS19262 C&C server
However, the ISPs may be preventing FIRE from seeing the whole picture. My honeypot has found these infected systems on my local verizon.net subnetwork:
[29082010 21:44:40] [192.168.1.12:445->71.97.10.85:50973]
[30082010 20:24:05] [192.168.1.12:445->71.96.233.69:1370]
[30082010 20:38:19] [192.168.1.12:445->71.97.151.10:3401]
[31082010 20:06:06] [192.168.1.12:445->71.96.77.124:54794]
[29082010 21:44:38] [192.168.1.12:445->71.97.10.85:50969]
[30082010 18:02:09] [192.168.1.12:135->71.91.137.62:2013]
[30082010 20:24:04] [192.168.1.12:445->71.96.233.69:1368]
[30082010 20:38:19] [192.168.1.12:445->71.97.151.10:2800]
[31082010 16:37:35] [192.168.1.12:80->71.96.77.124:53541]
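To read a log like this at a glance, the entries can be grouped by remote host. The following is an added example, not the author's code; it assumes the left endpoint of each entry is the honeypot's listening service and the right endpoint is the remote peer, and the service names given to ports 80, 135 and 445 are likewise assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Honeypot log lines copied from the post.
LOG = """\
[29082010 21:44:40] [192.168.1.12:445->71.97.10.85:50973]
[30082010 20:24:05] [192.168.1.12:445->71.96.233.69:1370]
[30082010 20:38:19] [192.168.1.12:445->71.97.151.10:3401]
[31082010 20:06:06] [192.168.1.12:445->71.96.77.124:54794]
[29082010 21:44:38] [192.168.1.12:445->71.97.10.85:50969]
[30082010 18:02:09] [192.168.1.12:135->71.91.137.62:2013]
[30082010 20:24:04] [192.168.1.12:445->71.96.233.69:1368]
[30082010 20:38:19] [192.168.1.12:445->71.97.151.10:2800]
[31082010 16:37:35] [192.168.1.12:80->71.96.77.124:53541]
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(rf"\[(\d{{8}} \d\d:\d\d:\d\d)\] \[{IP}:(\d+)->({IP}):\d+\]")
# Assumed service names for the honeypot's listening ports.
SERVICES = {80: "http", 135: "msrpc", 445: "smb"}

def parse(log):
    """Yield (timestamp, honeypot_port, remote_ip) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if m:  # blank or malformed lines are skipped
            ts = datetime.strptime(m.group(1), "%d%m%Y %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def summarize(log=LOG):
    """Group events by remote host: hit count, services probed, first/last seen."""
    hosts = defaultdict(lambda: {"hits": 0, "services": set(), "first": None, "last": None})
    for ts, port, remote in sorted(parse(log)):  # chronological order
        h = hosts[remote]
        h["hits"] += 1
        h["services"].add(SERVICES.get(port, str(port)))
        h["first"] = h["first"] or ts
        h["last"] = ts
    return dict(hosts)

if __name__ == "__main__":
    for ip, h in sorted(summarize().items(), key=lambda kv: kv[1]["first"]):
        print(f"{ip:15} hits={h['hits']} services={','.join(sorted(h['services']))} "
              f"first={h['first']} last={h['last']}")
```

Grouping this way shows five distinct remote hosts behind the nine entries, one of which touched more than one honeypot service on the same day.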
Now then, Verizon could be blocking or filtering their network such that these systems cannot communicate with the outside world (blacklisting), or they could be blocking FIRE from seeing any of these systems that may be servers. With a P2P botnet, any infected system can be both a client and a server. That said, most of the infected systems in the world are likely IRC bots and are clients for the time being, until all botnets evolve into true P2P botnets. So, for the present, FIRE's results are likely a lower, but fairly accurate, limit of the true extent of the problem. Also, one must keep in mind that an ISP like Verizon has little control over subscribers' computers in their homes compared to an ISP whose clients lease a server or virtual server in a datacenter. But FIRE's results can still be useful as a qualitative measure of an ISP's security, ethical, and reputation mindset.
Let's compare hosting companies for instance. Here's
The Planet AS 21844
GoDaddy.com AS 26496
Rackspace AS 33070
Rackspace AS 10532
Rackspace AS 27357
Terremark Worldwide (all)
Clearly, some providers care more than others about who their clients are. Rackspace looks a bit dirty, but they host a larger network than the others. They are relatively clean compared to The Planet or GoDaddy.com.
Labels: ISPs malicious networks FIRE AS asrank