Malcode and DDoS Locations: May 2008

We’ve been very busy here in the offices, especially after a week or so away in Asia. Here are some quick stats for May 2008. It’s interesting to see who is hosting the malware and the attack botnets.

First up, a set of major malcode distribution points for May, 2008, by country, ASN, and even by IP address. No great surprises here.

Malicious URLs by Country Code

Malicious URLs by ASN

Malicious URLs by IP address

Next, who is hosting the DDoS attack botnets (these are the controlling servers, NOT the attacking bots). These charts show the number of attacks commanded per hour, broken down by the controller’s country or ASN.

DDoS Controllers by Country Code

Malicious URLs by ASN

Finally, because we’re tracking DDoS commands, we can see who is receiving the DDoS attacks. Note that we see a lot of intra-country attacks (e.g. US to US).

Malicious URLs by Country Code

UPDATE: I did some additional data analysis of the top malcode locations to screen out a few false positives. Note that the top ASNs and IPs change as a result.
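As an added illustration (not code from the original post or its data pipeline), here is how the per-country, per-ASN and per-IP breakdowns above can be tallied from a URL feed, with the false-positive screening mentioned in the UPDATE done against an allowlist, and the output rendered as a numeric table rather than a chart. All URLs, IPs, ASNs and the allowlist are constructed sample values.

```python
"""Aggregate malicious-URL sightings by country, ASN and hosting IP.

Added example, not from the original post: the constructed records below
stand in for the URL feed the post summarises. Hostnames, IPs and ASNs
are made up (documentation ranges and private-use ASNs).
"""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample feed: (url, hosting IP, ASN, country code).
SIGHTINGS = [
    ("http://dl.example-bad.test/a.exe", "203.0.113.10", 64500, "CN"),
    ("http://dl.example-bad.test/b.exe", "203.0.113.10", 64500, "CN"),
    ("http://cdn.example-bad.test/x.php", "203.0.113.77", 64501, "CN"),
    ("http://host1.example.test/drop.exe", "198.51.100.5", 64502, "US"),
    ("http://host2.example.test/i.html", "198.51.100.9", 64502, "US"),
    ("http://mirror.example.test/tool.zip", "192.0.2.30", 64503, "NL"),
    ("http://mirror.example.test/tool2.zip", "192.0.2.30", 64503, "NL"),
]

# Hypothetical allowlist for screening false positives (constructed; the
# post mentions such screening but does not publish its list).
KNOWN_GOOD_HOSTS = {"mirror.example.test"}


def screen_false_positives(records, allowlist=KNOWN_GOOD_HOSTS):
    """Drop sightings whose URL host is on the allowlist."""
    return [r for r in records if urlsplit(r[0]).hostname not in allowlist]


def tally(records, key):
    """Count sightings by 'country', 'asn' or 'ip'.

    Returns (value, count, percent) rows, highest count first.
    """
    idx = {"ip": 1, "asn": 2, "country": 3}[key]
    counts = Counter(r[idx] for r in records)
    total = sum(counts.values())
    return [(k, n, round(100.0 * n / total, 1)) for k, n in counts.most_common()]


def render_table(rows, label):
    """Plain-text table with counts and shares: the numbers a pie chart hides."""
    lines = [f"{label:<16}{'count':>7}{'%':>7}"]
    lines += [f"{str(k):<16}{n:>7}{pct:>7}" for k, n, pct in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    clean = screen_false_positives(SIGHTINGS)
    for key in ("country", "asn", "ip"):
        print(render_table(tally(clean, key), key), end="\n\n")
```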

5 Responses to “Malcode and DDoS Locations: May 2008”

June 11, 2008 at 1:51 pm, A-naan-e-mouse said:

I’m sure there is interesting data underneath this, but this has to be a shining example of why pie charts should not be used for data communication. [1]

From the first graph we can roughly guess that China and the US are the same…but by how much? Exactly? Slightly more for China? Or slightly less? And how much of the total, 66%? How am I supposed to visually convert the area of a circle into a percentage (or better yet, the raw numbers)? The smaller data points, like NL, UA, IT, etc., are invisible – are they responsible for 3%, 1%, or .0005% of the traffic? There’s no way to tell!

I’m a professional in the computer security field. I can handle numbers. Why not provide tables with the numbers? Use a bar chart if you must, but pie charts just aren’t helpful.

[1] Exception:

June 12, 2008 at 1:07 am, Richard said:

It seems that too much DDoS attacks and malware are from China. It’s so bad.

June 16, 2008 at 2:24 pm, Claudio said:

I was really surprised by the charts about who was hosting the attacks. I’m seeing that Argentina (my country) is the second largest host after China. In the last months we had several discussions in security forums here about the increase in the number of local people trying to perform this kind of attack, and the lack of legislation to punish them. It seems now that we really need to improve our laws to stop them.

June 20, 2008 at 6:28 pm, billy said:

Surely we can stop this by tracking down the bot master if they’re using IRC; however, if their bots are working over HTTP, which I doubt, then it will get tricky.

July 19, 2008 at 1:56 am, b1ckh42 said:

The larger nets are using P2P based communication methods already, so tracking and shutting them down is next to impossible; the only defense IS a defense. Network providers need to develop some kind of DDoS reporting system that can apply ACLs at locations placed strategically along different points of the network. This would allow the massive traffic shift to be safely extinguished before it reaches critical mass.
