From Chasing Risk Lists to ASN Policies: Large-Scale Analysis of Risky Internet Activity
By Bill Ladd on August 22, 2017
Security professionals have the mandate to protect their networks from communication with malicious traffic. There is a clear understanding that some elements of the internet are more malicious than others. For example, we might assume that traffic from certain countries seems more suspicious than others, and that some hosting infrastructures are more likely to be compromised. In this research we explored three different approaches to assessing general areas of IP address risk across the internet. This understanding is a critical first step in setting network controls that can protect an organization’s infrastructure beyond blindly adopting IP blocklists, which are rapidly becoming obsolete.
Specific approaches we used for this research include:
- Ranking autonomous system numbers (ASNs) and associated countries based on the total number of risky IPs contained in the ASN: 22% of the world’s most risky IPs are in Chinese ASNs.
- Determining the most risky ASNs based on the percentage of risky IP addresses they contain: Three ASNs have risk-related content for 100% of their IP addresses.
- Analyzing rankings based only on those IPs explicitly associated with command and control (C2) malware infrastructure: 37% of C2-related IP addresses are in U.S. ASNs.
In our final analysis step, we examined newly emerging risky IP addresses and determined that newly risky IP addresses continue to emerge from clearly compromised ASNs, and can safely be blocked proactively without having to wait for others to add them to any current IP blacklist.
While it is trivial to implement traffic restrictions based on geolocation or autonomous system membership, the challenge is in determining what to block. Network security teams need principled approaches to establish blocking rules that balance understanding of risk and legitimate business needs associated with different IP neighborhoods. Blocking around IP addresses is difficult because an IP could resolve to thousands of legitimate domains.
These data-driven approaches, based on large-scale historical threat data, can alert security teams to ASNs and to geographic regions that typically contain risky IPs and support risk/benefit analysis of certain sources of network traffic.
For purposes of routing internet traffic, IP addresses are organized into autonomous systems, each containing one or more contiguous blocks of IP addresses. When we performed this analysis, there were 57,676 distinct AS numbers (ASNs are identifiers for individual autonomous systems) and 260,307 IP address subnets mapped to these ASNs. For example, AT&T Services owns AS7018 and manages 2,095 subnets including 184.108.40.206 – 220.127.116.11 and 18.104.22.168 – 22.214.171.124.
To investigate the risk of ASNs and associated countries, we used a comprehensive risk list of four million IPs that have current and/or historical risk. This risk list is based on applying over 40 individual risk rules to assess IP addresses at levels between “Unusual” and “Very Malicious.”
These rules range from, “we’ve previously observed this IP address misconfigured as an open proxy” (Unusual), to “This IP address is currently reported to be a command and control (C2) server” (Very Malicious). We aggregate all of the risk information for an individual IP address to generate an overall score. The current risk list, updated in real time as new risk content emerges, scores IP addresses from 5 to 99.
ASNs Ranked by Individual IP Risk Score
We aggregated risky IPs across all 26,581 ASNs that had one or more risk-scored IP address. We then grouped the risky IPs by the country associated with the ASN to show the top 20 countries below. The circles in this plot are colored by the overall percentage of risky IPs relative to all IP addresses associated with ASNs in the country. This value ranges from 0.03% for Japan to 1.58% for Venezuela.
Risk associated with China dominates the map. Perhaps surprisingly, the cluster of southeast Asian countries of Korea, Taiwan, Thailand, Indonesia, Vietnam, and India has twice as many risky IP addresses as Russia and Ukraine. Brazil alone has 20% more risky IP addresses than Russia. Also notable is that, after China, the second-ranking country in IP riskiness is the United States, although those risky IPs are distributed among 360% more total IP addresses than are associated with China.
We took a deeper look at the top ASNs in terms of number of risky IPs below:
| AS Name | Country | AS Number | Number of Risk-Scored IPs | Total IPs in ASN |
|---|---|---|---|---|
| CNCGROUP China169 Backbone | China | AS4837 | 250,878 | 55,091,968 |
| Data Communication Business Group | Taiwan | AS3462 | 99,538 | 12,277,760 |
| CANTV Servicios, Venezuela | Venezuela | AS8048 | 74,573 | 2,917,888 |
| PT Telekomunikasi Indonesia | Indonesia | AS17974 | 45,559 | 3,682,032 |
| National Internet Backbone | India | AS9829 | 42,259 | 6,135,038 |
| TELEFÔNICA BRASIL S.A | Brazil | AS18881 | 40,890 | 4,308,992 |
The ASNs with the most risky IPs are the first and fourth largest ASNs in the world: Chinanet and the China169 Backbone, with more risky IPs than the rest of the top ten combined. These two Chinese ASNs, operated by the state-owned entities China Telecommunications Company and China Unicom, are unique in being both so large and having so many risk-related IPs. In contrast, the next largest ASN on this top ten list is Taiwan’s Data Communication Business Group which is “only” the 34th largest ASN.
Looking around the globe in terms of ASNs with risky IPs, the riskiest European ASNs belong to Turkish Telecom (#11) and French provider OVH (#15). While we are all familiar with Nigerian email scams, African ASNs are relatively underutilized, with top rankings going to Egypt’s TE Data (#32) and Telecom Algeria (#81). The top U.S. ASNs are Amazon (#21) and Digital Ocean (#25).
We took note of the fact that the overall number of risky IPs in the U.S. is quite large, despite not having any individual ASNs of highest-volume riskiness. To understand this, note that in China, where the internet is highly controlled and the largest providers are state owned, there are only 580 ASNs and the bulk of the associated IP addresses are concentrated in the largest ASNs, such as Chinanet. In contrast, there are over 16,000 ASNs in the U.S., and while none manage as many IPs as Chinanet, there are more “large” ASNs in the U.S. than in China, allowing risk to be more distributed across U.S.-based ASNs.
Ranking ASNs by Percentage of Risky IPs
For companies with a significant international presence, assessing risk at the country level of these very large ASNs with large numbers of legitimate IP addresses is likely too crude an approach. Another way to assess ASNs is by the percentage of IP addresses they contain that are risky. Chinanet has by far the most risky individual IP addresses, but it also manages the world’s largest AS with over 100 million IP addresses. The ~400,000 risky IPs are a relatively small percentage (0.4%) of the entire IP address space of the AS.
In contrast, if we consider ASNs where the largest percentage of associated IPs are risky, it is easier to make assessments of the entire ASN based on riskiness. We considered the 1,377 ASNs with more than 200 risky IPs and classified the 203 with a percent riskiness of 2% or higher by their associated 57 countries. Below, we show the countries with three or more “high-risk” ASNs:
We consider ASNs with these levels of riskiness to be potentially compromised at an endemic level. Russia and Brazil are clearly at the top of the list with over 30% of the potentially compromised ASNs. With a list of only 200, it is a manageable process to assess and make individual verdicts about these ASNs. Decreasing the percent risk cutoff to 1% increases the list size from 203 to 409.
We present the top ten ASNs by percent riskiness below:
| AS Name | Country | AS Number | Number of Risk-Scored IPs | Percent Risky |
|---|---|---|---|---|
| ADM Service Ltd. | Russia | AS48721 | 511 | 100% |
| Bralu Jurjanu biedriba | Latvia | AS198620 | 255 | 100% |
| GP4 TELECOM LTDA – ME | Brazil | AS265131 | 876 | 86% |
| PE Tetyana Mysyk | Ukraine | AS25092 | 510 | 50% |
| FOP Tokarchuk Oleksandr Stepanovich | Ukraine | AS48272 | 404 | 39% |
| Companhia Itabirana Telecomunicações Ltda | Brazil | AS28201 | 10,228 | 36% |
| Maildez Serviços de Internet S S Ltda | Brazil | AS264488 | 681 | 30% |
Several ASNs seem completely compromised. These can easily be classified as dangerous and should be immediately blocked in their entirety. This prioritized list provides an opportunity to assess network risk versus business need. For example, while most U.S. companies might be reluctant to universally block German IPs simply based on country affiliation, the addition of a risk percentage metric makes it clear that traffic from AS200998 managed by Emgoldex should be dropped.
Most Risky ASNs Based on Malware Command and Control Association
The analysis thus far has been based on all of Recorded Future’s risk information. We could more conservatively look only at the IP addresses that have been explicitly associated with command and control (C2) malware infrastructure. IP addresses with the highest levels of risk merit specific investigation. We look at the geographic distribution below:
The United States is clearly dominating here. While more “harmless” risky behavior like scanning and botnets may be focused in more “sketchy” locations, the effort involved in mounting a malware campaign clearly suggests a bias toward investing in more “legitimate” locations like the United States, Hong Kong, Japan, Canada, and the UK. Threat actors investing in C2 infrastructure are motivated to ensure the malicious traffic looks as innocent as possible to network operators. Placing C2 servers in friendly-looking locations decreases the likelihood of detection. Pure location-based rules aren’t sufficient in these cases, but clear assessments of C2-associated ASNs are possible. There are only 52 ASNs associated with 50 or more C2 addresses and 122 ASNs associated with 20 or more C2 addresses. This is a manageable number to process and assess the legitimate business needs for traffic from these ASNs.
Below, we present the top ten ASNs based on the number of C2 associations:
| AS Name | Country | AS Number | Number of Risk-Scored IPs |
|---|---|---|---|
| eSited Solutions | United States | AS22552 | 1,221 |
| Psychz Networks | United States | AS40676 | 1,193 |
| Enzu Inc | United States | AS18978 | 692 |
| DXTL Tseung Kwan O Service | Hong Kong | AS134548 | 632 |
| Nobis Technology Group, LLC | United States | AS15003 | 407 |
| Lost Oasis SARL | France | AS29075 | 264 |
Simple web searching shows that some of these ASNs have been malicious for years and are still the source of malicious infrastructure. While we see a minimal Chinese presence here, we do note that the worst offender above, eSited Solutions, peers directly with China Telecom.
We also extracted IP addresses hard coded into malware samples (no domains) and performed downstream analysis of associated ASNs. A recent Recorded Future query yielded 24,219 unique IP addresses mapped to a variety of malware families. The below table shows the top five malware families as ordered by the associated number of IP addresses:
We present the geographic distribution of these IP addresses below:
We see the largest number of malware-related IP addresses in the United States, as we did with C2 IP addresses, but China is now a close second. Because these are IP addresses embedded in malware files, threat actors not only have competing pressures to select innocent geolocations, but also to choose infrastructure they are confident will be maintained. So, while the U.S. still leads, we see a large increase in China and the Republic of Korea, presumably because servers set up there by threat actors are more reliable.
Unsurprisingly, the top ASNs by number of IPs in this analysis are Chinanet and CNCgroup, as we saw in the overall top listing. However, we see some new interesting ASNs when sorting malware-related IPs by percent riskiness:
| AS Name | Country | AS Number | Number of Risk-Scored IPs | Percent Risky |
|---|---|---|---|---|
| Green Team Internet LTD | Israel | AS204078 | 40 | 5.21% |
| BEST IDC by Best Internet Service Solution | Thailand | AS59374 | 201 | 3.74% |
| 408 Fl4 CATTOWER | Thailand | AS56309 | 198 | 3.52% |
| Skype Communications Sarl | Luxembourg | AS198015 | 17 | 3.32% |
| Skype Communications Sarl | Luxembourg | AS198097 | 18 | 2.34% |
Impact on Network Security
For network professionals seeking to protect their networks, one simple approach to implement is to restrict traffic based on ASNs. The technical rules are trivial to put in place, but the devil is in the details of choosing which of the world’s nearly 60,000 ASNs to block. Data-driven tables like those presented in earlier sections provide prioritized lists to investigate and evaluate the risks and benefits for different ASNs and geographic regions.
For example, the total number of risky IPs alone is likely not a sufficient factor on which to base blocking rules. Consider the source of the largest number of risky IP addresses — Chinanet. There are tens of millions of legitimate websites and internet users hosted by that ASN, but also a large number of risky IPs. Organizations must assess the tradeoffs between the business interests in foreign locales and the likelihood of IPs at those locations being malicious. Depending on the nature of the business needs, perhaps an organization decides that the ~75,000 risky IP addresses in Venezuelan AS8048 outweigh the business value.
Percent riskiness of an ASN gives a more immediately actionable list to evaluate. Due to the smaller size of these ASNs, the negative impact of blocking them is minimal. As an investigator moves to lower risk levels, factoring in the country of origin can also help in making assessments.
ASNs that are home to large numbers of C2 servers should attract specific review. For example, one could review whether a network has any legitimate traffic to eSited Solutions, Enzu, or Psychz ASNs and then block them, unless there is significant evidence of business solutions. These ASNs implicated in numerous risk-related activities for years will likely continue to be dangerous.
Testing Percent Risk Based ASN Blocking
ASN-based blocking makes sense if new IP addresses are emerging from these ASNs. If this is the case, putting these blocks in place can protect networks from. To test this, we took our IP risk list as it existed on June 15, 2017 and determined the percent riskiness of all ASNs, considering basic rules to block ASNs with various degrees of risk. We then looked at IPs presenting new risk-related content for the first time in the 30 days after June 15. The results for varying levels of riskiness are below:
For example, implementing a rule blocking the ten riskiest ASNs (percent risk of 25% or higher) pre-emptively blocks 1,722 IP addresses that were not identified as risky at the time of the blocking, but emerged as risky in the following 30 days. Similarly, blocking the riskiest 50 ASNs (percent risk of 6% or higher) blocks 11,977 IP addresses about to emerge with risk content. More aggressively, blocking the 200 worst ASNs (percent risk of 2% or more) blocks 124,390 IPs that will become risky.
These are large proportions of an AS to be risky, and they point to endemic security issues, typically in smaller ASes. In fact, 95% of the worst 200 ASNs contain 150,000 IP addresses or fewer, so implementing these blocks will have minimal impact on legitimate business use.
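The percent-riskiness ranking from the earlier section and the 30-day pre-emptive blocking test described above, as an added example that is not code from the original post. The prefix-to-ASN table, the risk-list snapshot, the score cutoff of 5 (the bottom of the 5–99 scale) and the "new risky" IPs are all constructed sample data, and the ASNs are reserved example numbers, not the ASNs named in the article.

```python
# Added example: rank ASNs by percent riskiness and measure how many IPs that
# became risky later would already have been covered by a threshold-based ASN block.
import ipaddress
from collections import defaultdict

# Constructed prefix -> ASN mapping (documentation prefixes and example ASNs).
PREFIX_TO_ASN = {
    "192.0.2.0/24": "AS64496",     # small hosting AS
    "198.51.100.0/24": "AS64497",  # small hosting AS with two prefixes
    "203.0.113.0/24": "AS64497",
    "100.64.0.0/16": "AS64498",    # large consumer AS
}
NETWORKS = [(ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()]

def asn_for_ip(ip):
    """Longest-prefix match of an IP against the constructed routing table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None

def asn_totals():
    """Total address count per ASN, summed over all of its prefixes."""
    totals = defaultdict(int)
    for net, asn in NETWORKS:
        totals[asn] += net.num_addresses
    return totals

def percent_risky(risk_list, min_score=5):
    """risk_list: {ip: score}. Returns {asn: (risky_count, total_ips, percent_risky)}."""
    risky = defaultdict(int)
    for ip, score in risk_list.items():
        if score >= min_score and (asn := asn_for_ip(ip)):
            risky[asn] += 1
    return {asn: (risky[asn], total, 100.0 * risky[asn] / total)
            for asn, total in asn_totals().items()}

def blocked_asns(risk_list, cutoff_percent):
    """ASNs whose percent riskiness meets the cutoff (e.g. 25, 6 or 2 as in the article)."""
    return {asn for asn, (_, _, pct) in percent_risky(risk_list).items() if pct >= cutoff_percent}

def preemptively_blocked(risk_list, new_risky_ips, cutoff_percent):
    """Count IPs that only became risky later but sit inside an ASN already blocked."""
    blocked = blocked_asns(risk_list, cutoff_percent)
    return sum(1 for ip in new_risky_ips if asn_for_ip(ip) in blocked)

# Constructed snapshot (the "day zero" risk list) and IPs first seen as risky afterwards.
SNAPSHOT = {f"192.0.2.{i}": 65 for i in range(1, 129)}           # 128/256 = 50% of AS64496
SNAPSHOT.update({f"198.51.100.{i}": 25 for i in range(1, 11)})   # 10/512 ~ 1.95% of AS64497
SNAPSHOT.update({f"100.64.{i}.1": 90 for i in range(10)})         # 10/65536 ~ 0.015% of AS64498
NEW_RISKY = ["192.0.2.200", "192.0.2.201", "203.0.113.9", "100.64.5.5"]
```

With the sample data a 25% cutoff blocks only AS64496 and pre-empts two of the four later-risky IPs; lowering the cutoff to 1% adds AS64497 and pre-empts three, while the large consumer AS stays unblocked.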
New malicious IP addresses will continuously emerge as different weak spots on the web are exploited. Risk lists based on identifying malicious behavior and reporting it are critical, but will not protect networks from soon-to-be risky infrastructure. The reality is that much of that new infrastructure will arise from network locations associated with previously identified risk. Blocks based on selected ASNs can protect you from IP addresses before they show up on risk lists. Without data-driven approaches, it is extremely difficult to know which of the over 55,000 ASNs to preemptively block. Structured approaches based on historical risk levels can generate manageable lists of ASNs to assess and block.
Network security teams need structured approaches to establish blocking rules. Simple adoption of external threat feeds leaves organizations at the whims of the black boxes used to generate the lists. In contrast, large-scale historical threat data can alert researchers to geographic regions and ASNs that are likely to contain risky IPs, and that should be evaluated in the context of potential business value. ASNs with risk that outweighs their value can simply be blocked, and our experiment with our own risk content shows that new IP addresses will continue to emerge from clearly identified risky ASNs.