IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 20, NO. 1, FEBRUARY 2012
Abnormally Malicious Autonomous Systems
and Their Internet Connectivity
Craig A. Shue, Andrew J. Kalafut, and Minaxi Gupta
Abstract—While many attacks are distributed across botnets, investigators and network operators have recently identified malicious networks through high profile autonomous system (AS) depeerings and network shutdowns. In this paper, we explore whether some ASs indeed are safe havens for malicious activity. We look for ISPs and ASs that exhibit disproportionately high malicious behavior using 10 popular blacklists, plus local spam data, and extensive DNS resolutions based on the contents of the blacklists. We find that some ASs have over 80% of their routable IP address space blacklisted. Yet others account for large fractions of blacklisted IP addresses. Several ASs regularly peer with ASs associated with significant malicious activity. We also find that malicious ASs as a whole differ from benign ones in other properties not obviously related to their malicious activities, such as more frequent connectivity changes with their BGP peers. Overall, we conclude that examining malicious activity at AS granularity can unearth networks with lax security or those that harbor cybercrime.
Index Terms—Autonomous systems (ASs), security.
THE INTERNET is plagued by malicious activity, from spam and phishing to malware and denial-of-service (DoS) attacks. Much of it thrives on armies of compromised hosts, or botnets, which are scattered throughout the Internet. However, malicious activity is not necessarily evenly distributed across the Internet: Some networks may employ lax security, resulting in large populations of compromised machines, while others may tightly secure their network and not have any malicious activity. Furthermore, some networks may exist solely to engage in malicious activity. Several recent ISP enforcement actions, such as the Atrivo and McColo autonomous system (AS) depeerings, and the FTC closure of Pricewert networks, highlight that there are networks that exist simply to launch attacks. In this paper, we examine whether we can find malicious networks in a systematic manner using existing blacklists.

Manuscript received June 11, 2010; revised January 31, 2011; accepted May 16, 2011; approved by IEEE/ACM TRANSACTIONS ON NETWORKING Editor Z. M. Mao. Date of publication June 02, 2011; date of current version February 15, 2012. This work was supported by a contractor of United States Government under Contract DE-AC05-000OR22725 with the United States Department of Energy and by the National Science Foundation (NSF) under Grant CNS-0831988.
C. A. Shue is with the Cyberspace Sciences and Information Intelligence Research Group, Oak Ridge National Laboratory, Oak Ridge, TN 37830 USA (e-mail: firstname.lastname@example.org).
A. J. Kalafut is with the School of Computing and Information Systems, Grand Valley State University, Allendale, MI 49401 USA (e-mail: email@example.com).
M. Gupta is with the School of Informatics and Computing, Indiana University, Bloomington, IN 47401 USA (e-mail: firstname.lastname@example.org).
Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TNET.2011.2157699
A systematic detection of disproportionately malicious networks can be used to build metrics that may be used to determine if a network is harboring a significant amount of malicious activity. Such metrics may offer several practical benefits. First, ISPs could use them to build identification of malicious networks into their peering agreements. As an example, provider ISPs may use the metrics to require their customers to limit the amount of malicious activity in their networks to avoid harboring criminals. ISPs could also use the metrics to determine the effectiveness of their efforts to combat abuse and compare themselves to...
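The two per-AS measures the abstract refers to, the fraction of an AS's routable address space that is blacklisted and the AS's share of all blacklisted addresses, can be computed from a routing-table snapshot and a merged blacklist. The following is an added worked example, not code from the paper or its authors: it constructs a small routing snapshot (documentation prefixes with private-use ASNs) and a constructed blacklist, maps each blacklisted address to its origin AS by longest-prefix match, attributes overlapping address space to the most-specific announcement, and ranks ASs by either metric. The route list, ASNs and blacklist contents are all assumptions made for illustration.

```python
"""Per-AS blacklist concentration metrics (added example, not the paper's code)."""
import ipaddress
from collections import defaultdict

# Constructed routing snapshot: (prefix, origin ASN). A real run would use a BGP
# table dump; these are documentation prefixes and private-use ASNs, not real networks.
ROUTES = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("198.51.100.128/25", 64502),   # more-specific announced by a different AS
    ("203.0.113.0/24", 64503),
    ("203.0.113.240/28", 64504),    # tiny AS inside 64503's /24
]

# Constructed blacklist, standing in for the union of several blacklist feeds.
BLACKLIST = set()
BLACKLIST.update(f"192.0.2.{i}" for i in range(10, 50))        # 40 hosts in AS 64500
BLACKLIST.update({"198.51.100.5", "198.51.100.130", "198.51.100.131", "203.0.113.77"})
BLACKLIST.update(f"203.0.113.{i}" for i in range(241, 254))    # 13 of the 16 addresses in AS 64504
BLACKLIST.add("10.0.0.1")                                       # unrouted here: unattributable


def build_table(routes):
    """Parse prefixes once and sort most-specific first, so a linear scan is a longest-prefix match."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in routes]
    table.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return table


def origin_as(ip, table):
    """Origin AS of the longest matching prefix, or None if no route covers the address."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return asn
    return None


def routable_space(table):
    """Addresses each AS originates, with overlapping space credited to the most-specific route."""
    space = defaultdict(int)
    nets = [net for net, _ in table]
    for net, asn in table:
        children = [c for c in nets if c != net and c.subnet_of(net)]
        # Subtract only immediate children, so nested more-specifics are not removed twice.
        immediate = [c for c in children if not any(o != c and c.subnet_of(o) for o in children)]
        space[asn] += net.num_addresses - sum(c.num_addresses for c in immediate)
    return space


def as_metrics(routes, blacklist):
    """Return ({asn: metrics}, count of blacklisted addresses that map to no route)."""
    table = build_table(routes)
    space = routable_space(table)
    listed = defaultdict(int)
    unattributed = 0
    for ip in blacklist:
        asn = origin_as(ip, table)
        if asn is None:
            unattributed += 1
        else:
            listed[asn] += 1
    total = sum(listed.values())
    metrics = {}
    for asn, size in space.items():
        n = listed.get(asn, 0)
        metrics[asn] = {
            "routable": size,
            "blacklisted": n,
            "fraction_of_space": n / size if size else 0.0,   # how much of the AS is bad
            "share_of_blacklist": n / total if total else 0.0,  # how much of the badness is this AS
        }
    return metrics, unattributed


def rank(metrics, key):
    """ASNs ordered by one metric, highest first."""
    return sorted(metrics, key=lambda a: metrics[a][key], reverse=True)


if __name__ == "__main__":
    metrics, skipped = as_metrics(ROUTES, BLACKLIST)
    print(f"{'ASN':>6} {'routable':>9} {'listed':>7} {'frac':>7} {'share':>7}")
    for asn in rank(metrics, "fraction_of_space"):
        m = metrics[asn]
        print(f"{asn:>6} {m['routable']:>9} {m['blacklisted']:>7} "
              f"{m['fraction_of_space']:>7.3f} {m['share_of_blacklist']:>7.3f}")
    print(f"{skipped} blacklisted address(es) matched no route")
```

On this constructed input the two rankings disagree, which is the point the abstract makes: AS 64504 has over 80% of its tiny address space blacklisted but accounts for under a quarter of all listed addresses, while AS 64500 holds the largest share of the blacklist at a modest fraction of its own space. Both views are needed, since a threshold on either one alone would miss the other kind of network.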