Recent Posts


« | Main | »

Some stats – IP space used by Web Miscreants

By Dale Reagan | May 25, 2010

You should expect that your data will be somewhat different – after reviewing some log data here is what I am seeing for the past 12 months or so – note caveats:

Top Web/Network Abusers by Country & Day of Week

Day of Week Country Count
Mon US 223
Mon CA 55
Mon CN 37
Mon RU 34
Mon KR 33
Tue US 190
Tue CN 42
Tue CA 35
Tue KR 26
Tue DE 24
Wed US 183
Wed CN 91
Wed CA 51
Wed DE 36
Wed KR 33
Thu US 184
Thu CA 46
Thu CN 43
Thu GB 25
Thu DE 24
Fri US 190
Fri CA 41
Fri CN 37
Fri DE 34
Fri UA 32
Sat US 182
Sat CA 47
Sat CN 35
Sat RU 32
Sat KR 32
Sun US 202
Sun CN 46
Sun CA 45
Sun DE 27
Sun NL 24

The Top 20 –  Country Web abuse (by day of week – USA leads the pack followed by Canada and China…)

Day of Week Country Count
1 Mon US 223
2 Sun US 202
3 Tue US 190
4 Fri US 190
5 Thu US 184
6 Wed US 183
7 Sat US 182
8 Wed CN 91
9 Mon CA 55
10 Wed CA 51
11 Sat CA 47
12 Thu CA 46
13 Sun CN 46
14 Sun CA 45
15 Thu CN 43
16 Tue CN 42
17 Fri CA 41
18 Mon CN 37
19 Fri CN 37
20 Wed DE 36

The data from Team Cymru is similar to the data above (most miscreant activity seems to originate in the US) – I will guess that a review of web activity for many web servers would be similar (during the past 12 months…)

So, which cities (world wide) lead the pack and where in the US are these miscreants connecting from?  Based on my limited data-set the Country/city line-up is:

Country-State City
1 USA-WA Seattle
2 KR Seoul
3 CN Beijing
4 USA-TX Houston
5 NL Amsterdam
6 CA Montreal
7 RU Moscow
8 USA-WA Bellevue
9 USA-CA San_Jose

Using the first two octets of the miscreant IP connections (i.e. A.B.x.x) for these cities I find nine (9) IP sub-nets (out of ~180 IP addresses which seem to be in the Seattle area) are the source – Amazon Web Services (AWS) IP space was part of this pack for Seattle (I am hoping that there are fewer AWS problems now than when the service first came online…) There seems to be a concentration amongst major ISPs in the other US cities listed (not surprising.)  If it were possible then my guess would be that a detailed review would show that much of the miscreant activity from US IP space is actually controlled by bot-nets which (I will guess again) are probably actually being run from foreign countries.  Another thought (based on  the IP ‘hub space’) is that larger ISPs probably have a significant number of compromised servers/Virtual Machines…   I was a bit surprised to find so much SPAM/hack activity that seems to originate in Canada.

12 Months – Miscreant IP behaviour categories

SPAM ~1700
Hacking ~1600

Since implementing both GEO-IP restraints (in early 2010) along with CAPTCHA and IP address blocking web ‘post SPAM’ has dropped to near zero (SPAM posting attempts continue – most of the web SPAM in this data was delivered from non-US IP space.)   I expect the ‘hack count’ to grow – along with the list of blocked IP addresses…

And yes, I am blocking ~4000 IP addresses – actually a bit more since I block entire sub-nets in some cases.

Topics: Computer Technology, System and Network Security, Unix-Linux-Os, Web Problem Solving, Web Technologies | Comments Off on Some stats – IP space used by Web Miscreants

Comments are closed.

YOUR GeoIP Data | Ip:
Continent: NA | Country Code: US | Country Name: United States
Region: | State/Region Name: | City:
(US only) Area Code: 0 | Postal code/Zip:
Latitude: 38.000000 | Longitude: -97.000000
Note - if using a mobile device your physical location may NOT be accurate...

Georgia-USA.Com - Web Hosting for Business