Did anyone recently notice that the Spamhaus XBL just got really big?
Yes, the XBL grew by over 50%!
Over the past three weeks, some of our users have noticed that the XBL (CBL) database has grown substantially in size. There are two major reasons for this.
1) Increase from the Internet of Things (IoT)
There has been a substantial increase in the amount of IoT scanning, which means that the operators of malicious IoT botnets are trying to grow their populations of hacked devices. We noticed an oddity: Argentina seems to have had more than its fair share of the increase. This may have something to do with compromises being found in devices common among Argentinian ISP customers. For example, a new IoT variant similar to Mirai, called Satori, has appeared and seems to be attacking Huawei Home Gateway routers in particular.
The total number of IoT entries in the XBL has increased from just under 1 million to over 2.5 million.
As of today, Egypt is in the lead with approximately 1.2 million Mirai infections detected. This suggests that one or more ISPs there are distributing access modems/routers that are particularly vulnerable to this wave of Mirai attacks.
2) Increase from the Andromeda botnet takedown
The Andromeda takedown on November 29, 2017 resulted in the entire Andromeda (a/k/a Gamarue) Command and Control (C&C) network being taken over. We receive a feed of this data, which has caused the number of entries to skyrocket from a few tens of thousands to now over 6 million.
The XBL data
Most Spamhaus XBL users query our zones via DNS and will not have noticed the size change, as the data is presented one entry at a time. Those who have larger traffic or wish to do their own analysis of this real-time feed can subscribe to an rsync feed of the XBL.
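As an added example (not Spamhaus's own code), the following Python builds the reversed-octet DNSBL query name for the per-entry DNS lookups described above and interprets the 127.0.0.x answer. It assumes the zone name xbl.spamhaus.org and the return codes Spamhaus documents for its ZEN/XBL/SBL/PBL zones; the resolver is injectable so the check can be exercised offline against constructed answers.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Answer codes Spamhaus documents for its ZEN/XBL/SBL/PBL zones.
XBL_CODES = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}
SBL_CODES = {"127.0.0.2", "127.0.0.3"}
PBL_CODES = {"127.0.0.10", "127.0.0.11"}
# 127.255.255.x answers signal a query problem (e.g. lookup sent via an
# open public resolver, or query volume exceeded), never a listing.
ERROR_PREFIX = "127.255.255."


def dnsbl_query_name(ip: str, zone: str = "xbl.spamhaus.org") -> str:
    """Reverse the octets: 192.0.2.10 -> 10.2.0.192.xbl.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed or IPv6 input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(answers: Iterable[str]) -> set:
    """Map the A records returned for a DNSBL name to list categories.

    Empty answer -> empty set (not listed). Any 127.255.255.x record means
    the lookup itself failed, so the result must not be treated as clean.
    """
    categories = set()
    for a in answers:
        if a.startswith(ERROR_PREFIX):
            return {"error"}
        if a in XBL_CODES:
            categories.add("xbl")
        elif a in SBL_CODES:
            categories.add("sbl")
        elif a in PBL_CODES:
            categories.add("pbl")
        else:
            categories.add("unknown")  # unexpected code: log it, do not reject
    return categories


def _system_resolver(name: str) -> list:
    """Resolve via the OS resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def lookup(ip: str, zone: str = "xbl.spamhaus.org",
           resolver: Callable[[str], list] = _system_resolver) -> set:
    """Full check: build the name, resolve it, interpret the answer."""
    return classify(resolver(dnsbl_query_name(ip, zone)))
```

Treat an "error" result as a failed lookup rather than a clean address, since it usually means the query went through a public resolver or over the query-volume limit.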
As one can see, growth of the XBL zone, which is normally seen as a bad thing since it usually tracks an increase in compromised systems, can at times also point to something good: in this case, the dismantling of a large, notorious botnet.