Networks hosting botnet C&Cs: Same players, same problems
With every Botnet Threat Update we publish, the same networks consistently appear in the Top 20 for hosting botnet command and control (C&C) servers. But why does this keep happening? In this Botnet Spotlight, we look into the root causes behind this persistent issue and what networks must do to break the cycle.
Over the years, we have observed the same networks consistently dominating the Top 20 for hosting botnet command and control servers (C&Cs). In the most recent Botnet Threat Update, China-based providers Tencent and Alibaba traded places for the top two spots, with Alibaba ranking number one for the first time. Following close behind are some big industry players: Digital Ocean, Amazon, Hetzner, OVH and Microsoft. Peppered among these familiar names are lesser-known providers: huawei.com, uninet.net.mx, neterra.net, contabo.de, colocrossing.com.
So, why do the same networks keep appearing?
In most cases, the issue is not neglect or a lack of care from Trust and Safety teams. Many of these teams are responsive to reported issues, despite being under-resourced and operating under significant strain. The real problem lies at management level within the organizations that own these networks.
A commitment from the top is needed
The responsibility for mitigating persistent malicious activity on networks ultimately lies with the leaders and decision makers.
Too often, leadership fails to act against malicious activity on a network. Why? Usually because of a few common perceptions: that implementing certain controls will hurt the user experience, that it will be too costly, or, worst of all, that if abuse isn't directly affecting the bottom line, why bother? The unfortunate truth is that changes are typically only made after an incident disrupts the entire network or legal requirements force action. This reactive approach isn't enough.
Effective network security demands a proactive, top-down commitment from the leadership team and decision makers. Trust and Safety teams must be empowered with the support and resources they need to take informed preventative steps toward making the internet safer for users.
Breaking the cycle
For networks to address these recurring issues, preventative measures are where the low-hanging fruit lies:
Robust customer verification: Providers that repeatedly find botnet C&Cs hosted on their networks need to strengthen their sign-up and vetting procedures. Over 12 years ago we shared best practices for providers to control fraudulent sign-ups, the majority of which we still recommend today:
- Verify the personal information the user supplies, e.g. confirm the email address and phone number
- Verify payments, and do not accept cryptocurrency or WebMoney
- Maintain a blocklist of abusive customers
- Have a strong Acceptable Use Policy or Terms of Service
- Check the customer's IP address against various blocklists
Networks can - and should - exercise greater control over operators who fraudulently sign up for a new service. This responsibility also extends to ensuring that resellers follow sound customer verification practices. Resellers that allow fraudulent sign-ups or lack proper safeguards should not be welcome on your network.
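The checklist above, turned into a sign-up vetting routine. This is an added example and not code from Spamhaus or from any provider named in this post. It checks contact verification, refuses the listed payment methods, consults a local blocklist of previously abusive customers, and looks the sign-up IP address up in DNS-based blocklists (DNSBLs) by reversing the address octets and querying under the zone name. The DNS lookup is injected as a callable so the logic runs offline against a constructed answer table; zen.spamhaus.org is the real Spamhaus combined zone, the second zone name is a placeholder, and the decision thresholds (reject versus hold for review) are assumptions.

```python
"""Sign-up vetting: verification, payment, local blocklist and DNSBL checks.

Added example, not Spamhaus code. The resolver is injected so the logic
can run offline; the sample DNS table and customer records are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# A resolver maps a DNSBL query name to the A-record text, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# zen.spamhaus.org is the real Spamhaus combined zone; the second is a placeholder.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.example-dnsbl.invalid")
REJECTED_PAYMENT_METHODS = {"cryptocurrency", "webmoney"}

# A DNSBL answers with an address in 127.0.0.0/8 when the IP is listed.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus signals query problems (open resolver, over quota, bad query)
# with 127.255.255.x answers; those are errors, not listings.
ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed IPv4 octets (or reversed IPv6 nibbles) followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(addr.exploded.split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def dnsbl_hits(ip: str, resolve: Resolver, zones=DNSBL_ZONES) -> list[str]:
    """Return 'zone=code' for every zone that lists the IP; error codes are skipped."""
    hits = []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        code = ipaddress.ip_address(answer)
        if code in ERROR_RANGE or code not in LISTED_RANGE:
            continue
        hits.append(f"{zone}={answer}")
    return hits


@dataclass
class SignUp:
    email: str
    phone: str
    email_verified: bool
    phone_verified: bool
    payment_method: str
    ip: str


def vet_signup(s: SignUp, resolve: Resolver, abusive_customers: set[str]) -> tuple[str, list[str]]:
    """Return (decision, reasons). Hard failures reject; soft ones hold for manual review (assumed policy)."""
    hard, soft = [], []
    if s.payment_method.lower() in REJECTED_PAYMENT_METHODS:
        hard.append(f"payment method not accepted: {s.payment_method}")
    if s.email.lower() in abusive_customers or s.ip in abusive_customers:
        hard.append("matches local blocklist of abusive customers")
    if not (s.email_verified and s.phone_verified):
        soft.append("email or phone number not verified")
    hits = dnsbl_hits(s.ip, resolve)
    if hits:
        soft.append("sign-up IP listed: " + ", ".join(hits))
    if hard:
        return "reject", hard + soft
    if soft:
        return "review", soft
    return "accept", []


# Constructed offline stand-in for real DNS answers (not real listings).
DEMO_DNS = {
    "7.113.0.203.zen.spamhaus.org": "127.0.0.4",        # listed
    "9.113.0.203.zen.spamhaus.org": "127.255.255.254",  # error code, not a listing
}
demo_resolver: Resolver = DEMO_DNS.get
ABUSIVE_CUSTOMERS = {"spammer@example.net"}

if __name__ == "__main__":
    s = SignUp("new@example.org", "+15555550100", True, True, "card", "203.0.113.7")
    print(vet_signup(s, demo_resolver, ABUSIVE_CUSTOMERS))
```

In production, `resolve` would wrap a real DNS lookup through a resolver the blocklist operator permits; a listing is a signal for the review queue rather than an automatic rejection, because shared or recently reassigned addresses also get listed.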
Monitor activity: In some cases, identifying fraudulent customers at sign-up is almost impossible. However, by actively monitoring network traffic for patterns that do not occur with legitimate use, you may be able to detect abuse after sign-up, and before you receive reports from third parties such as Spamhaus.
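One pattern that does not occur with legitimate use is a freshly provisioned host being contacted by many distinct outside addresses at nearly fixed intervals: bots checking in with their C&C. The following added example (my illustration, not Spamhaus tooling) runs that heuristic over constructed flow records: for each destination host and port it counts distinct sources and measures how regular each source's contact interval is (coefficient of variation of the gaps), and flags hosts where most sources beacon regularly. The thresholds, the sample addresses and the traffic generator are all assumptions.

```python
"""Flag C&C-like inbound beaconing in flow records. Added example, not Spamhaus code.

Sample traffic is constructed in-process; thresholds are assumptions to tune
against your own baseline.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, median, pstdev
from typing import Optional


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since an arbitrary epoch
    src: str     # external source address
    dst: str     # host on our network
    dport: int


def interval_cv(timestamps: list[float]) -> Optional[float]:
    """Coefficient of variation of the gaps between consecutive contacts; low means regular."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def find_c2_candidates(flows, min_sources=20, max_cv=0.2, min_regular_fraction=0.8):
    """Return hosts contacted by many sources whose contact intervals are mostly regular."""
    per_dst = defaultdict(lambda: defaultdict(list))
    for f in flows:
        per_dst[(f.dst, f.dport)][f.src].append(f.ts)
    candidates = []
    for (dst, port), sources in per_dst.items():
        if len(sources) < min_sources:
            continue
        cvs = [cv for cv in (interval_cv(t) for t in sources.values()) if cv is not None]
        if not cvs:
            continue
        regular_fraction = sum(1 for cv in cvs if cv <= max_cv) / len(cvs)
        if regular_fraction >= min_regular_fraction:
            candidates.append({
                "dst": dst, "port": port, "sources": len(sources),
                "regular_fraction": round(regular_fraction, 2),
                "median_cv": round(median(cvs), 3),
            })
    return sorted(candidates, key=lambda c: -c["sources"])


def constructed_sample_flows(seed: int = 1) -> list[Flow]:
    """Constructed sample, not real traffic: 40 bots checking in to 198.51.100.10:8443
    every ~300 s with small jitter, and 40 visitors to a web server at 198.51.100.20:443
    with irregular gaps between visits."""
    rng = random.Random(seed)
    flows = []
    for i in range(40):
        bot, t = f"192.0.2.{i + 1}", rng.uniform(0, 300)
        for _ in range(10):
            flows.append(Flow(t, bot, "198.51.100.10", 8443))
            t += 300 + rng.uniform(-10, 10)   # fixed beacon interval plus jitter
        visitor, t = f"203.0.113.{i + 1}", rng.uniform(0, 3000)
        for _ in range(10):
            flows.append(Flow(t, visitor, "198.51.100.20", 443))
            t += rng.uniform(5, 3000)          # human browsing: irregular gaps
    return flows


if __name__ == "__main__":
    for c in find_c2_candidates(constructed_sample_flows()):
        print(c)
```

Treat a hit as a lead for the abuse desk, not a verdict: monitoring agents, health checks and NTP-style clients also contact a host on a schedule, so the analyst should confirm what is listening on the flagged port before acting.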
Keeping cybercriminals out of your network requires proactive effort, but dealing with the consequences when you ignore abuse is even more demanding. Once bad actors start to flood your network, stopping the abuse requires considerably more resources (both human and financial).
Failing to invest in the measures suggested risks overwhelming your teams, destroying customer confidence and compromising safety. The organizations of the size and reputation mentioned in this report should already have these practices in place.
Collaborate with the community
We are here to work with all organizations that endeavour to achieve this. For those operators that need support, we encourage you to reach out and work together with Spamhaus and the broader internet community to help address abuse on your network.