LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

SpamHaus Botnet Report Highlights Some LowEnd Providers

BotnetSpamhaus’s 2021 Q2 Botnet Threat Update has been released and it’s interesting reading.

Overall, there has been a reduction in observed command and control (C&C) systems.  However, at regional and provider level, there is more variation.  Looking at the leading botnet C&C hosts, it’s not surprising that the world’s most connected countries (the US, Netherlands and other European nations, etc.) host the most.

.com continues to lead as the top TLD for C&C domains, but other “new domains” are catching up, perhaps because they’re largely disposable and less tightly regulated.  For example, .buzz is the third-leading TLD for botnet C&Cs, .cloud is #10, and .online is #16.

Among providers, DigitalOcean has emerged as the leading botnet C&C hoster.  The report notes that there was a rapid exodus from Amazon, perhaps due to better policing and improved reaction time.  That “market” needs to go somewhere, and apparently it moved to DigitalOcean (and to a lesser extent, Microsoft Azure).

Sharp-eyed readers will note some LowEnd hosts on the list (page 12).  This is actually a sort of backhanded compliment – while even digital criminals appreciate cheap VPS systems, a C&C node must have high uptime and a solid network given that the botnet is useless without.  So one might say that some demand customers are putting their “mission critical” systems on these providers.

It’s important to note that none of these hosts (large or small) is intentionally hosting botnet C&Cs.  Until identified on the client side, the C&C servers look like apps that are receiving and sending information from many different clients around the world – just like a popular web site or service.

Look for the next Spamhaus update in October.


No Comments

    Leave a Reply

    Some notes on commenting on LowEndBox:

    • Do not use LowEndBox for support issues. Go to your hosting provider and issue a ticket there. Coming here saying "my VPS is down, what do I do?!" will only have your comments removed.
    • Akismet is used for spam detection. Some comments may be held temporarily for manual approval.
    • Use <pre>...</pre> to quote the output from your terminal/console, or consider using a pastebin service.

    Your email address will not be published. Required fields are marked *