Spamhaus recently released their updated Q2 Botnet Threat Report. There is a lot of good data within the report detailing the heavy increase in Command and Control/Botnet threats as others have observed during 2020. We’ve spent some time detailing threats related to managing TLDs and so pertaining to this we will focus on a couple of points.
Key TLD Threat Observations*
.top has surged heavily in domains chosen for botnet operations now containing the second most number of known threats just behind all time most abused TLD, .com. Another TLD with a significant increase in known threats is .gq.
.de (Germany) is the only new country code top level domain to break into the top 20 most abused TLDs.
It’ worth noting that a few TLDs have made great progress in cleaning up their neighborhoods and these include .tw, .in, .top, .me, and .site all of which have dropped out of the top 20 in Spamhaus’s rankings.
The United States still hosts the largest amount of botnet C&Cs, demonstrating that geolocation alone is not enough to filter by, but Russia is working hard to challenge the US for that top spot. Also, there are a number of bad networks that show little interest in responding to reports. The worst being network providers many have not heard of. That being said, three well known cloud providers make it into the top 20 networks hosting C&C domains. It is of course worth noting that they host a significant number of sites each respectively.
You can read the full report from Spamhaus here.
*Spamhaus, it’s logo, and all content related to their research is Copyright The Spamhaus Project SLU.