Most Reliable Hosting Company Sites in June 2014

| Rank | Company (Performance Graph) | OS | Outage hh:mm:ss | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | Datapipe | FreeBSD | 0:00:00 | 0.008 | 0.121 | 0.018 | 0.037 | 0.055 |
| 2 | Netcetera | Windows Server 2012 | 0:00:00 | 0.008 | 0.064 | 0.071 | 0.156 | 0.293 |
| 3 | Pair Networks | FreeBSD | 0:00:00 | 0.008 | 0.223 | 0.081 | 0.165 | 0.560 |
| 4 | Hosting 4 Less | Linux | 0:00:00 | 0.008 | 0.196 | 0.125 | 0.247 | 0.435 |
| 5 | Hyve Managed Hosting | Linux | 0:00:00 | 0.012 | 0.241 | 0.063 | 0.125 | 0.128 |
| 6 | Kattare Internet Services | Linux | 0:00:00 | 0.012 | 0.194 | 0.126 | 0.253 | 0.530 |
| 7 | Logicworks | Linux | 0:00:00 | 0.019 | 0.146 | 0.075 | 0.154 | 0.314 |
| 8 | krystal.co.uk | Linux | 0:00:00 | 0.019 | 0.140 | 0.091 | 0.178 | 0.178 |
| 9 | Swishmail | FreeBSD | 0:00:00 | 0.023 | 0.135 | 0.073 | 0.146 | 0.194 |
| 10 | Aspserveur | Linux | 0:00:00 | 0.031 | 0.309 | 0.087 | 0.439 | 0.791 |


Datapipe had the most reliable hosting company site in June, with only two isolated failed requests. This is Datapipe's third victory so far this year, and the company also achieved second place in May. Datapipe has accrued an outstanding 100% uptime record over the past eight years, and consistently exhibits very fast connection times, regularly being one of the fastest sites we monitor. The only other hosting company to have reached first place this year is Qube, which did so three times, equalling Datapipe.

Netcetera came second in June, also with only two failed requests, giving it the most reliable Windows-based hosting company site. Netcetera has been in the hosting business since 1996 and offers a 99.9% uptime guarantee, although in practice its site actually reached 99.99% uptime over the past year and 99.96% over nine years.

Pair Networks had the third most reliable hosting company site in June. Like Datapipe, their website is served using FreeBSD. As well as hosting websites, Pair Networks recently hosted a Girl Develop It workshop in Pittsburgh, which is where their own custom-built data centres reside.

Netcetera had the only Windows-based hosting company site to appear in the top ten in June, while three sites used FreeBSD and the remaining six used Linux. Downtime is only recorded when all of Netcraft's performance monitors simultaneously record an outage, which is why it is still possible to achieve 100% uptime even if a site fails to respond to an individual performance monitor.

Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as this gives a pointer to reliability of routing, and this is why we choose to rank our table by fewest failed requests, rather than shortest periods of outage. If the number of failed requests is equal, sites are ranked by average connection times.

Information on the measurement process and current measurements is available.

Most Reliable Hosting Company Sites in May 2014

| Rank | Company (Performance Graph) | OS | Outage hh:mm:ss | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | Qube Managed Services | Linux | 0:00:00 | 0.004 | 0.113 | 0.039 | 0.080 | 0.080 |
| 2 | Datapipe | FreeBSD | 0:00:00 | 0.011 | 0.113 | 0.018 | 0.037 | 0.055 |
| 3 | EveryCity | SmartOS | 0:00:00 | 0.015 | 0.100 | 0.066 | 0.133 | 0.133 |
| 4 | Dinahosting | Linux | 0:00:00 | 0.015 | 0.259 | 0.091 | 0.182 | 0.182 |
| 5 | Aspserveur | Linux | 0:00:00 | 0.019 | 0.289 | 0.085 | 0.413 | 0.750 |
| 6 | Hosting 4 Less | Linux | 0:00:00 | 0.019 | 0.198 | 0.129 | 0.254 | 0.447 |
| 7 | ServerStack | Linux | 0:00:00 | 0.022 | 0.085 | 0.076 | 0.151 | 0.151 |
| 8 | Hyve Managed Hosting | Linux | 0:00:00 | 0.026 | 0.264 | 0.077 | 0.145 | 0.169 |
| 9 | Pair Networks | FreeBSD | 0:00:00 | 0.026 | 0.231 | 0.082 | 0.167 | 0.571 |
| 10 | Logicworks | Linux | 0:00:00 | 0.030 | 0.162 | 0.072 | 0.148 | 0.304 |


Qube had the most reliable hosting company site in May, with only one failed request. London-based Qube has performed remarkably well so far this year, fitting in with its vision to be the most reliable and trusted managed hosting company in the industry. As well as coming first three times so far this year, Qube also narrowly missed out on another first place in January.

With only three failed requests, Datapipe had the second most reliable hosting company site in May. Datapipe has also performed well this year, achieving first place results in both January and March; so far this year, only Qube and Datapipe have achieved first place. Over the past eight years, Datapipe has racked up an impressive 100% uptime record, and 99.994% since Netcraft started monitoring its website in June 2003 (downtime is only recorded when all of Netcraft's performance monitors simultaneously record an outage).

In third place, with four failed requests, was EveryCity, which has only been monitored by Netcraft since April. EveryCity started more than six years ago and its offices have been based near London's Tower Bridge ever since. Its primary datacenter is powered by 100% renewable energy and it offers various products and services, including public and private cloud hosting, dedicated servers, domain names, SSL certificate management, disaster recovery and content delivery.

The Linux operating system was used by seven of May's top ten hosting company websites, while two used FreeBSD. www.everycity.co.uk runs on SmartOS, which combines the ZFS file system, DTrace dynamic tracing, kernel-based virtual machines and Solaris Zones operating system-level virtualisation into a single operating system based on a community fork of OpenSolaris.


Most Reliable Hosting Company Sites in April 2014

| Rank | Company (Performance Graph) | OS | Outage hh:mm:ss | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | Qube Managed Services | Linux | 0:00:00 | 0.004 | 0.105 | 0.036 | 0.074 | 0.074 |
| 2 | Host Europe | Linux | 0:00:00 | 0.012 | 0.110 | 0.072 | 0.149 | 0.150 |
| 3 | XILO Communications Ltd. | Linux | 0:00:00 | 0.015 | 0.202 | 0.066 | 0.131 | 0.226 |
| 4 | Netcetera | Windows Server 2012 | 0:00:00 | 0.015 | 0.065 | 0.071 | 0.157 | 0.295 |
| 5 | New York Internet | FreeBSD | 0:00:00 | 0.015 | 0.145 | 0.071 | 0.148 | 0.555 |
| 6 | ServerStack | Linux | 0:00:00 | 0.015 | 0.079 | 0.074 | 0.146 | 0.146 |
| 7 | Datapipe | FreeBSD | 0:00:00 | 0.019 | 0.102 | 0.018 | 0.037 | 0.054 |
| 8 | Swishmail | FreeBSD | 0:00:00 | 0.019 | 0.127 | 0.070 | 0.141 | 0.186 |
| 9 | Logicworks | Linux | 0:00:00 | 0.019 | 0.149 | 0.071 | 0.148 | 0.299 |
| 10 | Webzilla | FreeBSD | 0:00:00 | 0.023 | 0.127 | 0.071 | 0.140 | 0.355 |


Qube had the most reliable hosting company site in April, with only one failed request. The London-based managed hosting provider uses data centres in the UK, USA and Switzerland, all of which are ISO 27001 certified. This information security management system standard uses a three-stage external audit process to ensure the company has suitable security policies and risk treatment plans.

Qube (which stands for "Qualified By Experience") has performed rather well so far this year — it also had the most reliable hosting company site in February (with no failed requests), narrowly missed out on first place in January, and made 4th place in March. Qube provides a Virtual Data Centre cloud computing service powered by VMware vCloud, managed dedicated servers, and managed colocation in its Tier 3 central London data centre.

Host Europe had the second most reliable hosting company site in April, with three isolated failed requests from Netcraft's globally distributed performance collectors. The company has attained 100% uptime over the past six months, and 99.98% uptime over 12 months. The Host Europe Group also owns the largest domain name provider in the UK, 123-reg, which recently teamed up with Knowhow to offer domain and website building packages from Currys and PC World stores.

XILO Communications came third in April, with four failed requests. Its uptime over the past 12 months is an impressive 99.993%. Netcetera, New York Internet, and ServerStack also had only four failed requests, but with longer average connection times than XILO.

Half of April's top ten hosting company websites were served from Linux machines, including all of the top three. Four of the other sites used FreeBSD, and one used Windows Server 2012.


Phishers find Microsoft Azure 30-day trial irresistible!

Fraudsters have taken to Microsoft Azure to deploy phishing sites, taking advantage of Microsoft's free 30-day trial.

Free hosting!

In order to get a phishing site hosted at Azure, the fraudster has several options: steal the credentials for a Microsoft account, compromise a virtual machine running at Azure, or use Microsoft’s free trial which provides $200 of credit. Given the number of subdomains registered explicitly for phishing, it is unlikely that many fraudsters are exploiting legitimate customers’ virtual machines.

Free subdomains!

Microsoft Azure offers free subdomains to users: azurewebsites.net for its Azure Web Sites service and cloudapp.net for Cloud Apps and virtual machines. Almost twice as many phishing sites used azurewebsites.net rather than cloudapp.net, perhaps reflecting the ease-of-use of Azure Web Sites. The remainder of the phishing sites are accessed using their IP addresses or custom domains.

An Apple phishing site on itune-billing2update-ssl-apple.azurewebsites.net (Site Report).

Many of the subdomains are clearly registered with the intention of phishing; the table below includes some of the most egregious examples targeting well-known institutions.

| Subdomain | Target |
|---|---|
| itune-billing2update-ssl-apple.azurewebsites.net | Apple |
| paypalscurity.azurewebsites.net | PayPal |
| www22online-americanexpress.azurewebsites.net | American Express |
| 3seb-verifiedbyvisa.azurewebsites.net | Visa |
| login-comcastforceauthn.azurewebsites.net | Comcast |
| cielo-2014.cloudapp.net | Cielo |
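
A defender can screen newly seen hostnames on these shared suffixes for brand terms. The following is an added example, not Netcraft's code: the watch list, the one-edit fuzzy match and the function names are assumptions, and the last two sample hostnames are constructed.

```python
import re

# Shared suffixes named in the article; the label in front is chosen by the tenant.
SHARED_SUFFIXES = ("azurewebsites.net", "cloudapp.net")

# Assumption: a small watch list of brand terms, chosen to cover the table above.
WATCH_LIST = {
    "Apple": ["apple", "itunes"],
    "PayPal": ["paypal"],
    "American Express": ["americanexpress", "amex"],
    "Visa": ["visa"],
    "Comcast": ["comcast"],
    "Cielo": ["cielo"],
}

def tenant_label(hostname):
    """Return the tenant-chosen part of a hostname on a shared suffix, else None."""
    host = hostname.lower().rstrip(".")
    for suffix in SHARED_SUFFIXES:
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1]
    return None

def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1                       # substitution consumes both characters
        j += 1                           # insertion consumes only the longer one
    return edits + (len(b) - j) <= 1

def brands_in(hostname):
    """Return the sorted watch-list brands that a shared-suffix hostname imitates."""
    label = tenant_label(hostname)
    if label is None:
        return []
    tokens = [t for t in re.split(r"[^a-z]+", label) if t]
    hits = set()
    for brand, terms in WATCH_LIST.items():
        for term in terms:
            # Substring match catches run-together names ("paypalscurity");
            # fuzzy token match is limited to longer terms to keep noise down.
            fuzzy = len(term) >= 5 and any(within_one_edit(t, term) for t in tokens)
            if term in label or fuzzy:
                hits.add(brand)
                break
    return sorted(hits)

SAMPLES = [
    "itune-billing2update-ssl-apple.azurewebsites.net",
    "paypalscurity.azurewebsites.net",
    "www22online-americanexpress.azurewebsites.net",
    "3seb-verifiedbyvisa.azurewebsites.net",
    "login-comcastforceauthn.azurewebsites.net",
    "cielo-2014.cloudapp.net",
    "secure-paypa1.azurewebsites.net",   # constructed: digit swapped for a letter
    "team-wiki.azurewebsites.net",       # constructed: benign-looking name
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, brands_in(name))
```

Short terms such as "visa" will also match inside unrelated words, so hits from a screen like this need review before any takedown request is filed.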

Free SSL certificate!

Microsoft Azure Web Sites also offers fraudsters the ability to use an SSL certificate. All subdomains of azurewebsites.net are automatically accessible via HTTPS using a *.azurewebsites.net SSL certificate. The Apple phishing site featured below includes mixed content, indicating it was probably not designed with SSL in mind despite its subdomain: itune-billing2update-ssl-apple. Phishing sites that make proper use of the wildcard SSL certificate may be able to instil more trust than those that do not.

An SSL certificate on itune-billing2update-ssl-apple.azurewebsites.net (Site Report).

SSL certificate is irrevocable!

The Baseline Requirements, which form part of Mozilla's CA policy, suggest that the SSL certificate must be revoked within 24 hours: "The CA SHALL revoke a Certificate within 24 hours if one or more of the following occurs: [..] [t]he CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name". However, Microsoft itself issued the SSL certificate from its sub-CA of Verizon Business and has chosen not to revoke it. Moreover, the SSL certificate does not include an OCSP responder URL and is not served with a stapled response (which is also in violation of the Baseline Requirements) and consequently the SSL certificate is irrevocable in some major browsers, particularly Firefox.

Free email addresses!

Fraudsters are also using Microsoft-provided free email addresses (at live.com, hotmail.com, and outlook.com) to receive and store stolen phishing credentials. Fraudsters commonly use phishing kits to quickly deploy phishing sites — before deployment, the fraudster configures the phishing kit with his email address. If a victim is tricked by the phishing site into providing his credentials, they are sent back to the fraudster's email address.

Free anonymising proxy!

One fraudster used Azure to proxy his internet traffic when accessing the phishing site, but was exposed when he used the same email address in the phishing kit as he used on his Facebook profile. The fraudster left the log file that records visits to the phishing site accessible to the public. The first two entries in the log, which preceded all other accesses by several hours, were from Microsoft Azure IP addresses. It is likely these correspond to the fraudster checking his phishing site was ready to be sent out to would-be victims.

1  137.117.104.222  -  2014-3-27 @ 02:56:03
2  137.117.104.222  -  2014-3-27 @ 02:57:16
3  109.XXXXXXXXX  -  2014-3-27 @ 11:22:26
4  212.XXXXXXXXX  -  2014-3-27 @ 11:39:47
5  62.XXXXXXXXXXX  -  2014-3-27 @ 11:39:57
6  72.XXXXXXXX  -  2014-3-27 @ 11:40:02
7  64.XXXXXXXXXX  -  2014-3-27 @ 11:40:04
8  37.XXXXXXXXXX  -  2014-3-27 @ 11:40:20
9  194.XXXXXXXXXX  -  2014-3-27 @ 11:47:18
10 194.XXXXXXXXXX  -  2014-3-27 @ 11:47:20
11 89.XXXXXXXXX  -  2014-3-27 @ 11:49:50
12 65.XXXXXXXXXX  -  2014-3-27 @ 11:49:54
13 92.XXXXXXXXX  -  2014-3-27 @ 11:49:56
14 37.XXXXXXXXXX  -  2014-3-27 @ 11:51:20
15 94.XXXXXXXXXX  -  2014-3-27 @ 11:51:24
16 62.XXXXXXXXXXX  -  2014-3-27 @ 11:51:26
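
The reasoning above can be applied mechanically to a recovered visit log. This is an added example, not Netcraft's code: it parses the log as printed (redacted addresses included), splits it at the first long quiet gap and checks the early visitors against a hosting range. The two-hour threshold, the function names and the /24 range are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Visit log exactly as printed above; most addresses were redacted in the article.
VISIT_LOG = """\
1  137.117.104.222  -  2014-3-27 @ 02:56:03
2  137.117.104.222  -  2014-3-27 @ 02:57:16
3  109.XXXXXXXXX  -  2014-3-27 @ 11:22:26
4  212.XXXXXXXXX  -  2014-3-27 @ 11:39:47
5  62.XXXXXXXXXXX  -  2014-3-27 @ 11:39:57
6  72.XXXXXXXX  -  2014-3-27 @ 11:40:02
7  64.XXXXXXXXXX  -  2014-3-27 @ 11:40:04
8  37.XXXXXXXXXX  -  2014-3-27 @ 11:40:20
9  194.XXXXXXXXXX  -  2014-3-27 @ 11:47:18
10 194.XXXXXXXXXX  -  2014-3-27 @ 11:47:20
11 89.XXXXXXXXX  -  2014-3-27 @ 11:49:50
12 65.XXXXXXXXXX  -  2014-3-27 @ 11:49:54
13 92.XXXXXXXXX  -  2014-3-27 @ 11:49:56
14 37.XXXXXXXXXX  -  2014-3-27 @ 11:51:20
15 94.XXXXXXXXXX  -  2014-3-27 @ 11:51:24
16 62.XXXXXXXXXXX  -  2014-3-27 @ 11:51:26
"""

# Assumption: stand-in for a hosting provider's published address ranges.
# This /24 is constructed around the address in the log; it is not an official list.
HOSTING_RANGES = [ipaddress.ip_network("137.117.104.0/24")]

LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+-\s+(\d{4}-\d{1,2}-\d{1,2})\s*@\s*(\d{2}:\d{2}:\d{2})\s*$"
)

def parse_visits(text):
    """Return [(seq, address, timestamp)] sorted by time; skip unparseable lines."""
    visits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            seq, addr, day, clock = m.groups()
            # The month is written without zero padding; strptime accepts that.
            ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
            visits.append((int(seq), addr, ts))
    return sorted(visits, key=lambda v: v[2])

def split_at_first_quiet_gap(visits, min_gap=timedelta(hours=2)):
    """Split visits into (early, later, gap) at the first pause of min_gap or more."""
    for i in range(1, len(visits)):
        gap = visits[i][2] - visits[i - 1][2]
        if gap >= min_gap:
            return visits[:i], visits[i:], gap
    return [], visits, None

def in_hosting_range(addr, ranges=HOSTING_RANGES):
    """True/False for a complete address, None if it is redacted or malformed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in ranges)

def summarise(text):
    """Summarise who visited before the main burst of traffic and from where."""
    early, later, gap = split_at_first_quiet_gap(parse_visits(text))
    return {
        "early_addresses": sorted({addr for _, addr, _ in early}),
        "early_from_hosting": [in_hosting_range(addr) for _, addr, _ in early],
        "gap": gap,
        "later_count": len(later),
    }

if __name__ == "__main__":
    print(summarise(VISIT_LOG))
```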

The sting

However, Microsoft may yet have a trick up its sleeve: customers must provide a phone number and credit card details in order to register for the trial. Whilst the credit card details could have been stolen in a previous phishing attack, physical access to a phone is required in order to register an account. This may prove to be the fraudsters' downfall — in serious cases, information gathered from the fraudster's mobile phone could be used as evidence subject to the phone company's cooperation and local police involvement.

Netcraft's Domain Registration Risk service can be used to pre-empt fraud by highlighting domains or subdomains that are deceptively similar to legitimate websites run by banks and other institutions that are commonly targeted by fraudsters.

Most Reliable Hosting Company Sites in March 2014

| Rank | Company (Performance Graph) | OS | Outage hh:mm:ss | Failed Req% | DNS | Connect | First byte | Total |
|---|---|---|---|---|---|---|---|---|
| 1 | Datapipe | FreeBSD | 0:00:00 | 0.011 | 0.081 | 0.018 | 0.037 | 0.055 |
| 2 | www.choopa.com | Linux | 0:00:00 | 0.011 | 0.163 | 0.074 | 0.157 | 0.204 |
| 3 | ReliableServers.com | Linux | 0:00:00 | 0.015 | 0.177 | 0.075 | 0.154 | 0.199 |
| 4 | Qube Managed Services | Linux | 0:00:00 | 0.019 | 0.095 | 0.036 | 0.076 | 0.076 |
| 5 | Hyve Managed Hosting | Linux | 0:00:00 | 0.019 | 0.230 | 0.064 | 0.127 | 0.131 |
| 6 | Anexia | Linux | 0:00:00 | 0.019 | 0.232 | 0.089 | 0.411 | 0.685 |
| 7 | Bigstep | Linux | 0:00:00 | 0.022 | 0.244 | 0.065 | 0.177 | 0.209 |
| 8 | Webzilla | unknown | 0:00:00 | 0.026 | 0.124 | 0.070 | 0.138 | 0.393 |
| 9 | Netcetera | Windows Server 2012 | 0:00:00 | 0.030 | 0.059 | 0.072 | 0.158 | 0.291 |
| 10 | ServerStack | Linux | 0:00:00 | 0.030 | 0.081 | 0.075 | 0.148 | 0.148 |


Managed services provider Datapipe had the most reliable hosting company site in March, closely followed by Choopa in second place. Both of the top two hosting company sites experienced three failed requests, and therefore the tie for first place was broken by analysing average connection times. Datapipe had the lowest average connection time within the top ten of 18ms and therefore ranked in first place.

Datapipe has a 100% uptime record which now stretches back over eight years; its last outage occurred back in March 2006. Over this time Datapipe's infrastructure has proved it can withstand the brutal forces of nature, surviving several hurricanes, typhoons and a snow storm. Along with 100% uptime, Datapipe has a low proportion of failed requests which has led to them ranking in first place many times over the years.

Second-place Choopa is based in a data centre in Piscataway, New Jersey and additionally has infrastructure in Los Angeles, Amsterdam, and Tokyo. Choopa describes its infrastructure's architecture as redundant with no single point of failure, and has backed this up with a 100% Uptime SLA plus a 0% Packet Loss Guarantee within its network. Choopa offers IPv6 throughout its entire network using a dual stack approach — avoiding the need to tunnel over IPv4. Recently Choopa has launched its own SSD VPS service via a new brand Vultr.

In third place, with four failed requests, is ReliableServers, which lists reliability as its number 1 policy. ReliableServers is based in New Jersey and purchases server racks and network bandwidth from Choopa in Piscataway, which hooks its servers directly into Choopa's network. ReliableServers offers dedicated hosting with a 100% uptime guarantee.

Elsewhere in the table Webzilla made its first appearance in the top ten, which may be a result of its recent infrastructure upgrades. Webzilla launched in 2005 and offers a range of hosting services including dedicated, cloud, colocation and CDN.

Linux powers almost all the hosting company sites in the top 10. The exceptions are FreeBSD running Datapipe's site in first place and Windows Server 2012 running Netcetera's site in ninth place.


WordPress hosting: Do not try this at home!

Compromised WordPress blogs were used to host nearly 12,000 phishing sites in February. This represents more than 7% of all phishing attacks blocked during that month, and 11% of the unique IP addresses that were involved in phishing.

WordPress blogs were also responsible for distributing a significant amount of web-hosted malware — more than 8% of the malware URLs blocked by Netcraft in February were on WordPress blogs, or 19% of all unique IP addresses hosting malware.

WordPress is the most common blogging platform and content management system in the world: Netcraft's latest survey found nearly 27 million websites running WordPress, spread across 1.4 million different IP addresses and 12 million distinct domain names. Many of these blogs are vulnerable to brute-force password guessing attacks by virtue of the predictable location of the administrative interface and the still widespread use of the default "admin" username.

But remarkably, not a single phishing site was hosted on Automattic's own WordPress.com service in February. WordPress.com hosts millions of blogs powered by the open source WordPress software. Customers can purchase custom domain names to use for their blogs, or choose to register free blogs with hostnames like username.wordpress.com.

Automattic's founder, Matt Mullenweg, was one of the original authors of WordPress when it was released in 2003. Automattic later handed the WordPress trademark to the WordPress Foundation in 2010, but still contributes to the development of WordPress. Such familiarity with the product likely explains why blogs hosted at Automattic are significantly more secure than average.

Bloggers can also go it alone — anybody can download the WordPress software from wordpress.org and deploy it on their own website, and some hosting companies also offer "one-click" installations to simplify the process. Bloggers who install WordPress on their own websites will often also be responsible for keeping the software secure and up-to-date. Unfortunately, in many cases, they do not.

Even well-known security experts can fall victim to security flaws in WordPress if it is not their core activity. For example, in 2007, the Computer Security Group at the University of Cambridge found their own Light Blue Touchpaper blog had been compromised through several WordPress vulnerabilities.

Versions of WordPress after 3.7 are now able to automatically update themselves, provided the WordPress files are writable by the web server process. This has its own security trade-off, however, as an attacker exploiting a new and unreported vulnerability (a zero-day) that has the ability to write files will have free rein over the whole WordPress installation — an attacker could even modify the behaviour of WordPress itself to disable any future automatic security updates.

Insecure plugins

Over its lifetime, WordPress has been plagued by security issues both in its core code and in the numerous third-party plugins and themes that are available. One of the most widespread vulnerabilities this decade was discovered in the TimThumb plugin, which was bundled with many WordPress themes and consequently present on a large number of WordPress blogs. A subtle validation flaw made it possible for remote attackers to make the plugin download remote files and store them on the website. This allowed attackers to install PHP scripts on vulnerable blogs, ultimately facilitating the installation of malware and phishing kits. Similar vulnerabilities are still being exploited today.

Many of the phishing sites blocked in February were still operational this month, including this Apple iTunes phishing site hosted on a marketing company's website.

Dropzones for WordPress phishing content

Note that the above phishing content is stored in the blog's wp-includes directory, which is where the bulk of the WordPress application logic resides. More than a fifth of all phishing content hosted on WordPress blogs can be found within this directory, while another fifth resides in the wp-admin directory. However, the most common location is the wp-content directory, which is used by just over half of the phishing sites.

The wp-content directory is where WordPress stores user-supplied content, so it is almost always writable by the web server process. This makes it an obvious dropzone for malware and phishing content if a hacker is able to find and exploit a suitable vulnerability in WordPress, or indeed in any other web application running on the server. Shared hosting environments are particularly vulnerable if the file system permissions allow malicious users to write files to another user's wp-content directory. Some examples of directory structures used by phishing sites hosted in this directory on WordPress blogs include:

/wp-content/securelogin/webapps/paypal/
/wp-content/plugins/wordpress-importer/languages/image/Google/Google/
/wp-content/uploads/.1/Paypal/us/webscr.htm

The wp-includes and wp-admin directories can also be written to by other users or processes if the WordPress installation has not been suitably hardened. Failing to harden a WordPress installation and keep all of its plugins up to date could result in a site being compromised and used to carry out phishing attacks. Enabling automatic background updates is an easy way to ensure that a WordPress blog is kept up-to-date, but a significant trade-off is that every WordPress file must be writable by the web server user.

Some other examples of directory structures seen in phishing sites hosted on WordPress blogs include:

/wp-includes/alibaba_online/
/wp-includes/www.paypal.com.fr.cgi.bin.webscr.cmd.login.submit.login/
/wp-includes/js/online.lloydsbank.co.uk/

/wp-admin/js/www.credit-mutuel.fr/
/wp-admin/maint/RBS-Card/index.html
/wp-admin/Googledoc/
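
Because wp-admin and wp-includes should contain only files shipped with the release, drops like these can be found by comparing the tree against a manifest of release checksums. The audit below is an added example, not code from the article or from WordPress: the manifest, file contents and function names are constructed, and treating HTML/PHP files under wp-content/uploads as suspicious is an assumption.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")            # should hold release files only
ACTIVE_EXT = {".php", ".phtml", ".htm", ".html"}   # assumption: unexpected in uploads

def md5_of(path):
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def audit(root, manifest):
    """Return sorted (relative_path, reason) findings for a WordPress tree.

    manifest maps relative path -> MD5 of every file shipped in the release.
    """
    root = Path(root)
    findings = []
    for path in root.rglob("*"):        # pathlib's "*" also matches dot-directories
        rel = path.relative_to(root).as_posix()
        top = rel.split("/", 1)[0]
        if path.is_dir():
            # A core directory any local user can write to is a ready dropzone.
            if top in CORE_DIRS and path.stat().st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable core directory"))
        elif top in CORE_DIRS:
            if rel not in manifest:
                findings.append((rel, "not in core manifest"))
            elif md5_of(path) != manifest[rel]:
                findings.append((rel, "core file modified"))
        elif rel.startswith("wp-content/uploads/") and path.suffix.lower() in ACTIVE_EXT:
            findings.append((rel, "active content in uploads"))
    return sorted(findings)

def build_demo_tree(root):
    """Constructed sample: two release files plus drops shaped like the paths above."""
    release = {
        "wp-admin/index.php": b"<?php // constructed stand-in for a core file\n",
        "wp-includes/version.php": b"<?php // constructed stand-in for a core file\n",
    }
    dropped = {
        "wp-admin/maint/RBS-Card/index.html": b"<html>constructed</html>",
        "wp-includes/js/online.lloydsbank.co.uk/index.htm": b"<html>constructed</html>",
        "wp-content/uploads/.1/Paypal/us/webscr.htm": b"<html>constructed</html>",
        "wp-content/uploads/2014/02/photo.jpg": b"\xff\xd8 constructed image bytes",
    }
    for rel, data in {**release, **dropped}.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in release.items()}
    # Simulate a tampered core file and an unhardened directory.
    Path(root, "wp-includes/version.php").write_bytes(b"<?php // tampered\n")
    Path(root, "wp-admin").chmod(0o777)
    return manifest

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit(tmp, build_demo_tree(tmp))

if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason:32} {rel}")
```

A manifest check cannot cover wp-content, which holds user-supplied files, so that directory needs content-type rules like the uploads check here or a baseline of the site's own files.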

Interestingly, the wp-admin directory appears to be the favourite location for Apple phishing sites – these make up more than 60% of all phishing sites found in this directory.

Vulnerable WordPress blogs can also be used for other nefarious purposes. A botnet of more than 162,000 WordPress blogs (less than 1% of all WordPress blogs) was recently involved in a distributed denial of service (DDoS) attack against a single website. Attackers exploited the Pingback feature in these WordPress blogs (which is enabled by default) to flood the target site with junk HTTP requests, causing it to be shut down by its hosting company.

A quarter of the phishing sites hosted on WordPress blogs in February targeted PayPal users, followed by 17% which targeted Apple customers.

Please contact us (sales@netcraft.com) for pricing or further details about any of our anti-phishing and web application security testing services.