1. Most Reliable Hosting Company Sites in March 2014

    Rank  Company                OS                   Outage    Failed  DNS    Connect  First  Total
                                                      hh:mm:ss  Req%                    byte
    1     Datapipe               FreeBSD              0:00:00   0.011   0.081  0.018    0.037  0.055
    2     www.choopa.com         Linux                0:00:00   0.011   0.163  0.074    0.157  0.204
    3     ReliableServers.com    Linux                0:00:00   0.015   0.177  0.075    0.154  0.199
    4     Qube Managed Services  Linux                0:00:00   0.019   0.095  0.036    0.076  0.076
    5     Hyve Managed Hosting   Linux                0:00:00   0.019   0.230  0.064    0.127  0.131
    6     Anexia                 Linux                0:00:00   0.019   0.232  0.089    0.411  0.685
    7     Bigstep                Linux                0:00:00   0.022   0.244  0.065    0.177  0.209
    8     Webzilla               unknown              0:00:00   0.026   0.124  0.070    0.138  0.393
    9     Netcetera              Windows Server 2012  0:00:00   0.030   0.059  0.072    0.158  0.291
    10    ServerStack            Linux                0:00:00   0.030   0.081  0.075    0.148  0.148

    (DNS, Connect, First byte and Total are average times in seconds.)

    Managed services provider Datapipe had the most reliable hosting company site in March, closely followed by Choopa in second place. Both of the top two hosting company sites experienced three failed requests, so the tie for first place was broken by comparing average connection times. Datapipe had the lowest average connection time within the top ten, 18ms, and therefore ranked in first place.

    Datapipe has a 100% uptime record which now stretches back over eight years; its last outage occurred back in March 2006. Over this time Datapipe's infrastructure has proved it can withstand the brutal forces of nature, surviving several hurricanes, typhoons and a snow storm. Along with 100% uptime, Datapipe has a low proportion of failed requests, which has led to it ranking in first place many times over the years.

    Second-place Choopa is based in a data centre in Piscataway, New Jersey and additionally has infrastructure in Los Angeles, Amsterdam, and Tokyo. Choopa describes its infrastructure's architecture as redundant with no single point of failure, and has backed this up with a 100% Uptime SLA plus a 0% Packet Loss Guarantee within its network. Choopa offers IPv6 throughout its entire network using a dual stack approach — avoiding the need to tunnel over IPv4. Recently Choopa has launched its own SSD VPS service via a new brand Vultr.

    In third place with four failed requests is ReliableServers, which lists reliability as its number one policy. ReliableServers is based in New Jersey and purchases server racks and network bandwidth from Choopa in Piscataway, which hooks its servers directly into Choopa's network. ReliableServers offers dedicated hosting with a 100% uptime guarantee.

    Elsewhere in the table Webzilla made its first appearance in the top ten, which may be a result of its recent infrastructure upgrades. Webzilla launched in 2005 and offers a range of hosting services including dedicated, cloud, colocation and CDN.

    Linux powers almost all the hosting company sites in the top 10. The exceptions are FreeBSD running Datapipe's site in first place and Windows Server 2012 running Netcetera's site in ninth place.

    Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

    From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as it gives a pointer to the reliability of routing; this is why we choose to rank our table by fewest failed requests rather than by shortest periods of outage. Where the numbers of failed requests are equal, sites are ranked by average connection time.

    Information on the measurement process and current measurements is available.

    Posted by Netcraft on 3rd April, 2014 in Hosting, Performance

  2. April 2014 Web Server Survey

    In the April 2014 survey we received responses from 958,919,789 sites — 39 million more than last month.

    Microsoft made the largest gain this month, with nearly 31 million additional sites boosting its market share by 1.9 percentage points. IIS is now used by a third of the world's websites. Although this is not Microsoft's largest ever market share (it reached 37% in October 2007), this is the closest it has ever been to Apache's leading market share, leaving Apache only 4.7 points ahead. Although Apache gained 6.9 million sites, this was not enough to prevent its market share falling by 0.87 percentage points to 37.7%. nginx, which gained 3.1 million sites, also lost some of its market share.

    More than 70% of this month's new IIS-powered websites are hosted in the US, followed by 22% in China. Nearly 20 million of the new IIS sites in the US are hosted by a single company, Nobis Technology Group, which was also responsible for much of Microsoft's growth in February. A smaller amount of Microsoft IIS growth was also seen on the Windows Azure platform (which will be renamed to Microsoft Azure on April 3), where the total number of active sites has grown by 25% since February, when we compared the platform against Amazon AWS. 84% of all active sites hosted on the Azure platform are running Microsoft web server software.

    Many of the new IIS sites hosted by Nobis Technology Group feature similar content and form part of a Chinese link farm. Link farming is often an attempt to influence search engine results, and each individual site within a link farm is typically of little interest to a human. Netcraft's active sites metric therefore provides a better idea of how many websites are actively managed rather than being automatically generated en masse, such as link farm content and domain holding pages. Of the 114 million sites hosted by Nobis, only a fifth are counted as active sites.

    In terms of active sites, Apache remains in a much stronger position with a 52% share of the market, compared with Microsoft's 11%. A significantly higher proportion of Apache sites are active: 26% of all Apache sites were deemed to be active, whereas only 6% of Microsoft's were. nginx takes a 14% share of the active sites market, putting it 3 points ahead of Microsoft.

    Apache also fares well amongst the million busiest sites, where there is intrinsically very little interference from domain holding pages, link farms and other web spam. Here Apache takes a 53% share of the market, while nginx has 18% and Microsoft has 12%. Although only 3% of the top million sites use Google web server software, Google's dominance amongst the very busiest sites gives it a presence on 8 of the top 10 sites.

    Both Apache and nginx were affected by security vulnerabilities which were resolved during March, whereas Microsoft IIS has yet to be affected by publicly-known security issues this year.

    The latest version of Apache (2.4.9) was released on March 17. The Apache Software Foundation describes this as representing fifteen years of innovation by the project, and this major release of the 2.4 stable branch is recommended over all previous releases. Nevertheless, it is still common for many websites to use the legacy 2.2 branch of releases, or even older versions. Apache 2.4.9 is primarily a security and bug fix release, although it also includes the changes introduced in 2.4.8, which was not actually released. A workaround for a bug in older versions of OpenSSL, which prevented the release of 2.4.8, has been included in 2.4.9.

    Although Apache 2.4.8 was not released, the development version (Apache/2.4.8-dev) was found on 675 sites during this survey, which ran in March. Nearly all of these sites were running on FreeBSD servers which belonged to various Apache projects, mostly Apache HTTPD and Apache OpenOffice.

    The stable branch of nginx was updated twice during March. Two bugs were resolved in nginx 1.4.6, which was released on March 4. nginx 1.4.7 was then released on March 18, addressing another bug and a heap buffer overflow vulnerability. This security vulnerability affected nginx's SPDY module, where a specially crafted request could allow a remote attacker to execute arbitrary code on a vulnerable web server. nginx is notable for its SPDY support, which is used extensively by CloudFlare and also by Automattic, which hosts millions of WordPress blogs and co-sponsored the development of the ngx_http_spdy_module. The same SPDY vulnerability also affected the mainline branch of nginx, which was resolved with the release of nginx 1.5.12.

    Many of the new generic top level domains (gTLDs) are starting to appear in Netcraft's Web Server Survey in significant numbers. For example, the previous survey saw only one website using the .guru gTLD, whereas this month's survey (which ran during March) found 36 thousand. Other gTLDs which have shown significant growth since last month's survey include .photography, .today, .tips, .technology, .directory, .land, .gallery, .estate and .singles.

    Amongst established TLDs, the number of sites using the .ga country code top level domain grew by 140% this month. The My GA website allows .ga domains to be registered for free for between 1 and 12 months, which has no doubt helped towards its goal of increasing the awareness of Gabon across the globe. The .ga ccTLD is administered by the Agence Nationale des Infrastructures Numériques et des Fréquences (ANINF) in Libreville, Gabon, while the registration process is provided by Freenom, who also provide free domain registrations for the more popular .tk ccTLD. Registered Freenom users are allowed an unlimited number of domain name renewals on both .ga and .tk domains, while paying customers can choose to register domains for as long as 10 years in one go and can automatically renew the registration.

    Free and easily-registerable domain names are obviously attractive to fraudsters: During February, Netcraft blocked nearly 1,500 unique phishing sites hosted on .ga domains alone, and this figure jumped to more than 2,400 in March. The vast majority of these phishing attacks targeted Chinese companies, particularly the Taobao marketplace and the Alipay online payment escrow service.





    Developer   March 2014    Percent   April 2014    Percent   Change
    Apache      354,956,660   38.60%    361,853,003   37.74%    -0.87
    Microsoft   286,014,566   31.10%    316,843,695   33.04%     1.94
    nginx       143,095,181   15.56%    146,204,067   15.25%    -0.31
    Google       20,960,422    2.28%     20,983,310    2.19%    -0.09
    (more...)

    Posted by Netcraft on 2nd April, 2014 in Web Server Survey

  3. WordPress hosting: Do not try this at home!

    Compromised WordPress blogs were used to host nearly 12,000 phishing sites in February. This represents more than 7% of all phishing attacks blocked during that month, and 11% of the unique IP addresses that were involved in phishing.

    WordPress blogs were also responsible for distributing a significant amount of web-hosted malware — more than 8% of the malware URLs blocked by Netcraft in February were on WordPress blogs, or 19% of all unique IP addresses hosting malware.

    WordPress is the most common blogging platform and content management system in the world: Netcraft's latest survey found nearly 27 million websites running WordPress, spread across 1.4 million different IP addresses and 12 million distinct domain names. Many of these blogs are vulnerable to brute-force password guessing attacks by virtue of the predictable location of the administrative interface and the still widespread use of the default "admin" username.

    But remarkably, not a single phishing site was hosted on Automattic's own WordPress.com service in February. WordPress.com hosts millions of blogs powered by the open source WordPress software. Customers can purchase custom domain names to use for their blogs, or choose to register free blogs with hostnames like username.wordpress.com.

    Automattic's founder, Matt Mullenweg, was one of the original authors of WordPress when it was released in 2003. Automattic later handed the WordPress trademark to the WordPress Foundation in 2010, but still contributes to the development of WordPress. Such familiarity with the product likely explains why blogs hosted at Automattic are significantly more secure than average.

    Bloggers can also go it alone — anybody can download the WordPress software from wordpress.org and deploy it on their own website, and some hosting companies also offer "one-click" installations to simplify the process. Bloggers who install WordPress on their own websites will often also be responsible for keeping the software secure and up-to-date. Unfortunately, in many cases, they do not.

    Even well-known security experts can fall victim to security flaws in WordPress if it is not their core activity. For example, in 2007, the Computer Security Group at the University of Cambridge found their own Light Blue Touchpaper blog had been compromised through several WordPress vulnerabilities.

    Versions of WordPress after 3.7 are now able to automatically update themselves, provided the WordPress files are writable by the web server process. This has its own security trade-off, however, as an attacker exploiting a new and unreported vulnerability (a zero-day) that has the ability to write files will have free rein over the whole WordPress installation — an attacker could even modify the behaviour of WordPress itself to disable any future automatic security updates.

    Insecure plugins

    Over its lifetime, WordPress has been plagued by security issues both in its core code and in the numerous third-party plugins and themes that are available. One of the most widespread vulnerabilities this decade was discovered in the TimThumb plugin, which was bundled with many WordPress themes and consequently present on a large number of WordPress blogs. A subtle validation flaw made it possible for remote attackers to make the plugin download remote files and store them on the website. This allowed attackers to install PHP scripts on vulnerable blogs, ultimately facilitating the installation of malware and phishing kits. Similar vulnerabilities are still being exploited today.

    Many of the phishing sites blocked in February were still operational this month, including this Apple iTunes phishing site hosted on a marketing company's website.

    Dropzones for WordPress phishing content

    Note that the above phishing content is stored in the blog's wp-includes directory, which is where the bulk of the WordPress application logic resides. More than a fifth of all phishing content hosted on WordPress blogs can be found within this directory, while another fifth resides in the wp-admin directory. However, the most common location is the wp-content directory, which is used by just over half of the phishing sites.

    The wp-content directory is where WordPress stores user-supplied content, so it is almost always writable by the web server process. This makes it an obvious dropzone for malware and phishing content if a hacker is able to find and exploit a suitable vulnerability in WordPress, or indeed in any other web application running on the server. Shared hosting environments are particularly vulnerable if the file system permissions allow malicious users to write files to another user's wp-content directory. Some examples of directory structures used by phishing sites hosted in this directory on WordPress blogs include:

    /wp-content/securelogin/webapps/paypal/
    /wp-content/plugins/wordpress-importer/languages/image/Google/Google/
    /wp-content/uploads/.1/Paypal/us/webscr.htm

    The wp-includes and wp-admin directories can also be written to by other users or processes if the WordPress installation has not been suitably hardened. Failing to harden a WordPress installation and keep all of its plugins up to date could result in a site being compromised and used to carry out phishing attacks. Enabling automatic background updates is an easy way to ensure that a WordPress blog is kept up-to-date, but a significant trade-off is that every WordPress file must be writable by the web server user.

    Some other examples of directory structures seen in phishing sites hosted on WordPress blogs include:

    /wp-includes/alibaba_online/
    /wp-includes/www.paypal.com.fr.cgi.bin.webscr.cmd.login.submit.login/
    /wp-includes/js/online.lloydsbank.co.uk/
    
    /wp-admin/js/www.credit-mutuel.fr/
    /wp-admin/maint/RBS-Card/index.html
    /wp-admin/Googledoc/

    Interestingly, the wp-admin directory appears to be the favourite location for Apple phishing sites – these make up more than 60% of all phishing sites found in this directory.
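    As an added example (not Netcraft's code or anything from the WordPress project), the following script turns the observations above into detection rules run over a file listing from a WordPress install: non-core files in wp-includes or wp-admin, executable or HTML content under wp-content/uploads, unexpected top-level directories in wp-content, hidden directories, and directories named like a bank's or retailer's hostname. The core manifest, the sample listing and all function names are constructed for the illustration.

```python
"""Triage a WordPress file listing for phishing/malware dropzones.
Added example for this write-up, not Netcraft's or WordPress's own code; the
core-file manifest and the sample listing are constructed."""
import posixpath
import re
from collections import Counter

# Constructed stand-in for a core manifest; in practice generate it from a
# pristine copy of the same WordPress release and diff the live install.
CORE_FILES = {"wp-includes/version.php", "wp-admin/index.php"}
# Directories WordPress itself creates under wp-content.
CONTENT_DIRS = {"uploads", "plugins", "themes", "mu-plugins", "languages", "upgrade"}
# Files the web server will execute or render if someone plants them.
SERVED_EXTS = {".php", ".phtml", ".html", ".htm"}
# Translation files are all a languages directory should hold.
LANG_EXTS = {".po", ".mo", ".pot", ".json"}
# A directory named like a hostname (online.lloydsbank.co.uk) is a phishing
# tell; tune for plugins that legitimately use dotted directory names.
HOSTNAME_DIR = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

# Constructed listing shaped like `find . -type f` run in the blog root; the
# phishing paths mirror the examples in the write-up.
SAMPLE_LISTING = """
./wp-includes/version.php
./wp-includes/alibaba_online/index.php
./wp-includes/js/online.lloydsbank.co.uk/login.html
./wp-admin/index.php
./wp-admin/js/www.credit-mutuel.fr/index.php
./wp-admin/maint/RBS-Card/index.html
./wp-content/uploads/2014/02/photo.jpg
./wp-content/uploads/.1/Paypal/us/webscr.htm
./wp-content/securelogin/webapps/paypal/index.php
./wp-content/plugins/wordpress-importer/languages/image/Google/Google/login.php
./wp-content/themes/twentyfourteen/style.css
./index.php
"""

def normalise(path):
    """Collapse './' and a leading '/' so paths compare with the manifest."""
    return posixpath.normpath(path.strip()).lstrip("/")

def wp_area(path):
    """Top-level WordPress directory a path falls under, or 'other'."""
    top = path.split("/", 1)[0]
    return top if top in ("wp-content", "wp-includes", "wp-admin") else "other"

def suspicious_reasons(path, core_files=CORE_FILES):
    """Return why a path looks like dropped content (empty list if it does not)."""
    path = normalise(path)
    area = wp_area(path)
    parts = path.split("/")
    dirs = parts[:-1]
    ext = posixpath.splitext(parts[-1])[1].lower()
    reasons = []
    if area in ("wp-includes", "wp-admin") and path not in core_files:
        # Only shipped files belong here; anything else was written by
        # something other than the installer or updater.
        reasons.append(f"non-core file in {area}")
    if area == "wp-content" and len(parts) > 2:
        if parts[1] not in CONTENT_DIRS:
            reasons.append("unexpected top-level directory in wp-content")
        if parts[1] == "uploads" and ext in SERVED_EXTS:
            reasons.append("served content under wp-content/uploads")
        if "languages" in dirs and ext not in LANG_EXTS:
            reasons.append("non-translation file under a languages directory")
    if any(d.startswith(".") for d in dirs):
        reasons.append("hidden path component")
    if any(HOSTNAME_DIR.match(d) for d in dirs):
        reasons.append("domain-like directory name")
    return reasons

def triage(listing, core_files=CORE_FILES):
    """Flag every suspicious path in a listing and count flags per WP area."""
    flagged, per_area = {}, Counter()
    for line in listing.splitlines():
        if not line.strip():
            continue
        path = normalise(line)
        reasons = suspicious_reasons(path, core_files)
        if reasons:
            flagged[path] = reasons
            per_area[wp_area(path)] += 1
    return flagged, per_area
```

    On the constructed listing the script flags seven paths, split two/two/three across wp-includes, wp-admin and wp-content, and leaves the genuine core files, media upload and theme stylesheet alone.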

    Vulnerable WordPress blogs can also be used for other nefarious purposes. A botnet of more than 162,000 WordPress blogs (less than 1% of all WordPress blogs) was recently involved in a distributed denial of service (DDoS) attack against a single website. Attackers exploited the Pingback feature in these WordPress blogs (which is enabled by default) to flood the target site with junk HTTP requests, causing it to be shut down by its hosting company.

    A quarter of the phishing sites hosted on WordPress blogs in February targeted PayPal users, followed by 17% which targeted Apple customers.

    Please contact us (sales@netcraft.com) for pricing or further details about any of our anti-phishing and web application security testing services.

    Posted by Paul Mutton on 24th March, 2014 in Hosting, Security

  4. EA Games website hacked to steal Apple IDs

    An EA Games server has been compromised by hackers and is now hosting a phishing site which targets Apple ID account holders.

    The compromised server is used by two websites in the ea.com domain, and is ordinarily used to host a calendar based on WebCalendar 1.2.0. This version was released in September 2008 and contains several security vulnerabilities which have been addressed in subsequent releases. For example, CVE-2012-5385 details a vulnerability which allows an unauthenticated attacker to modify settings and possibly execute arbitrary code. It is likely that one of these vulnerabilities was used to compromise the server, as the phishing content is located in the same directory as the WebCalendar application.

    The phishing site attempts to trick a victim into submitting his Apple ID and password. It then presents a second form which asks the victim to verify his full name, card number, expiration date, verification code, date of birth, phone number, mother's maiden name, plus other details that would be useful to a fraudster. After submitting these details, the victim is redirected to the legitimate Apple ID website at https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/

    The compromised server is hosted within EA's own network. Compromised internet-visible servers are often used as "stepping stones" to attack internal servers and access data which would otherwise be invisible to the internet, although there is no obvious outward facing evidence to suggest that this has happened.

    In this case, the hacker has managed to install and execute arbitrary PHP scripts on the EA server, so it is likely that he can at least also view the contents of the calendar and some of the source code and other data present on the server. The mere presence of old software can often provide sufficient incentive for a hacker to target one system over another, and to spend more time looking for additional vulnerabilities or trying to probe deeper into the internal network.

    As well as hosting phishing sites, EA Games is also the target of phishing attacks which try to steal credentials from users of its Origin digital distribution platform. For example, the following site — which has been online for more than a week — is attempting to steal email addresses, passwords and security question answers.

    EA's Origin servers also came under attack earlier this year, causing connectivity and login problems in various EA games. A tweet by @DerpTrolling appeared to claim responsibility for the outages, while also suggesting that it was a distributed denial of service attack which caused the problems.

    ("Gaben" is a reference to Gabe Newell, managing director of Valve Corporation, which owns the competing Steam digital distribution platform)

    Netcraft has blocked access to all phishing sites mentioned in this article, and informed EA yesterday that their server has been compromised. However, the vulnerable server — and the phishing content — is still online at the time of publication.

    The Audited by Netcraft service provides a means of regularly testing internet infrastructure for old and vulnerable software, faulty configurations, weak encryption and other issues which would fail to meet the PCI DSS standard. These automated scans can be run as frequently as every day, and can be augmented by Netcraft's Web Application Security Testing service, which provides a much deeper manual analysis of a web application by an experienced security professional.

    Posted by Paul Mutton on 19th March, 2014 in Security

  5. Most Reliable Hosting Company Sites in February 2014

    Rank  Company                   OS                   Outage    Failed  DNS    Connect  First  Total
                                                         hh:mm:ss  Req%                    byte
    1     Qube Managed Services     Linux                0:00:00   0.000   0.100  0.039    0.081  0.081
    2     ServerStack               Linux                0:00:00   0.008   0.087  0.076    0.150  0.150
    3     Hosting 4 Less            Linux                0:00:00   0.017   0.174  0.125    0.248  0.634
    4     Datapipe                  FreeBSD              0:00:00   0.021   0.077  0.018    0.037  0.055
    5     XILO Communications Ltd.  Linux                0:00:00   0.021   0.199  0.069    0.166  0.261
    6     www.dinahosting.com       Linux                0:00:00   0.021   0.233  0.087    0.175  0.175
    7     Server Intellect          Windows Server 2012  0:00:00   0.021   0.075  0.101    0.638  0.998
    8     Pair Networks             FreeBSD              0:00:00   0.025   0.226  0.085    0.170  0.562
    9     iWeb                      Linux                0:00:00   0.033   0.155  0.090    0.177  0.177
    10    Anexia                    Linux                0:00:00   0.050   0.131  0.103    0.453  0.746

    (DNS, Connect, First byte and Total are average times in seconds.)

    London-based Qube Managed Services had February's most reliable hosting company site, www.qubenet.co.uk, which successfully responded to all requests sent. This is the second time in six months Qube has had no failed requests, having also achieved it back in September. Qube's reliability is perhaps due to the routing infrastructure it has in place at its data centres in London, New York and Zurich. Qube's carriers include Level 3 Communications and Zayo (formerly AboveNet), both of which are known for their extensive network coverage across Europe and America.

    In second place is ServerStack with two failed requests. ServerStack has maintained a 100% uptime record over the past year and offers a 100% uptime service-level agreement from its data centres in Amsterdam, New Jersey and San Jose. ServerStack uses the nginx web server to serve its website and also some of the world's busiest websites, including a site which serves 150 million pageviews per day.

    In third place with four failed requests is Hosting 4 Less. Hosting 4 Less has a 99.9% uptime guarantee and has been providing web hosting services for over 15 years. It owns and operates a Californian data centre facility which is privately peered via multiple gigabit connections to the Internet backbone.

    FreeBSD powered the sites for both Datapipe (lowest connection time within the top 10) and Pair Networks. Windows Server 2012 powered Server Intellect and the remaining seven sites ran Linux, including first place Qube.

    Netcraft measures and makes available the response times of around forty leading hosting providers' sites. The performance measurements are made at fifteen minute intervals from separate points around the internet, and averages are calculated over the immediately preceding 24 hour period.

    From a customer's point of view, the percentage of failed requests is more pertinent than outages on hosting companies' own sites, as it gives a pointer to the reliability of routing; this is why we choose to rank our table by fewest failed requests rather than by shortest periods of outage. Where the numbers of failed requests are equal, sites are ranked by average connection time.

    Information on the measurement process and current measurements is available.

    Posted by Netcraft on 4th March, 2014 in Hosting, Performance

  6. March 2014 Web Server Survey

    In the March 2014 survey we received responses from 919,533,715 sites — around half a million fewer than last month.

    Apache has gained some breathing space this month. Nearly a year of strong market share growth by Microsoft eventually culminated in the gap between Apache and Microsoft being reduced to only 5.4 percentage points. After the gap dropped to its lowest point last month, Microsoft had looked set to usurp Apache as the most common web server within a matter of months. This month's survey saw Microsoft lose 15.8 million sites and Apache gain 3.2 million, however. Apache's market share increased to 38.6%, 7.5 percentage points ahead of Microsoft and bucking the recent trend.

    Most of Microsoft's losses this month were seen at Nobis Technology Group, where more than 30 million link-farming sites stopped operating. Nobis is a private holding company, which owns the DarkStar voice communications network and Ubiquity Hosting Solutions, which has seven data centres across the United States.

    nginx gained 5 million sites this month, increasing its market share to 15.6%. The latest mainline version of nginx (1.5.10) now supports SPDY 3.1, which extends the flow control features of SPDY 3.0 by allowing different sessions within a single connection to send data at different rates. It is no surprise that SPDY 3.1 is already supported in the Google Chrome web browser; SPDY was primarily developed by Google, and is one of their trademarks. SPDY 3.1 has also been supported in Mozilla Firefox since 4th February 2014.

    Content delivery network CloudFlare — which uses its own web server software based on nginx — rolled out SPDY 3.1 support for all of its customers in February. Since last month, Netcraft's SSL Survey has identified a four-fold increase in the number of HTTPS websites supporting SPDY 3.1, most of which are hosted by CloudFlare. A smaller number of these SPDY 3.1 sites are hosted by the owner of the WordPress.com blogging platform, Automattic, which was one of the sponsors of the ngx_http_spdy_module.

    Mozilla has been planning to remove SPDY 2 support from Firefox since September 2013, and this looks set to happen with the release of Firefox 28. Some developers asked for SPDY 2 support to be retained, arguing that dropping support for SPDY 2 would effectively drop SPDY support in many SPDY-enabled websites. However, nginx and CloudFlare now supporting SPDY 3.1 allays some of that concern.

    LibreOffice — the free open source office suite bundled with Ubuntu Linux — moved its website from an Apache web server to nginx at the end of January, apparently for performance reasons. Incidentally, this further distances LibreOffice from the Apache Software Foundation: LibreOffice was forked from OpenOffice.org in 2010, before the latter was given to the ASF, where development continued under the name of Apache OpenOffice.

    More than 30 new generic top-level domains (gTLDs) were delegated to the Root Zone during February, making them officially part of the internet. There are now 471 top level domains in total. The new ones added in February included .flights, .wiki, .xyz, .fish and .移动 (xn--6frz82g – Chinese for "mobile").

    Many of these new gTLDs were applied for by Donuts Inc, a US domain registry which was founded in 2011. The company's CEO and co-founder, Paul Stahura, previously founded domain name registrar eNom in 1997. Donuts raised more than $100,000,000 in its Series A financing round and applied to ICANN for more than 300 TLDs in 2012. As a registry, Donuts does not sell domain names directly to the public; instead, customers must purchase them from one of its accredited registrars.





    Developer   February 2014   Percent   March 2014    Percent   Change
    Apache      351,700,572     38.22%    354,956,660   38.60%     0.38
    Microsoft   301,781,997     32.80%    286,014,566   31.10%    -1.69
    nginx       138,056,444     15.00%    143,095,181   15.56%     0.56
    Google       21,129,509      2.30%     20,960,422    2.28%    -0.02
    (more...)

    Posted by Netcraft on 3rd March, 2014 in Web Server Survey

Page 2 of 186