Faster Actions Needed Against Phishing Domains

Criminals often register their own domain names to carry out phishing attacks. Unlike the other common phishing site scenarios (including hacked servers, open redirects, and abuse of free web hosting), phishing sites that have their own domain name can be harder to remove, because the website owner and the domain owner are both the fraudster. Only the hosting and DNS providers and the domain registrar are able to take the site down and are also likely to cooperate.

The operation of top-level domains is generally split between a registry, which operates the infrastructure that answers DNS queries, and registrars, which sell domain names and provide the process for owners to maintain their records. Registries generally are not directly involved in removing phishing domains, and refer those to the registrar through which the domain was registered.

However, it is relatively easy to become a registrar, so large numbers of hosting companies, web design firms and domain name resellers are able to handle registrations. Registrars may not all respond quickly to abuse complaints. And in unusual cases registrars themselves may be involved in illegal activity.

There is a particular problem with so-called fast flux phishing attacks. Here the attacker uses a large pool of compromised hosts — often personal computers on DSL connections — and from these randomly chooses a number to act as web servers to host the phish (and also some to act as DNS servers for the phishing domain). The set of hosts used to support the phishing site is changed regularly, so efforts to contact the owner of one hacked system would at best cause the phishing site to be temporarily unavailable. ICANN (which hands out the contracts to operate generic top level domains including .com) published a report earlier this year looking at whether it should intervene to encourage adoption of more effective policies by registrars to prevent the abuse of fast-flux setups; but it seems reluctant to compel registrars to stop a practice that may also have some legitimate uses.

The one common point for any phishing attack is the URL sent to victims. In the case of fast-flux attacks, the owner of the domain will not cooperate and there are too many hacked systems hosting the phish for contacting the hosting provider to be effective. The only way the attack can be quickly stopped is for the registrar or registry to suspend the phishing domain name.
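The fast-flux pattern described above (web and DNS hosts drawn from a changing pool) can be summarised from passive-DNS data before a registrar report is filed. The following is an added example, not Netcraft's code: the observation rows, the names `flux_profile` and `looks_fast_flux`, and the thresholds are all assumptions, and /24 prefixes stand in for network diversity.

```python
from ipaddress import ip_network

# Constructed passive-DNS rows: (seconds, owner name, type, TTL, data).
# Names use reserved example domains, addresses use documentation ranges.
OBSERVATIONS = [
    (0,    "pay.flux.example", "NS", 300, "ns1.flux.example"),
    (0,    "ns1.flux.example", "A", 300, "198.51.100.7"),
    (0,    "pay.flux.example", "A", 180, "192.0.2.10"),
    (0,    "pay.flux.example", "A", 180, "198.51.100.23"),
    (600,  "pay.flux.example", "A", 180, "203.0.113.5"),
    (600,  "pay.flux.example", "A", 180, "192.0.2.77"),
    (600,  "ns1.flux.example", "A", 300, "203.0.113.90"),
    (1200, "pay.flux.example", "A", 180, "198.51.100.140"),
    (1200, "ns1.flux.example", "A", 300, "192.0.2.201"),
    (0,    "www.shop.example", "NS", 86400, "ns1.shop.example"),
    (0,    "ns1.shop.example", "A", 86400, "192.0.2.53"),
    (0,    "www.shop.example", "A", 3600, "192.0.2.80"),
    (1200, "www.shop.example", "A", 3600, "192.0.2.80"),
]

def flux_profile(rows, name):
    """Summarise how much the web and DNS hosts behind `name` change."""
    ns_names = {data for _, owner, rtype, _, data in rows
                if owner == name and rtype == "NS"}
    web, dns, ttls = set(), set(), []
    for _, owner, rtype, ttl, data in rows:
        if rtype != "A":
            continue
        if owner == name:            # hosts serving the site itself
            web.add(data)
            ttls.append(ttl)
        elif owner in ns_names:      # hosts answering DNS for the domain
            dns.add(data)
    # Assumption: distinct /24 prefixes approximate distinct networks.
    nets = {ip_network(f"{ip}/24", strict=False) for ip in web | dns}
    return {"web_ips": len(web), "dns_ips": len(dns),
            "networks": len(nets), "min_ttl": min(ttls) if ttls else None}

def looks_fast_flux(p, min_ips=4, min_networks=3, max_ttl=300):
    """Heuristic only; thresholds are assumptions to tune on your own data."""
    return (p["min_ttl"] is not None and p["min_ttl"] <= max_ttl
            and p["web_ips"] >= min_ips and p["networks"] >= min_networks
            and p["dns_ips"] > 1)
```

Short TTLs and many addresses also occur in legitimate load-balanced setups, so a positive result is a reason to review the domain and escalate to the registrar, not proof of abuse.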

June 2009 Web Server Survey

In the June 2009 survey we received responses from 238,027,855 sites, an increase of 2,137,329 on last month. A reduction in activity at Microsoft Live Spaces was responsible for the large drop in the number of Microsoft-IIS sites detected. Apache retains the dominant market share of 47.12%, approximately 112.2 million sites in total, and saw a modest increase in market share of 0.63 percentage points this month.

Meanwhile, Google has increased its market share by 1.3 percentage points to nearly 12 million sites, due mainly to increased activity on Blogger.

nginx continues to grow strongly, increasing its market share by 1 percentage point. It gains around 2.5 million sites this month, mostly due to more activity seen by the survey on blogging provider NetEase. nginx is also used by, where Netcraft saw 180,000 more active blogs this month.

Total Sites Across All Domains, August 1995 - June 2009

Graph of market share for top servers across all domains, August 1995 - June 2009

Top Developers
Developer May 2009 Percent June 2009 Percent Change

Most Reliable Hosting Company Sites in May 2009

| Rank | Company site | OS | Outage | | DNS | Connect | First | |
|---|---|---|---|---|---|---|---|---|
| 1 | New York Internet | FreeBSD | | 0.000 | 0.266 | 0.042 | 0.086 | 0.180 |
| 2 | pair Networks | FreeBSD | | 0.000 | 0.319 | 0.055 | 0.113 | 0.248 |
| 3 | INetU | unknown | | 0.000 | 0.768 | 0.063 | 0.133 | 0.264 |
| 4 | Swishmail | FreeBSD | 0:00:00 | 0.005 | 1.101 | 0.040 | 0.081 | 0.208 |
| 5 | Verio | Linux | 0:00:00 | 0.005 | 2.233 | 0.068 | 0.137 | 0.137 |
| 6 | Virtual Internet | Windows Server 2003 | 0:00:00 | 0.005 | 0.715 | 0.092 | 0.342 | 0.688 |
| 7 | Server Intellect | Windows Server 2003 | 0:00:00 | 0.010 | 0.929 | 0.039 | 0.079 | 0.184 |
| 8 | | unknown | 0:00:00 | 0.010 | 1.310 | 0.044 | 0.096 | 0.140 |
| 9 | Kattare Internet Services | Linux | 0:00:00 | 0.010 | 0.371 | 0.090 | 0.182 | 0.480 |
| 10 | | Linux | 0:00:00 | 0.014 | 3.799 | 0.066 | 0.136 | 0.327 |

New York Internet, pair Networks and INetU had the most reliable hosting company sites in May 2009. Each of these sites responded resiliently to Netcraft's performance collectors throughout the month, with not a single failed request.

This is New York Internet's second consecutive appearance at the top. Established in 1996, the company's core services now include dedicated servers, colocation and virtual web hosting - all backed with a 99.999% uptime guarantee.

pair Networks also started off in 1996, with a $10,000 family loan funding a single employee and a partial T-1 line. The company has since grown to offer dedicated servers, virtual private servers and high volume hosting from its own datacentres in Pennsylvania, which use GigE connections to five diverse backbone networks.

INetU is an enterprise managed hosting company, also located in Pennsylvania. They stand by their network performance by offering a 100% uptime service level agreement. Managed services provided by INetU include MySQL and MS SQL database clusters, Exchange servers, virtualization and firewalls. Their clients include Fortune 500 companies such as Microsoft, Intel and Northrop Grumman.

Among May's top ten hosting company sites, three companies (including New York Internet and pair Networks) run their sites on FreeBSD. Three other companies run their sites on Linux, while the remaining two identifiable operating systems are Windows Server 2003.

F5 BIG-IP Hosts 10 Million Sites

More than 10 million websites were found running F5 BIG-IP devices in our most recent Web Server Survey. F5's BIG-IP product family uses the TMOS platform to provide a modular approach to traffic management, and several distinct modules are available for tasks such as load balancing, SSL acceleration and fast caching.


4.26% of all websites and around 3.8% of the top million sites are now served by F5 BIG-IP devices. Facebook, Bank of America and Adobe are among the sites with the largest amount of traffic using F5 BIG-IP.

F5 BIG-IP is particularly prominent in the United Kingdom, where it is used to serve 13.8% of all websites in the country; however, it is only found on 0.42% of the web-facing computers in the UK. This exemplifies a common BIG-IP deployment, where a large number of websites can be hosted by a relatively small number of frontend devices.

May 2009 Web Server Survey

In the May 2009 survey we received responses from 235,890,526 sites, an increase of 4.3 million on last month. Apache remains firmly in the lead, having gained 3.3 million sites, and Microsoft-IIS remains second, having lost almost 0.9 million (mostly due to less activity seen at accounts on Microsoft's own Live Spaces service)., the popular IM service in China, remains third with 29M sites. Google takes fourth place, after gaining approximately 1.5 million sites, and remains ahead of nginx which gained 200,000.
Global Distribution of nginx Sites
The Russian web server nginx has been steadily increasing in popularity for several years. The chart below shows the geographical distribution of sites using nginx and in particular illustrates that China now has the most nginx sites, with almost 2.5 million, and that the US is close behind with almost 2.4 million. nginx was written by Igor Sysoev and is well known for its rich feature set and low resource consumption.

Total Sites Across All Domains, August 1995 - May 2009

Graph of market share for top servers across all domains, August 1995 - May 2009

Top Developers

| Developer | April 2009 | Percent | May 2009 | Percent | Change |
|---|---|---|---|---|---|
| Apache | 106,368,727 | 45.95% | 109,672,897 | 46.49% | 0.55 |
| Microsoft | 67,767,928 | 29.27% | 66,871,466 | 28.35% | -0.92 |
| | 28,905,133 | 12.49% | 28,905,135 | 12.25% | -0.23 |
| Google | 7,229,033 | 3.12% | 8,678,011 | 3.68% | 0.56 |
| nginx | 6,100,424 | 2.64% | 6,342,250 | 2.69% | 0.05 |

Most IIS Sites Unlikely to be Affected by WebDAV Vulnerability

The most recent Netcraft Web Server Survey found more than 62 million websites running Microsoft IIS 6.0, but many of these are unlikely to be affected by the latest WebDAV remote authentication bypass vulnerability.

A new WebDAV vulnerability was published by Nikolaos Rangos on Friday; it details how attackers can bypass access restrictions using a flaw in the WebDAV functionality on IIS 6.0. Because Unicode tokens are not handled properly, the bug gives attackers access to password-protected folders and, in some cases, the ability to upload files to the affected web servers.

Although IIS 6.0 accounts for more than 90% of the Microsoft sites on the Internet, the total number of vulnerable sites is likely to be substantially less than 62 million because WebDAV is not a default component of IIS 6.0 when a Windows Server 2003 machine is given the role of Application Server. Nonetheless, some people may install and enable WebDAV to provide a convenient means of publishing and managing web server content through firewalls – because WebDAV is an extension to the HTTP protocol, it can operate over the same port number as HTTP.

Microsoft issued a security advisory on Monday, which also lists IIS 5.0 as vulnerable. This issue may affect a much larger proportion of the 2.8 million IIS 5.0 websites as, unlike its successor, Windows 2000 Server automatically installs WebDAV alongside IIS 5.0.
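Since exposure depends on whether WebDAV is actually enabled, an administrator can triage an inventory of their own IIS servers from the responses to an HTTP OPTIONS request. The following is an added example, not code from Netcraft or Microsoft: the two responses are constructed, the function names are hypothetical, and it assumes a server with WebDAV enabled advertises it through a `DAV` header or WebDAV verbs in `Allow`/`Public`.

```python
# Constructed OPTIONS responses from two servers in your own inventory.
RESP_DAV = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
            "MS-Author-Via: DAV\r\nDAV: 1, 2\r\n"
            "Public: OPTIONS, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT\r\n"
            "allow: OPTIONS, GET, HEAD, PROPFIND\r\n\r\n")
RESP_PLAIN = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
              "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
              "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n\r\n")

DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
AFFECTED = ("Microsoft-IIS/5.0", "Microsoft-IIS/6.0")  # versions named in the text

def parse_headers(raw):
    """Return {lowercased header name: [values]} from a raw response head."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:                     # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def webdav_exposure(raw):
    """Report whether a response advertises WebDAV on an IIS version the text names."""
    h = parse_headers(raw)
    server = ", ".join(h.get("server", []))
    methods = {m.strip().upper()
               for key in ("allow", "public")
               for value in h.get(key, [])
               for m in value.split(",") if m.strip()}
    dav_methods = sorted(methods & DAV_METHODS)
    advertises = bool(h.get("dav")) or bool(dav_methods)
    return {"server": server, "webdav": advertises, "dav_methods": dav_methods,
            "needs_review": advertises and server.startswith(AFFECTED)}
```

Servers reported with `needs_review` set are the ones to check against Microsoft's advisory, and WebDAV can be disabled on them where it is not required.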