# 10 Hosting Providers Account for 60% of Malicious Traffic
- Patrick Duggan
- Mar 7
- 3 min read
We scored every ISP that's ever attacked us.
Not a sample. Not an estimate. Every IP we've blocked since November 2025, traced to its hosting provider, scored on a 0-100 reputation scale. Lower is worse.
The result: about 10 hosting companies generate roughly 60% of the garbage hitting our infrastructure. And nobody's talking about it.
## The Scoring Method
Our ISP Reputation Scorer pulls from five sources simultaneously:
1. **AbuseIPDB** — crowd-sourced abuse reports from 400K+ contributors
2. **VirusTotal** — 70+ antivirus engines scanning each IP
3. **ThreatFox** — IOC database from abuse.ch
4. **Team Cymru** — IP-to-ASN resolution and reputation
5. **Our own honeypots** — raw behavioral data from live attack capture
Each ISP gets a composite score built from four inputs: how many of its IPs we've blocked, the average abuse score across those IPs, the VirusTotal detection rate on them, and whether any of them appear in ThreatFox C2 listings.
A score of 15 means roughly 85% of the weighted signals say you're hosting criminals.
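As an added example (not DugganUSA's scorer), here is one way to turn those four inputs into a composite 0-100 score per ASN, lower being worse. The weights, the field names, and the rule that block volume saturates at a 20% share are assumptions; the sample records are constructed from documentation address and ASN ranges, not real observations.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class BlockedIP:
    ip: str
    asn: int
    isp: str
    abuse_confidence: int   # AbuseIPDB confidence of abuse, 0-100
    vt_malicious: int       # VirusTotal engines that flagged the IP
    vt_total: int           # engines that scanned it
    threatfox_c2: bool      # listed as a C2 server in abuse.ch ThreatFox


# Assumed weights; they sum to 1 so the penalty, and the score, stay in 0-100.
WEIGHTS = {"volume": 0.25, "abuse": 0.35, "vt": 0.25, "c2": 0.15}


def score_isps(blocked):
    """Group blocked IPs by ASN and return {asn: {isp, blocked, score}}.

    score = 100 * (1 - weighted penalty); lower is worse.
    """
    by_asn = defaultdict(list)
    for rec in blocked:
        by_asn[rec.asn].append(rec)
    total = len(blocked)
    scores = {}
    for asn, recs in by_asn.items():
        # Share of all blocks, saturating at a 20% share (assumed cut-off)
        # so one giant ASN does not flatten everyone else's volume term.
        volume = min(1.0, len(recs) / total * 5)
        abuse = mean([r.abuse_confidence for r in recs]) / 100
        vt_rates = [r.vt_malicious / r.vt_total for r in recs if r.vt_total]
        vt = mean(vt_rates) if vt_rates else 0.0   # no scan data -> no penalty
        c2 = sum(1 for r in recs if r.threatfox_c2) / len(recs)
        penalty = (WEIGHTS["volume"] * volume + WEIGHTS["abuse"] * abuse
                   + WEIGHTS["vt"] * vt + WEIGHTS["c2"] * c2)
        scores[asn] = {"isp": recs[0].isp, "blocked": len(recs),
                       "score": round(100 * (1 - penalty), 1)}
    return scores


def worst(scores, k=10):
    """The k lowest-scoring providers as (isp, score), worst first."""
    ranked = sorted(scores.values(), key=lambda v: v["score"])
    return [(v["isp"], v["score"]) for v in ranked[:k]]


# Constructed sample: three ASNs from the RFC 5398 documentation range and
# TEST-NET addresses. Not real data.
SAMPLE = [
    BlockedIP("203.0.113.10", 64496, "Bulletproof Hosting Ltd", 100, 14, 70, True),
    BlockedIP("203.0.113.11", 64496, "Bulletproof Hosting Ltd", 90, 35, 70, True),
    BlockedIP("203.0.113.12", 64496, "Bulletproof Hosting Ltd", 90, 7, 70, False),
    BlockedIP("203.0.113.13", 64496, "Bulletproof Hosting Ltd", 80, 0, 70, False),
    BlockedIP("198.51.100.20", 64497, "Big Cloud Inc", 40, 0, 70, False),
    BlockedIP("198.51.100.21", 64497, "Big Cloud Inc", 20, 0, 70, False),
    BlockedIP("198.51.100.22", 64497, "Big Cloud Inc", 60, 7, 70, False),
    BlockedIP("198.51.100.23", 64497, "Big Cloud Inc", 10, 0, 70, False),
    BlockedIP("198.51.100.24", 64497, "Big Cloud Inc", 30, 0, 70, False),
    BlockedIP("192.0.2.30", 64498, "Home Broadband ISP", 70, 0, 70, False),
]

if __name__ == "__main__":
    for isp, score in worst(score_isps(SAMPLE)):
        print(f"{score:5.1f}  {isp}")
```

Note what the volume term does: the big cloud provider, with the most blocked IPs but low abuse scores, ends up within a fraction of a point of the single-IP home ISP. If that is not the ranking you want, the volume weight is the knob to turn, which is exactly the kind of tuning a published formula lets a consumer argue about.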
## Why This Matters
Enterprise threat intel vendors sell ISP reputation data for $50,000 a year. They gate it behind NDAs and sales calls. The actual data — which hosting companies are letting attackers operate from their networks — stays locked behind paywalls while the attacks continue.
We publish ours for free.
`GET https://analytics.dugganusa.com/api/v1/azure-intel/isp-reputation`
Every ISP score. Every data point. No paywall, no API key required for read access.
## The MITRE Problem We Fixed
When we started mapping blocked IPs to MITRE ATT&CK techniques, 96% of threats landed in the tactic TA0011 (Command and Control) with no technique underneath it. That's the default when you don't know what something is. It's the cybersecurity equivalent of shrugging.
We expanded our behavioral inference engine from 4 techniques to 27. Now when a residential proxy with a high abuse score hits us, it maps to T1110.004 (Brute Force: Credential Stuffing), not the generic C2 bucket. When a bulletproof hoster with VirusTotal detections appears, it maps to T1102 (Web Service, C2 over legitimate web services).
133 techniques in our catalog. 27 auto-mapping rules running against every blocked IP. Real classification, not defaults.
`GET https://analytics.dugganusa.com/api/v1/azure-intel/mitre-summary`
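As an added example (not DugganUSA's inference engine), here is the shape of an ordered rule table that maps a blocked IP's signals to an ATT&CK technique and only falls back to the TA0011 bucket when nothing else fires. The signal names and the rule set are assumptions; the two rules the post spells out are included verbatim, the rest are illustrative. Technique IDs are real ATT&CK IDs; the sample IPs are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IPSignals:
    ip: str
    abuse_confidence: int               # AbuseIPDB, 0-100
    vt_malicious: int                   # VirusTotal engines flagging the IP
    threatfox_c2: bool                  # ThreatFox lists it as a C2
    residential_proxy: bool             # rented residential/IoT egress
    bulletproof_host: bool              # ASN on an abuse-tolerant hoster list
    honeypot_behavior: Optional[str]    # what our honeypot saw, if anything


# The shrug: a tactic, not a technique.
DEFAULT = ("TA0011", "Command and Control (unclassified)")

# First matching rule wins, so direct behavioural evidence from the honeypot
# sits above reputation-only inferences. Assumed rule set.
RULES = [
    ("honeypot ssh password guessing",
     lambda s: s.honeypot_behavior == "ssh_bruteforce",
     ("T1110.001", "Brute Force: Password Guessing")),
    ("honeypot web vulnerability scan",
     lambda s: s.honeypot_behavior == "web_scan",
     ("T1595.002", "Active Scanning: Vulnerability Scanning")),
    ("residential proxy with high abuse score",
     lambda s: s.residential_proxy and s.abuse_confidence >= 50,
     ("T1110.004", "Brute Force: Credential Stuffing")),
    ("residential proxy, low abuse score",
     lambda s: s.residential_proxy,
     ("T1090.002", "Proxy: External Proxy")),
    ("bulletproof hoster with VirusTotal detections",
     lambda s: s.bulletproof_host and s.vt_malicious > 0,
     ("T1102", "Web Service")),
    ("ThreatFox C2 listing",
     lambda s: s.threatfox_c2,
     ("T1071", "Application Layer Protocol")),
]


def classify(s, rules=RULES):
    """Return (technique_id, technique_name, rule_name) for one IP."""
    for name, pred, (tid, tname) in rules:
        if pred(s):
            return tid, tname, name
    return DEFAULT[0], DEFAULT[1], "default"


def summarize(signals, rules=RULES):
    """Share of IPs per technique ID, the kind of table a summary endpoint
    would serve. Pass rules=[] to see the all-default state."""
    counts = Counter(classify(s, rules)[0] for s in signals)
    n = len(signals)
    return {tid: round(c / n, 2) for tid, c in counts.most_common()}


# Constructed sample (TEST-NET addresses), not real observations.
SAMPLE = [
    IPSignals("203.0.113.5", 85, 0, False, True, False, None),
    IPSignals("203.0.113.6", 10, 0, False, True, False, None),
    IPSignals("198.51.100.7", 60, 12, False, False, True, None),
    IPSignals("198.51.100.8", 100, 0, False, False, False, "ssh_bruteforce"),
    IPSignals("192.0.2.9", 30, 0, False, False, False, None),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.ip, *classify(s))
    print("with rules:", summarize(SAMPLE))
    print("no rules:  ", summarize(SAMPLE, rules=[]))
```

Rule order is the part worth reviewing: the honeypot rules go first because an observed SSH brute-force is stronger evidence than any reputation inference, and the high-abuse residential rule must precede the generic residential rule or the credential-stuffing mapping never fires.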
## Residential Proxies: The Credential Stuffing Pipeline
About 15-20% of our blocks come from residential proxies. These aren't data center IPs. They're home routers, phones, and IoT devices, compromised or carrying bundled proxyware their owners never knowingly agreed to, being rented out as proxy networks.
The attack pattern: buy a list of stolen credentials from a breach, route login attempts through residential IPs so they look like normal users, stuff credentials at scale. Your corporate firewall sees traffic from Comcast and AT&T — looks legitimate. It isn't.
Our STIX feed now tags these explicitly:
`GET https://analytics.dugganusa.com/api/v1/stix-feed?exclude_residential=true`
Pass `exclude_residential=true` to drop them if your SOC can't absorb the volume. Leave it off and keep them if credential stuffing is your threat model.
## Brand Weaponization
In November 2025, we caught an IP whose ISP label read "Anthropic, PBC". WHOIS showed Amazon.com, Inc.: AWS infrastructure presenting itself as an AI company, which is enough to slip past blocking keyed on provider reputation.
We now track this pattern across AWS, Google Cloud, Microsoft Azure, and OpenAI infrastructure. If the ASN or ISP label claims one company and WHOIS names another, we flag it. Treat the flag as a prompt to verify rather than a verdict: a legitimate tenant can put its own name on ranges it rents, so check the address against any ranges the claimed company publishes before acting on it.
`GET https://analytics.dugganusa.com/api/v1/azure-intel/brand-weaponization`
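As an added example (not DugganUSA's tracker), here is a mismatch check that compares the brand named in an ISP label with the brand named in WHOIS, after normalising the registry's habit of writing the same company several ways. The brand table, the legal-suffix list and the record format are assumptions, and the records are constructed; note that the normalisation is what keeps "Amazon Technologies Inc." versus "Amazon.com, Inc." from being a false positive.

```python
import re
from typing import Optional

# Tracked brands (the post names AWS, Google Cloud, Azure and OpenAI, plus the
# Anthropic label it caught) mapped to prefixes their registry org names start
# with after normalisation. Assumed table; grow it from your own WHOIS data.
BRANDS = {
    "amazon": ("amazon", "aws"),
    "google": ("google",),
    "microsoft": ("microsoft",),
    "openai": ("openai",),
    "anthropic": ("anthropic",),
}
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "limited", "corp", "corporation",
                  "pbc", "co", "gmbh", "sa", "the"}


def normalize_org(name):
    """'Amazon.com, Inc.' -> 'amazoncom'; 'OpenAI, L.L.C.' -> 'openai'."""
    s = name.lower().replace(".", "")           # keep 'l.l.c' as one token
    tokens = re.sub(r"[^a-z0-9]+", " ", s).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def brand_of(name) -> Optional[str]:
    norm = normalize_org(name)
    for brand, prefixes in BRANDS.items():
        if any(norm.startswith(p) for p in prefixes):
            return brand
    return None


def brand_mismatch(isp_label, whois_org):
    """Return (claimed, actual) when the label names a tracked brand that the
    registry does not back; None otherwise.

    A hit is a flag to verify against the claimed brand's published ranges,
    not proof of impersonation: a tenant may label ranges it rents.
    """
    claimed, actual = brand_of(isp_label), brand_of(whois_org)
    if claimed is None or claimed == actual:
        return None
    return claimed, actual or normalize_org(whois_org)


def scan(records):
    """Run the check over blocked-IP records; returns (ip, claimed, actual)."""
    hits = []
    for rec in records:
        m = brand_mismatch(rec["isp_label"], rec["whois_org"])
        if m:
            hits.append((rec["ip"], m[0], m[1]))
    return hits


# Constructed records (TEST-NET addresses), not real observations.
SAMPLE = [
    {"ip": "203.0.113.40", "isp_label": "Anthropic, PBC",
     "whois_org": "Amazon.com, Inc."},
    {"ip": "203.0.113.41", "isp_label": "Amazon Technologies Inc.",
     "whois_org": "Amazon.com, Inc."},
    {"ip": "198.51.100.42", "isp_label": "OpenAI, L.L.C.",
     "whois_org": "Microsoft Corporation"},
    {"ip": "198.51.100.43", "isp_label": "Hetzner Online GmbH",
     "whois_org": "Hetzner Online GmbH"},
    {"ip": "192.0.2.44", "isp_label": "Google LLC", "whois_org": "Google LLC"},
]

if __name__ == "__main__":
    for ip, claimed, actual in scan(SAMPLE):
        print(f"{ip}: label says {claimed}, registry says {actual}")
```

The second flagged record is the caveat in miniature: a label of one company over another company's address space is exactly what a legitimate cloud tenant looks like too, so the output is a worklist, not a blocklist.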
## What Changed
Before this work:
- STIX feed included every IP regardless of confidence (279 low-quality indicators diluting the feed)
- MITRE mapping was 96% "Command & Control" (useless)
- Residential proxies detected but not tagged
- ISP reputation calculated but not exposed
After:
- Default `min_confidence=30` cuts 40% of noise from the feed
- 27 MITRE auto-mapping rules with behavioral inference
- Residential proxy tagging with `?exclude_residential=true`
- ISP reputation scores on a public API
- Brand weaponization tracking
- All rules stored in Azure Table Storage, queryable via API
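As an added example (not DugganUSA's feed code), here is the consumer side of the two knobs described above and in the residential-proxy section: a confidence floor and a residential-proxy exclusion applied to a STIX 2.1 bundle, with the mirror-image option of keeping only residential proxies when credential stuffing is the threat model. The post does not say how the feed encodes the residential tag; this assumes a `residential-proxy` entry in each indicator's `labels`. The bundle is constructed from TEST-NET addresses, and an indicator with no `confidence` field (the property is optional in STIX) is treated as confidence 0.

```python
import json
import re

# STIX patterns can be arbitrarily complex; this handles the single-IPv4 form
# a blocklist feed emits and skips anything else rather than mis-parsing it.
IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")
RESIDENTIAL_LABEL = "residential-proxy"   # assumed label name


def load_bundle(text):
    return json.loads(text)


def filter_indicators(bundle, min_confidence=30, exclude_residential=False,
                      residential_only=False):
    """Return the IPv4 addresses from a bundle that pass the filters."""
    ips = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("confidence", 0) < min_confidence:
            continue
        residential = RESIDENTIAL_LABEL in obj.get("labels", [])
        if exclude_residential and residential:
            continue
        if residential_only and not residential:
            continue
        m = IPV4_PATTERN.fullmatch(obj.get("pattern", ""))
        if m:
            ips.append(m.group(1))
    return ips


# Constructed bundle, not output of the real feed.
BUNDLE_JSON = """{
  "type": "bundle",
  "id": "bundle--0a6f1c3e-2b5d-4e8f-9a1b-3c5d7e9f1a2b",
  "objects": [
    {"type": "identity", "spec_version": "2.1",
     "id": "identity--1b2c3d4e-5f60-4718-8293-a4b5c6d7e8f9",
     "created": "2025-11-01T00:00:00.000Z", "modified": "2025-11-01T00:00:00.000Z",
     "name": "Example feed publisher", "identity_class": "organization"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--6d1f2a3b-4c5d-4e6f-8a9b-0c1d2e3f4a01",
     "created": "2025-11-02T00:00:00.000Z", "modified": "2025-11-02T00:00:00.000Z",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.7']",
     "valid_from": "2025-11-02T00:00:00.000Z",
     "confidence": 85, "labels": ["malicious-activity", "residential-proxy"]},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--6d1f2a3b-4c5d-4e6f-8a9b-0c1d2e3f4a02",
     "created": "2025-11-02T00:00:00.000Z", "modified": "2025-11-02T00:00:00.000Z",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.8']",
     "valid_from": "2025-11-02T00:00:00.000Z",
     "confidence": 20, "labels": ["malicious-activity"]},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--6d1f2a3b-4c5d-4e6f-8a9b-0c1d2e3f4a03",
     "created": "2025-11-02T00:00:00.000Z", "modified": "2025-11-02T00:00:00.000Z",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.9']",
     "valid_from": "2025-11-02T00:00:00.000Z",
     "confidence": 95, "labels": ["malicious-activity", "bulletproof-hosting"]},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--6d1f2a3b-4c5d-4e6f-8a9b-0c1d2e3f4a04",
     "created": "2025-11-02T00:00:00.000Z", "modified": "2025-11-02T00:00:00.000Z",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.10']",
     "valid_from": "2025-11-02T00:00:00.000Z",
     "confidence": 40, "labels": ["malicious-activity", "residential-proxy"]},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--6d1f2a3b-4c5d-4e6f-8a9b-0c1d2e3f4a05",
     "created": "2025-11-02T00:00:00.000Z", "modified": "2025-11-02T00:00:00.000Z",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.11']",
     "valid_from": "2025-11-02T00:00:00.000Z",
     "labels": ["malicious-activity"]}
  ]
}"""

if __name__ == "__main__":
    bundle = load_bundle(BUNDLE_JSON)
    print("default:         ", filter_indicators(bundle))
    print("no residential:  ", filter_indicators(bundle, exclude_residential=True))
    print("residential only:", filter_indicators(bundle, residential_only=True))
```

The missing-confidence case is the one to decide deliberately: treating it as 0 means such indicators vanish under any floor above zero, which is the safe default for a firewall feed but will silently hide a producer that forgot to set the field.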
## The Free Feed
275 organizations in 46 countries pull our STIX feed daily, among them Microsoft, AT&T, Starlink, and Cloudflare. They get this data for free because that's how threat intelligence should work.
The ISP abuse concentration data is live. The MITRE mappings are live. The residential proxy tags are live.
Enterprise vendors charge $50K/year for worse coverage with a 48-hour delay.
We charge nothing and update in real time for the enterprise tier.
`GET https://analytics.dugganusa.com/api/v1/stix-feed`
*DugganUSA LLC — Minnesota. ISP reputation scoring, MITRE behavioral inference, and residential proxy detection. All free. All live.*
*STIX Feed: https://analytics.dugganusa.com/api/v1/stix-feed*
*Security Dashboard: https://analytics.dugganusa.com/v2*
*Support the mission: https://epstein.dugganusa.com/donate*
*Her name was Renee Nicole Good.*
*His name was Alex Jeffery Pretti.*