Volume Says AWS Is the Worst Host Alive. Abuse-Per-IP Says It's a 6-Month-Old Paris /24 Called BUCKLOG.
- Patrick Duggan
If you rank the autonomous systems in our blocklist by raw count, the worst actor on the internet appears to be Amazon. AWS (AS16509) sits at the top with 1,876 blocked events, ahead of Tencent, Google, Microsoft, Alibaba, DigitalOcean, and Meta. Case closed, right? Amazon is the problem.
That conclusion is wrong, and the reason it's wrong is the whole point of this post. Counting raw abuse events rewards bigness. AWS announces something on the order of 120 million IPv4 addresses. Of course it shows up — attackers rent it by the millions, abuse a handful, get reported, and AWS's abuse desk shuts them down. The volume is real but the signal is garbage. A host with a hundred million addresses will always look guilty if you only count.
So we divided by size. For every ASN in our block data we pulled its announced IPv4 footprint and computed abuse density — blocked events per IP. The instant you do that, the hyperscalers evaporate and the actual assholes light up like a switchboard.
The leaderboard nobody wanted to be on
Measured in blocked events per thousand announced IPs, here is the real ranking, worst first.
BUCKLOG, AS211590, registered to Bucklog SARL / FBW Networks SAS in Vélizy-Villacoublay, France: roughly 3,285 blocks per thousand IPs. That is not a typo. With only about 512 addresses to its name it generated 1,682 blocked events — the number two slot on our entire raw list, sitting right behind all of Amazon, on a footprint a quarter-million times smaller. Per IP, BUCKLOG is about 420,000 times denser with abuse than AWS.
Church of Cyberology, AS215125, Netherlands: about 55 per thousand. Yes, a "church." It lists itself on PeeringDB as Educational, Research, and Non-Profit, which is the kind of cover story that tells you everything.
STORMINDUSTRIES "Offshore LC", AS214472: about 47 per thousand. The marketing for this class of host sells the quiet part out loud — offshore, no KYC, zero data collection, DDoS protection included. Those aren't features for legitimate businesses. They're features for people who do not want to be found.
DMZHOST, AS48090, fronted by TECHOFF SRV LIMITED: about 29 per thousand — and this one is a known quantity. DMZHOST is named in Wikipedia's bulletproof-hosting article, in Spamhaus's anatomy of bulletproof hosting, in Intel 471's research, and in a ThreatFox ASN report. It advertises servers "outside the reach of Western law enforcement," and Team Cymru documented how the virtual-office address behind it manufactures a facade of legitimacy. DDoS-for-hire infrastructure was traced to it as far back as 2017.
Then the long tail: Driftnet Ltd (AS211298), Advin Services (AS22295), ColocaTel (AS213438, registered in the Seychelles in February 2025), Omegatech, and 1337 Services GmbH (AS210558, Hamburg) — the last of which lands lower on density because it's bigger, but URLhaus, ThreatFox, and CleanTalk have all logged malware and spam coming out of it. A registered German GmbH with a leet-speak name and a malware-URL feed attached to it.
Every one of the hyperscalers, by contrast, scored at or near zero per thousand. AWS, Microsoft, Google, Alibaba, Huawei, Tencent, DigitalOcean, Meta — all effectively 0.00. They are not bulletproof hosts. They are legitimate infrastructure that attackers rent and that responds when you report abuse. Volume made them look like villains; density exonerates them.
The standout deserves its own paragraph
BUCKLOG isn't just a number on our chart — GreyNoise did the deep forensic work on it and we're standing on their shoulders here. Their researchers documented AS211590 as a purpose-built, Kubernetes-orchestrated scanning fleet operating out of a single Paris range, generating on the order of 13 million sessions across 90 days, and in one tracked week throwing more than 33,000 HTTP requests at webhook endpoints — hunting file-upload paths, document-processing endpoints, and n8n workflow-automation instances via CVE-2026-21858. That is not a hosting company that happens to have a few bad tenants. The abuse is the product. The entire ASN is the weapon.
What our data adds is independent corroboration from a completely different vantage point. We never read GreyNoise's telemetry; we read our own blocklist. And BUCKLOG floated to the number two raw slot and the number one density slot on its own. When two sensors that share no data agree, your confidence goes up. Defend the door, not the actor — but it helps to know which doors the same small set of landlords keep opening.
Why density is the lever
This is a method you can run anywhere, and you should. Raw abuse counts are a popularity contest that bigness always wins, which is why "AWS is the top source of attacks" is a headline that gets written every year and means nothing. Normalize by announced footprint and the picture inverts: the hyperscalers fall to the floor and a cluster of tiny, recently-allocated, often-offshore ASNs — a French /24, a Dutch "church," a Seychelles shell, a leet-named GmbH — account for abuse rates hundreds to hundreds-of-thousands of times higher per address.
Those are the networks worth blocking wholesale, because unlike AWS there is no legitimate tenant to collateral-damage and no abuse desk that will ever answer. A 6-month-old ASN with one /24 and an abuse density five orders of magnitude above Amazon is not a hosting business having a bad week. It is the business.
We're capping our confidence at 95 percent, as always — abuse density is sparsely populated in any one sensor's data, our footprint figures are point-in-time from public routing tables, and a couple of these networks will turn out to be merely negligent rather than complicit. But the shape is not subtle. The biggest assholes on the internet do not rent from Amazon. They rent a /24 in Paris, and they named it after themselves.
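The normalization described above, as an added example (not the author's code): it collapses overlapping announcements before counting addresses, skips ASNs with no footprint data or too few events to judge, and ranks by blocked events per thousand IPs. The two event counts come from this post; the prefixes, the documentation ASNs AS64500/AS64501, and the `min_events` threshold are assumptions made for illustration.

```python
import ipaddress

# Event counts for AS16509 and AS211590 are the post's figures. Everything
# else is constructed: AS64500/AS64501 are documentation ASNs, and the
# prefixes are reserved/documentation ranges sized to the post's footprints,
# not real announcements.
EVENTS = {"AS16509": 1876, "AS211590": 1682, "AS64500": 3, "AS64501": 40}
ANNOUNCED = {
    "AS16509": ["240.0.0.0/6", "244.0.0.0/7", "246.0.0.0/8"],  # ~117M addresses
    "AS211590": ["198.51.100.0/24", "203.0.113.0/24",
                 "203.0.113.0/25"],  # the /25 is a more-specific of the /24
    "AS64500": ["192.0.2.0/24"],
    # AS64501 deliberately has no routing data.
}

def footprint(prefixes):
    """Distinct IPv4 addresses announced; overlapping or more-specific
    prefixes are collapsed so no address is counted twice."""
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    v4 = [n for n in nets if n.version == 4]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))

def rank_by_volume(events):
    """The naive ranking: ASNs ordered by raw blocked-event count."""
    return sorted(events, key=events.get, reverse=True)

def rank_by_density(events, announced, min_events=25):
    """Rows of (asn, events, ips, events_per_1000_ips), densest first.
    min_events is an assumed floor: a handful of events on a tiny
    network is noise, not a density signal."""
    rows = []
    for asn, count in events.items():
        size = footprint(announced.get(asn, []))
        if size == 0 or count < min_events:
            continue  # unknown footprint or too sparse to rank
        rows.append((asn, count, size, round(1000 * count / size, 4)))
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    print("by volume:", rank_by_volume(EVENTS))
    for asn, count, size, per_k in rank_by_density(EVENTS, ANNOUNCED):
        print(f"{asn:<9} events={count:<5} ips={size:<10} per_1000={per_k}")
```

In practice the prefix lists would come from a point-in-time routing table snapshot, which is the footprint caveat the post states.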
Primary research credit: GreyNoise Labs (BUCKLOG / AS211590 Kubernetes scanning fleet), Spamhaus, Intel 471, and Team Cymru (DMZHOST / bulletproof-hosting tradecraft), and abuse.ch's URLhaus and ThreatFox (per-ASN malware and IOC feeds). We brought the blocklist and the calculator.