Russian Business Network Penguins

As those who visit our home page may have noticed, we have a section where we note the countries with the worst IP reputation. We divide it up between big countries and small ones, and determine the relative badness by calculating the proportion of the country's reported IP addresses that are bad.

Ukraine has consistently been the number one large country ever since we started analyzing it, with about 5% or 1 in 20 IP addresses bad. However, the number one small country tends to vary considerably - we've had Haiti, at least one of the Pacific island nations and, just recently, the almost totally unpopulated continent of Antarctica.

Naughty Penguins

This caused a certain amount of amusement inside and outside the company (thanks Paul C for the image) and I thought it might be interesting to find out what exactly the Penguins have been doing and how much.

Well, it turns out to be fairly straightforward (although there is a slight bug in our calculation scheme, as I had not anticipated country IP blocks of less than a /24). According to our Maxmind GeoIP database there are 4857 IP addresses in Antarctica, in various dribs and drabs of mostly AS34109 but also a couple of other ASes. Unfortunately AS34109 appears to be heavily infested with the Russian Business Network, and four /24s that happen to include the Antarctic addresses, plus two other unique IP addresses that Maxmind puts in Antarctica, are a part of the RBN. 1026/4857 gets you 21%, which is indeed by far the highest ratio of bad IP addresses to total IP addresses in our list.

So are the penguins really a part of the RBN? Almost certainly not. Neither are the penguin researchers or any of the other inhabitants of Antarctica. Almost certainly the addresses inside AS34109 that used to be used for Antarctic research stations have now been reassigned to something else (AS34109 is the Dutch ISP CB3ROB, which appears to have nothing to do with Antarctica).

For those who may be interested, the four 'Antarctic' /24s that are in the RBN are 84.22.98.0/24, 84.22.112.0/24, 84.22.122.0/24 and 84.22.125.0/24, and the two individual nodes are 84.22.106.30 and 84.22.106.50.
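The sub-/24 problem mentioned above can be reproduced on a small scale. The following is an added example, not our production code: it assumes the bug is that a bad /24 is credited in full to a country that only holds part of it, and compares that count with an exact intersection. All blocks are constructed from the documentation ranges, and the function names are hypothetical.

```python
import ipaddress

def _nets(cidrs):
    # Collapse so duplicate or overlapping entries are never counted twice.
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))

def overlap_size(a, b):
    """Addresses shared by two CIDR blocks (they either nest or are disjoint)."""
    if a.subnet_of(b):
        return a.num_addresses
    if b.subnet_of(a):
        return b.num_addresses
    return 0

def country_total(country_cidrs):
    return sum(n.num_addresses for n in _nets(country_cidrs))

def naive_bad_count(country_cidrs, bad_cidrs):
    """Assumed buggy scheme: a bad block touching the country counts in full."""
    country = _nets(country_cidrs)
    return sum(b.num_addresses for b in _nets(bad_cidrs)
               if any(b.overlaps(c) for c in country))

def exact_bad_count(country_cidrs, bad_cidrs):
    """Count only the addresses that are both bad and geolocated to the country."""
    country, bad = _nets(country_cidrs), _nets(bad_cidrs)
    return sum(overlap_size(c, b) for c in country for b in bad)

# Constructed sample data (RFC 5737 documentation ranges, not real allocations).
COUNTRY = ["192.0.2.0/26", "192.0.2.128/27", "198.51.100.0/24", "203.0.113.16/28"]
BAD = ["192.0.2.0/24", "203.0.113.0/24", "198.51.100.7/32"]

if __name__ == "__main__":
    total = country_total(COUNTRY)
    for name, fn in (("naive", naive_bad_count), ("exact", exact_bad_count)):
        bad = fn(COUNTRY, BAD)
        note = "  <- more bad than allocated" if bad > total else ""
        print(f"{name}: {bad}/{total} = {bad / total:.0%}{note}")
```

With geo blocks smaller than the bad /24s, the naive count can exceed the country's whole allocation, which is a useful sanity check to run on any per-country reputation figure.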
