State of the Web - Q4 2009
A View of the Web From an End User's Perspective

Zscaler Labs

Abstract

Attackers are no longer targeting web and email servers. Today, they are attacking enterprises from the inside out, by first compromising end user systems and then leveraging them to gain access to confidential data. As such, it is imperative that organizations have an understanding of what is happening on the web. As a Security-as-a-Service vendor, Zscaler has a unique perspective on web traffic. With millions of end users traversing the web through Zscaler's global network of web gateways, we are able to better understand both how users are interacting with web based resources and how attackers may be targeting end users. In this, our first quarterly 'State of the Web' report, we provide a window into the web from an end user's perspective.

Table of Contents

Overview
Web Traffic Statistics
  Web Server Statistics
    TLDs by Unique Domain Visited
    TLDs by Total Transactions
    Transaction to Domain Ratio
    Top Domains Visited
    CIDR Block Distribution
    ASN Distribution
    Geography
    File Types
    Request Method
    Response Code
  Web Browser Statistics
    Browser Version
  User Statistics
    URL Categorization
    Search Engines
    Social Networking
    File Sharing
    Government
    Retail
Security Statistics
  Threats
    Malware by IP Address
    Malware by Country
    Phishing
    Malicious Domains
    Anonymizers
    Botnets
  Traffic
    Bogon IP Space
Conclusion
Appendix
  TLD Breakdown
    Monthly Summary - Top TLDs Visited
    Monthly Summary - Unique Domains Per TLD
  Categorization Breakdown
    .COM Breakdown by Category
    .NET Breakdown by Category
    .ORG Breakdown by Category
    .INFO Breakdown by Category
  Top Search Queries

Overview

Our goal in producing this report is to better understand traffic on the web today. Security and IT teams across organizations are tasked with managing the traffic of end users on their networks. That can involve restricting access for various business purposes and protecting end users from external threats. This is a tall order given the increasing ease of access to web based services that often permit users to bypass traditional controls, whether accessing corporate resources from personal devices such as smart phones or setting up applications by leveraging cloud based resources.

Zscaler is in a unique position to observe trends in web traffic. As a Security-as-a-Service vendor, Zscaler's network of web gateways continually inspects traffic for millions of end users around the globe.

There are a number of great reports available today from a variety of organizations to help us better understand web traffic. However, the majority of such reports tend to focus on the server side of the equation. They tend to look at the technology that has been deployed to deliver web content and the associated security issues in web applications. We feel that there is a need to better understand the client side of the equation: what are end users doing on the web, and how are attackers targeting them? The latter part of this question is especially important, as attackers have clearly shifted away from attacking web and email servers to targeting end users. They understand that end user systems tend to represent the weakest link in the security chain, and they are exploiting that weakness with increasing efficiency. We can better defend against such attacks by better understanding exactly what is occurring on the web, and it is our hope that this report will help to shed some light on that very topic.


Web Traffic Statistics

Web Server Statistics

Zscaler customers visited several million web servers during the 4th quarter of 2009. One interesting technique for visualizing the IP addresses of the web servers visited is a heatmap. The graphic below was generated with the Measurement Factory's ipv4-heatmap software[1], which "uses a 12th-order Hilbert curve[2] to represent the entire IPv4 address space". In the graphic, IP addresses visited are represented by white pixels, while addresses not visited are displayed as black pixels. Non-routable or reserved space is identified in gray and, where appropriate, we have indicated what that space is used for. It is a fascinating view which exposes just how vast the Internet truly is. Even when analyzing traffic from millions of users over the course of three months, it can be seen that much of the Internet remains untouched.

[1] http://maps.measurement-factory.com/software/ipv4-heatmap.1.html
[2] A Hilbert curve is a space-filling curve that visits every point in a grid (in our case a 2^12 x 2^12 grid, i.e. 2^24 pixels, so each pixel represents one /24 block).

[Figure: Hilbert curve - All Q4 2009 traffic by IP address]
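The address-to-pixel mapping that such a heatmap relies on, as an added example (this is not the Measurement Factory's code and not part of the report). A 12th-order Hilbert curve has 2^24 points, one per /24: the top 24 bits of an address give its index along the curve, and the standard d2xy/xy2d bit-manipulation routines (the form given on the Wikipedia "Hilbert curve" page) turn that index into a pixel on a 4096 x 4096 image. The corner that 0.0.0.0 lands in is a convention and the real tool's orientation may differ; the IP list at the bottom is constructed.

```python
"""Map IPv4 addresses onto the Hilbert-curve layout used by IPv4 heatmaps.

Added example, not the Measurement Factory's code.  A 12th-order Hilbert
curve has 2**24 points, one per /24: the top 24 bits of an address give its
index d along the curve and d2xy() turns d into a pixel on a 4096 x 4096
image, so neighbouring /24s land on neighbouring pixels.  d2xy/xy2d are the
standard bit-twiddling forms (as on the Wikipedia 'Hilbert curve' page).
Which corner 0.0.0.0 occupies is a convention; the real tool may differ.
"""
import ipaddress

ORDER = 12
N = 1 << ORDER  # 4096 pixels per side; N*N == 2**24 == number of /24 blocks


def _rot(n, x, y, rx, ry):
    """Reflect/transpose a sub-square so its sub-curve joins the parent curve."""
    if ry == 0:
        if rx == 1:
            x, y = n - 1 - x, n - 1 - y
        x, y = y, x
    return x, y


def d2xy(n, d):
    """Position d along the curve filling an n x n grid -> (x, y)."""
    x = y = 0
    t = d
    s = 1
    while s < n:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def xy2d(n, x, y):
    """Inverse of d2xy: (x, y) on an n x n grid -> position along the curve."""
    d = 0
    s = n // 2
    while s > 0:
        rx = 1 if x & s else 0
        ry = 1 if y & s else 0
        d += s * s * ((3 * rx) ^ ry)
        x, y = _rot(n, x, y, rx, ry)
        s //= 2
    return d


def ip_to_pixel(ip):
    """Pixel (x, y) lit by the /24 that contains ip, on the 4096 x 4096 map."""
    d = int(ipaddress.IPv4Address(ip)) >> 8  # drop the host octet: /24 index
    return d2xy(N, d)


def heatmap_pixels(ips):
    """Lit pixels for a list of visited server IPs (one pixel per /24 seen)."""
    return {ip_to_pixel(ip) for ip in ips}


def render_ascii(ips, order=3):
    """Same layout at a lower order so it fits on a terminal.

    At order k the grid is 2**k on a side and each cell covers a /(2k) block
    (order 3: an 8 x 8 grid of /6 blocks, 2**26 addresses per cell).
    """
    n = 1 << order
    grid = [["."] * n for _ in range(n)]
    for ip in ips:
        d = int(ipaddress.IPv4Address(ip)) >> (32 - 2 * order)
        x, y = d2xy(n, d)
        grid[y][x] = "#"
    return ["".join(row) for row in grid]


# Constructed sample: two hosts share a /24, the rest are in different /24s.
SAMPLE_IPS = ["216.137.37.10", "216.137.37.200", "216.137.39.1",
              "74.208.1.5", "124.218.196.7", "8.8.8.8"]

if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        print(f"{ip:>16} -> /24 pixel {ip_to_pixel(ip)}")
    print(f"{len(heatmap_pixels(SAMPLE_IPS))} of {N * N} pixels lit")
    print("\n".join(render_ascii(SAMPLE_IPS)))
```

Because consecutive /24s are adjacent on the curve and any aligned run of 4^k consecutive indices fills a 2^k x 2^k square, an aligned /16 appears on the image as a solid 16 x 16 pixel square and a /8 as a 256 x 256 square; that is what makes provider allocations readable as shapes rather than scattered dots.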

TLDs by Unique Domain Visited

The .com, .org, and .net top-level domains (TLDs) consistently made up the bulk of the unique domains visited each month. .com made up 80.11% of the unique domains visited during the quarter, .net 4.96% and .org 4.45%. The table below shows the next 10 largest TLDs, which together make up about 80% of the remaining roughly 10.5% of the unique domains visited in Q4 2009.

[Pie chart: unique domains visited by TLD, Q4 2009 - com 80%, net 5%, org 4%, other 10%]

Top 10 TLDs by unique domains visited per month (excluding .com/.net/.org), share of all unique domains, values read from the chart bars:

TLD     October   November   December
ru      1.25%     1.1%       1.50%
uk      1.04%     1.5%       1.22%
au      1.03%     1.3%       1.30%
edu     1.23%     1.3%       1.11%
de      0.74%     1.0%       1.07%
info    0.59%     0.6%       0.63%
us      0.63%     0.6%       0.57%
fr      0.56%     0.6%       0.49%
in      0.63%     0.5%       0.47%
ca      0.39%     0.5%       0.44%

There were a number of similarities, with a few fluctuations, within the top 10 TLDs by unique domains visited from month to month:

  • .ru was the 4th most popular TLD by unique domains visited in October and December; however, it dropped to the 7th spot in November.
  • .au, .uk, and .edu occupied the 5th through 7th spots, with the exception of November, when .uk beat out .ru for the 4th spot.

The chart below shows the breakdown of TLDs based on total number of transactions as opposed to unique domains. This view favors those TLDs hosting popular sites which receive higher volumes of overall traffic.
TLDs by Total Transactions

Top 10 TLDs by transactions per month (excluding .com/.net), share of all transactions, values read from the chart bars:

TLD     October   November   December
org     1.57%     1.54%      1.44%
au      0.66%     0.97%      0.78%
in      0.62%     0.38%      0.41%
tv      0.36%     0.35%      0.55%
uk      0.29%     0.44%      0.41%
de      0.16%     0.23%      0.26%
gov     0.22%     0.19%      0.25%
fr      0.24%     0.21%      0.18%
edu     0.21%     0.18%      0.20%
pe      0.23%     0.22%      0.16%

Transaction to Domain Ratio

The data from the top TLDs by unique domain and the top TLDs by transaction can be combined to find:

  • The TLDs with the highest ratio of transactions to domains, indicating a large number of transactions across a small subset of domains. In other words, only a few unique domains in the TLD make it popular.
  • The TLDs with the lowest ratio of transactions to domains, indicating a number of domains among which the transactions are spread out. In other words, each unique domain has only a small number of visits or transactions.

Transactions per unique domain (ratio = transactions / unique domains), top 25 TLDs per month:

Rank   October           November          December
       TLD     Ratio     TLD     Ratio     TLD     Ratio
 1     nu      5063      nu      8083      net     3737
 2     net     3617      net     3428      nu      2824
 3     ly      2140      ly      1792      ly      1699
 4     tv      1719      tv      1568      tv      1692
 5     pe      1326      id      1267      fm      1307
 6     fm      1140      pe      1159      lan     1260
 7     in       803      lan     1153      pe      1228
 8     com      726      fm       968      com      799
 9     it       707      ir       807      in       765
10     id       677      com      702      im       713
11     aero     676      it       678      pf       701
12     hn       662      in       655      it       633
13     tr       655      th       622      gov      592
14     au       520      au       584      th       587
15     su       500      tr       531      vn       546
16     im       483      gr       515      au       517
17     gov      480      dk       503      ir       485
18     ke       422      local    471      za       463
19     ph       409      hn       398      hn       461
20     ec       400      gov      392      tr       436
21     int      391      mx       389      mx       417
22     co       355      ke       374      sg       382
23     fr       341      io       368      ke       380
24     th       330      co       331      va       372
25     mx       315      ec       325      ec       368


Well utilized generic TLDs (gTLDs), such as .com, will have a high ratio because domains like Google, Facebook, Amazon, Yahoo, Microsoft, MySpace, Twitter, etc. account for a large share of the transactions to that TLD. This is, however, offset to a certain extent because these gTLDs also contain a very large number of other, far less visited domains, and those unique domains lower the ratio somewhat, though it remains relatively high overall. For example, October through December 2009 saw .com ratios of 726:1, 702:1, and 799:1 respectively.

It is interesting to further analyze domain results for less popular TLDs, and for those that had a higher ratio than the gTLDs, both from a statistical and trending perspective and from a security perspective. Miscreants frequently register domains in TLDs that are less in demand because they are cheaper, and in some cases the particular domain registry (maintainer of the TLD) and/or registrar (maintainer of the domain record) will have poor abuse handling procedures. Additionally, the registry and/or registrar may either be complicit in the illegal activity or be in a jurisdiction whose legal system protects the domain from being de-registered or from having the registration information shared with law enforcement. TLDs with a high ratio of transactions per unique domain have one or more domains with a large number of transactions. It is interesting to sift through the records to explain the high-ratio TLDs. They may be the result of a malicious command and control (C&C) or information drop server receiving a large number of beaconing transactions from infected hosts, or they could be something benign, such as a popular social networking site in a particular country.

One example of a TLD that bubbled to the top for a benign reason was .ly. This TLD had ratios of 2140:1, 1792:1, and 1699:1 in the October through December timeframe, more than double the ratios that .com had during these months. The high ratio is explained by the TLD being relatively unpopular as far as unique domains go, while carrying a large number of transactions to a single popular domain: bit.ly, a widely used URL shortening service.

The .nu TLD had even higher ratios of 5063:1, 8083:1, and 2824:1 in Q4 2009. The .nu TLD is assigned to the island state of Niue, and Wikipedia states that the TLD "is particularly popular in Sweden, Denmark, the Netherlands and Belgium, as nu is the word for 'now' in Swedish, Danish, and Dutch." While the TLD may be popular in these countries, our ratio shows that a relatively small number of domains dominate the transactions for this TLD.

Running a query against the Zscaler NanoLogs for .nu domains and their transaction counts showed that a large percentage of the transactions went to a single domain: cvnxus.mine.nu. The transactions to the domain appear as:

    hxxp://cvnxus.mine.nu:53/30080000

Further analysis revealed that there were several bot infected hosts that were beaconing TCP ACK packets to this host. Zscaler has since notified and assisted impacted customers. A separate white paper detailing this analysis will be released.
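As an added example that is not part of the report and is not Zscaler's NanoLog query, the following Python computes, from constructed proxy log lines, the two quantities behind the TLD charts above (transactions and unique domains per TLD), the transactions-per-domain ratio this section uses to surface outlier TLDs, the single domain that drives each outlier, and one cheap indicator a practitioner would check when sifting the records for a high-ratio TLD: plain-HTTP transactions to a non-standard port, as in the cvnxus.mine.nu:53 requests above. The log format ("timestamp user url", one line per transaction) and every line in build_sample_log() are constructed; bit.ly and cvnxus.mine.nu are the two hosts the report names, the other hostnames are invented.

```python
"""Transactions per unique domain, by TLD, over proxy log lines.

Added example, not part of the original report.  It computes the two
counts behind the TLD charts (transactions and unique domains per TLD),
the ratio the report uses to surface outlier TLDs, the single domain that
drives each outlier, and one cheap extra indicator worth checking on the
outliers: plain-HTTP requests to a non-standard port, as in the
hxxp://cvnxus.mine.nu:53/... transactions the report describes.  The log
format ('timestamp user url', one line per transaction) and every line in
build_sample_log() are constructed; bit.ly and cvnxus.mine.nu are the two
hosts the report names, the other hostnames are invented.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit


def build_sample_log():
    """Constructed proxy log reproducing the report's pattern in miniature."""
    urls = []
    for i in range(30):                       # 30 .com sites, 10 hits each
        urls += [f"http://site{i}.example.com/page"] * 10
    urls += [f"http://seite{i}.example.de/" for i in range(10)]  # 10 .de, 1 hit each
    # .ly: one URL shortener dominates (the benign case in the report)
    urls += ["http://bit.ly/abc123"] * 60 + ["http://a.ly/", "http://b.ly/"]
    # .nu: identical requests, over and over, to one host on port 53
    urls += ["http://cvnxus.mine.nu:53/30080000"] * 200 + ["http://x.nu/", "http://y.nu/"]
    return [f"2009-12-01T10:{i // 60 % 60:02d}:{i % 60:02d} user{i % 7} {u}"
            for i, u in enumerate(urls)]


def tld_of(host):
    """Last DNS label: the report groups by TLD, so cvnxus.mine.nu -> nu."""
    return host.rsplit(".", 1)[-1].lower()


def parse_line(line):
    """(host, port) for one log line, or None if it does not parse."""
    try:
        _ts, _user, url = line.split(" ", 2)
        parts = urlsplit(url.strip())
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    if not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.hostname.lower(), port


def tld_stats(lines):
    """Per TLD: transactions, unique domains, ratio, top domain and its share."""
    tx = Counter()
    per_host = defaultdict(Counter)
    odd_port = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, port = parsed
        tld = tld_of(host)
        tx[tld] += 1
        per_host[tld][host] += 1
        if port not in (80, 443, 8080):
            odd_port[tld] += 1
    stats = {}
    for tld, n in tx.items():
        top_host, top_n = per_host[tld].most_common(1)[0]
        stats[tld] = {
            "transactions": n,
            "unique_domains": len(per_host[tld]),
            "ratio": n / len(per_host[tld]),
            "top_domain": top_host,
            "top_share": top_n / n,
            "nonstandard_port_tx": odd_port[tld],
        }
    return stats


def high_ratio_tlds(stats, baseline="com", factor=2.0):
    """TLDs whose ratio exceeds factor x the baseline gTLD's, highest first.

    The report's own yardstick: .ly and .nu ran at more than double .com.
    """
    threshold = factor * stats[baseline]["ratio"]
    hits = [t for t, s in stats.items() if t != baseline and s["ratio"] > threshold]
    return sorted(hits, key=lambda t: stats[t]["ratio"], reverse=True)


if __name__ == "__main__":
    stats = tld_stats(build_sample_log())
    for tld in high_ratio_tlds(stats):
        s = stats[tld]
        print(f".{tld}: ratio {s['ratio']:.0f}:1, {s['top_share']:.0%} of transactions "
              f"to {s['top_domain']}, {s['nonstandard_port_tx']} on non-standard ports")
```

A high ratio alone is ambiguous: in this sample both .ly and .nu trip the two-times-.com threshold. What separates them is what the dominant domain's transactions look like, which is the kind of detail the "sifting through the records" above refers to; here the .nu host draws identical requests to an HTTP service on port 53, while the .ly traffic is ordinary port-80 requests to a URL shortener.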

Top Domains Visited

Many of the most visited domains are actually those that operate behind the scenes. liveperson.net, for example, is a real-time support tool used by a variety of large online retail and services companies such as Bank of America, AT&T and IBM[3]. As such, when receiving email and chat based customer support at such companies, certain traffic is actually redirected to the liveperson.net domain. Top domains are calculated based on the total number of transactions. As such, sites delivering images, streaming content or requiring frequent communication of some form tend to score higher. Advertising based traffic was very prevalent, with ad management platforms such as doubleclick.net and yieldmanager.com both landing in the top 10. Google, Yahoo! and Facebook all ranked high, as did domains owned and managed by them: fbcdn.net and yimg.com serve up Facebook and Yahoo! content respectively. google-analytics.com, a Google tool for tracking site visitors, receives significant traffic because its tracking script is embedded in numerous third party sites, so every page view on those sites produces a request to the domain.

[3] http://solutions.liveperson.com/company/customers/
[Chart: Top 10 Domains Visited By Month, Q4 2009 (share of transactions, October/November/December). Domains listed, top to bottom: liveperson.net, google.com, doubleclick.net, fbcdn.net, yahoo.com, yimg.com, facebook.com, google-analytics.com, yieldmanager.com, login.icq.com]


CIDR Block Distribution

CIDR notation is a way of writing a block of IP addresses, where the number after the slash is the prefix length: the number of leading bits of the address that are fixed for every address in the block[4]. For example:

  • 192.168.1.0/24 is the IP block 192.168.1.0-192.168.1.255 (256 addresses)
  • 192.168.0.0/16 is the IP block 192.168.0.0-192.168.255.255 (65,536 addresses)
  • 192.0.0.0/8 is the IP block 192.0.0.0-192.255.255.255 (16,777,216 addresses)
[4] http://en.wikipedia.org/wiki/CIDR_notation

The table below shows the top 25 most popular, highly utilized IP blocks based on Zscaler customer traffic. These results are displayed in three ways: (1) a narrow /24 IP block viewpoint, (2) a middle /16 IP block viewpoint, and (3) a broader /8 IP block viewpoint.

The narrow /24 viewpoint is largely comprised of popular end-user sites and services that are distributed across their IP block. The 4th quarter included some of the busiest shopping months of the year. This, combined with Amazon's utilization of their IP blocks (e.g., their EC2 service), accounted for Amazon having the top 10 /24 IP blocks by number of unique IPs visited. MySpace and Vkontakte are social networking sites that appear to distribute their user load and/or content among a number of web server IPs in their block.

The middle /16 viewpoint displays some of the more popular hosting and service providers by unique IPs visited, such as 1&1, Digital United, Taiwan Fixed Network, and HiNet. It is interesting that when looking at the most popular IP blocks from the middle aggregation point (/16 blocks), more Asia based IP blocks bubble to the top, while from the smaller (/24) and larger (/8) aggregation points more United States based ARIN space finds its way into the top 25 blocks by unique IPs visited. This suggests that Asian (APNIC) service and hosting providers may largely be allocated /16 or similarly sized blocks.

Top 25 blocks by unique server IPs visited (the source table gives no organization for the /8 column):

Rank  /24 CIDR Block      Organization           /16 CIDR Block   Organization            /8 CIDR Block
 1    216.137.37.0/24     Amazon                 74.208.0.0/16    1&1 Internet Inc.       74.208.0.0/8
 2    216.137.39.0/24     Amazon                 123.204.0.0/16   Digital United          69.0.0.0/8
 3    216.137.41.0/24     Amazon                 124.8.0.0/16     Taiwan Fixed Network    216.0.0.0/8
 4    216.137.45.0/24     Amazon                 114.44.0.0/16    HiNet                   66.0.0.0/8
 5    216.137.47.0/24     Amazon                 219.85.0.0/16    Sony Network Taiwan     74.0.0.0/8
 6    216.137.55.0/24     Amazon                 124.218.0.0/16   Asia Pacific On-line    208.0.0.0/8
 7    216.137.59.0/24     Amazon                 122.121.0.0/16   HiNet                   64.0.0.0/8
 8    216.137.53.0/24     Amazon                 220.136.0.0/16   HiNet                   72.0.0.0/8
 9    216.137.43.0/24     Amazon                 125.230.0.0/16   HiNet                   67.0.0.0/8
10    216.137.61.0/24     Amazon                 114.47.0.0/16    HiNet                   61.0.0.0/8
11    63.135.88.0/24      MySpace                112.104.0.0/16   Digital United          218.0.0.0/8
12    216.137.35.0/24     Amazon                 59.117.0.0/16    HiNet                   209.0.0.0/8
13    91.192.55.0/24      spamfighter.com        118.160.0.0/16   HiNet                   118.0.0.0/8
14    93.186.229.0/24     Vkontakte.ru           74.125.0.0/16    Google Inc.             174.0.0.0/8
15    70.35.16.0/24       Netfirms, Inc.         218.172.0.0/16   HiNet                   65.0.0.0/8
16    93.186.230.0/24     Vkontakte.ru           69.192.0.0/16    Akamai Technologies     122.0.0.0/8
17    64.71.33.0/24       affinity.com           96.17.0.0/16     Akamai Technologies     207.0.0.0/8
18    69.89.31.0/24       bluehost.com           96.6.0.0/16      Akamai Technologies     87.0.0.0/8
19    65.54.81.0/24       Microsoft.com          118.171.0.0/16   HiNet                   220.0.0.0/8
20    64.12.24.0/24       aol.net                219.81.0.0/16    Taiwan Fixed Network    124.0.0.0/8
21    124.218.196.0/24    Asia Pacific On-line   114.40.0.0/16    HiNet                   125.0.0.0/8
22    124.218.194.0/24    Asia Pacific On-line   219.84.0.0/16    Sony Network Taiwan     219.0.0.0/8
23    124.218.198.0/24    Asia Pacific On-line   218.163.0.0/16   HiNet                   59.0.0.0/8
24    124.218.200.0/24    Asia Pacific On-line   61.31.0.0/16     Taiwan Fixed Network    96.0.0.0/8
25    124.218.202.0/24    Asia Pacific On-line   114.43.0.0/16    HiNet                   82.0.0.0/8

To get a clearer picture of actual organizations with a large number of visited web servers (unique web server IPs), a chart was created breaking out unique IPs visited per autonomous system. An autonomous system (AS) is a collection of connected IP blocks under the control of a group/organization. The first and third most popular ASs are Asian, which correlates with our previous statement.

ASN Distribution
     Rank          ASN                               Organization                       Percentage
1                AS3462       HINET Data Communication Business Group                       13.36%
2                AS21844      ThePlanet.com Internet Services, Inc.                          2.31%
3                AS9924       Taiwan Fixed Network, Telco and Network Service Provider.      1.53%
4                AS2914       NTT America, Inc.                                              1.36%
5                AS8560       1&1 Internet AG                                                1.33%
6                AS7132       AT&T Internet Services                                         1.27%
7                AS4780       Digital United Inc.                                            1.21%
8                AS33070      Rackspace.com, Ltd.                                            1.02%
9                AS4134       CHINANET-BACKBONE No.31,Jin-rong Street                        1.01%
10               AS18182      Sony Network Taiwan Limited                                    1.01%
11               AS36351      SoftLayer Technologies Inc.                                    0.97%
12               AS26347      New Dream Network, LLC                                         0.95%
13               AS26496      GoDaddy.com, Inc.                                              0.95%
14               AS3269       TELECOM ITALIA                                                 0.86%
15               AS209        Qwest Communications Company, LLC                              0.82%
16               AS3356       Level 3 Communications                                         0.63%
17               AS20940      Akamai Technologies European AS                                0.62%
18               AS15169      Google Inc.                                                    0.53%
19               AS16276      OVH                                                            0.50%
20               AS32244      Liquid Web, Inc.                                               0.48%
21               AS3215       France Telecom - Orange                                        0.43%
22               AS12322      PROXAD AS for Proxad/Free ISP                                  0.41%
23               AS3549       Global Crossing Ltd.                                           0.33%
24               AS22822      Limelight Networks, Inc.                                       0.33%
25               AS7482       Asia Pacific On-line Service Inc.                               0.27%
Geography

The majority of requested web content resides on servers located in the United States. With the exception of a spike in October and part of November for content located in Taiwan, traffic not destined for US-based web sites was fairly evenly distributed across servers located primarily in a variety of countries in Europe and Asia.

[Chart: Top 10 Destinations By Country Q4 2009, one bar per month (October, November, December); the values are those in the table below]

       Country                        October             November              December
United States                            35.73%               44.42%                55.74%
Taiwan                                   34.22%               10.41%                 3.15%
Germany                                   2.76%                4.36%                 4.32%
France                                    1.82%                5.27%                 2.84%
United Kingdom                            2.21%                3.42%                 3.83%
China                                     2.01%                2.70%                 2.66%
Canada                                    1.97%                2.54%                 2.71%
Italy                                     2.55%                1.63%                 0.87%
Russian Federation                        1.42%                2.09%                 1.83%
Japan                                     1.64%                1.65%                 1.61%
[Chart: Top 10 Destinations By Region Q4 2009, one bar per month (October, November, December); the values are those in the table below]

Region                      October            November              December
Taipei                       30.14%               9.10%                 2.67%
California                    6.94%               7.23%                 8.87%
Texas                         4.87%               6.40%                 8.33%
Massachusetts                 1.98%               2.71%                 3.61%
Pennsylvania                  1.55%               2.06%                 2.62%
Arizona                       1.53%               2.00%                 2.65%
New York                      1.41%               1.92%                 2.17%
Illinois                      1.30%               1.71%                 2.15%
Taiwan                        3.26%               1.04%
Florida                       1.25%               1.64%                 2.08%

From a regional perspective, Taipei hosted much of the Taiwanese based content which accounted for the surge in October and November. As for US traffic, both California and Texas account for the bulk of content, with the remainder tending to be located on the East Coast.

[Chart: Top 10 Destinations By City Q4 2009, one bar per month (October, November, December); the values are those in the table below]

     City        October     November     December
Taipei              30.14%        9.10%       2.67%
Houston              1.87%        2.48%       3.21%
Cambridge            1.41%        1.98%       2.79%
San Antonio          1.08%        1.40%       1.85%
Dallas               0.98%        1.30%       1.73%
Scottsdale           0.75%        1.00%       1.34%
Englewood            0.77%        0.97%       1.30%
Seattle              0.71%        0.91%       1.17%
Moscow               0.71%        0.99%       0.93%
Brea                 0.66%        0.83%       1.12%
File Types

Many assume that web traffic is dominated by HTML content. While that may have been true a decade ago, the media rich, dynamic web applications available today are filled with images, formatting elements, data and active content. For the 4th quarter JPEG (28.74%) and GIF (28.68%) images alone accounted for more than half of the total number of transactions. This is a testament to the visual nature of the web. JavaScript, the ‘work horse’ of modern, user-friendly web applications was responsible for only 3.95% of transactions. HTML files fell just outside of the top 10 and drove 0.57% of traffic.

Top 10 File Types Q4 2009

     File Type     Percentage
jpeg                   28.74%
gif                    28.68%
gz                     24.40%
png                     6.25%
js                      3.95%
css                     1.82%
swf                     1.14%
xml                     0.72%
txt                     0.66%
jpg                     0.57%

Request Method

   Method     Transactions    Request Size    Response Size
INVALID              0.04%           0.24%               0%
GET                 86.58%          83.46%           96.29%
POST                 7.18%          15.16%            3.67%
HEAD                 0.14%           0.07%               0%
MOVE                    0%              0%               0%
CONNECT              6.04%           1.05%            0.02%

Predictably, GET requests account for the majority of traffic. Generally speaking, GET and POST requests are the most often-used communication methods employed by web applications, the difference being that a GET request passes request variables within the URL itself while POST requests pass variables as a portion of the request header. Each approach has advantages and disadvantages, but given size limitations for GET requests, the POST method tends to be reserved for situations such as filling out a web form, when more substantial amounts of data need to be transmitted, while GET requests are leveraged for general web page rendering. It is, however, interesting to note the percentages of overall traffic related to request and response size. Even though POST requests accounted for only 7.18% of transactions during the quarter, such requests (given their use in uploading content) were responsible for more than twice as much (15.16%) of total outbound web traffic. HTTP CONNECT requests by contrast have the opposite effect. Such requests are used to initiate traffic on an alternate port; as such the requests are limited in size.


Response Code

Top 10 Response Codes Q4 2009

        Response Code           Percentage
200 - OK                            78.98%
304 - Not Modified                   8.94%
302 - Found                          3.22%
307 - Temporary Redirect             2.23%
Invalid                              2.00%
404 - Not Found                      1.35%
204 - No Content                     0.98%
403 - Forbidden                      0.80%
301 - Moved Permanently              0.60%
206 - Partial Content                0.28%

Just over 4 out of 5 requests (80.29%) returned a 200 level (success) code, representing that the content had been delivered and no further action was required. 300 level (redirection) codes, indicating additional action required by the requesting browser, overall accounted for 15% of traffic. Client errors (400) were relatively rare at 2.49%, but not as rare as server errors (500), which occurred only 0.11% of the time.

Web Browser Statistics

Browser Version

[Chart: Browser Market Share By Month Q4 2009, grouped by browser (IE, Firefox, Safari, Opera, Chrome, Unknown, Other) for October, November and December; the values are those in the table at the end of this section]

While Internet Explorer clearly continues to dominate, we are witnessing a slow but steady decline in overall market share. Regardless, other browser vendors have a long way to go before they will surpass the long standing market leader. We saw a greater than 6% jump in market share for Firefox during the month of December. However, this can be largely attributed to improved detection methods as opposed to an unexpected surge in traffic. You will note that Unknown traffic declined a similar amount during the same time period. Unknown traffic accounts for a reasonable amount of traffic, as today the majority of desktop applications communicate via HTTP/HTTPS for a variety of reasons including the retrieval of additional content, providing online support, downloading patches and submitting error reports. Safari, Opera and Chrome combined continue to account for less than two percent of the traffic that we’re seeing. It will be interesting to watch Chrome in the coming months as Google is starting to leverage its reach to promote the browser.

[Chart: Internet Explorer Breakdown Q4 2009, pie chart with segments IE 6.0, IE 7.0, IE 8.0 and IE Other; the percentages shown are 48%, 46%, 5% and 1%]

The breakdown of Internet Explorer traffic for the quarter is particularly concerning. The majority of enterprises continue to maintain Internet Explorer 6.x as their browser of choice. While IE 6 continues to be supported by Microsoft, meaning that patches are deployed for any known vulnerabilities, it lacks numerous security features present in IE 7 and 8. IE 6 does not maintain malicious URL and phishing block lists, a feature that is now commonplace in all major browsers and is even making its way into mobile browsers. Additionally, IE 6 lacks protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), two features which increase the complexity of executing shellcode should a remote browser exploit be uncovered. During the Operation Aurora attack, when Google, Adobe and other high profile enterprises were allegedly infiltrated by Chinese attackers, the attacks only targeted IE6. While IE 7 & 8 were vulnerable to the same attack vector, reliable exploit code had not been produced for these versions of the browser due to additional protections such as DEP and ASLR. IE 8 also added a critical feature which has now been adopted by Chrome - the inclusion of cross-site scripting protection, yet another feature that IE 6 lacks. It is vital that enterprises move away from IE 6, even though it continues to be supported by Microsoft, and adopt IE 8 to take advantage of numerous security enhancements. Google has indirectly taken an important step toward forcing this change by dropping support for Google Docs and Google Sites in IE 6, starting in March 2010.

Browser                                               October                      November                         December
Internet Explorer                                      75.31%                        73.77%                           72.21%
Firefox                                                 8.44%                         8.87%                           15.32%
Safari                                                  1.41%                         1.38%                            1.39%
Opera                                                   0.02%                         0.06%                            0.09%
Chrome                                                  0.06%                         0.02%                            0.03%
Unknown                                                13.04%                        14.18%                            9.33%
Other                                                   1.72%                         1.72%                            1.63%
Total                                                 100.00%                       100.00%                          100.00%
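The market-share table depends on classifying User-Agent strings, and the text above attributes December's Firefox jump to improved detection. As an added example (not the report's or Zscaler's code), the following classifier sorts constructed User-Agent strings into the report's browser families, shows why test order matters (Chrome embeds "Safari", older Opera builds embed "MSIE"), and lists the genuine IE 6 sessions an enterprise would target for upgrade; the matching rules and the Other/Unknown distinction are assumptions:

```python
"""Added example, not code from the Zscaler report: classify User-Agent
strings into the browser families the report tabulates and flag genuine
Internet Explorer 6 sessions.  Sample strings, matching rules and the
Other/Unknown distinction are all assumptions."""
import re
from collections import Counter

# Constructed sample User-Agent strings (not taken from the report's data).
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) "
    "Gecko/20091102 Firefox/3.5.5",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 "
    "(KHTML, like Gecko) Chrome/4.0.249.0 Safari/532.5",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) "
    "AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10",
    "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10",
    # Older Opera builds announced themselves as MSIE 6.0: a naive
    # 'MSIE' match would count this as IE 6.
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.50",
    "Microsoft BITS/7.5",      # a background update client, not a browser
    "",                        # request with no User-Agent header at all
]


def classify(ua):
    """Return (family, major version or None) for one User-Agent string."""
    if not ua or not ua.strip():
        return ("Unknown", None)
    # Opera may embed 'MSIE' and 'Mozilla', so it must be tested first.
    if "Opera" in ua:
        m = re.search(r"Version/(\d+)", ua) or re.search(r"Opera[ /](\d+)", ua)
        return ("Opera", int(m.group(1)) if m else None)
    # Chrome's string also contains 'Safari', so Chrome is tested before it.
    m = re.search(r"Chrome/(\d+)", ua)
    if m:
        return ("Chrome", int(m.group(1)))
    m = re.search(r"Firefox/(\d+)", ua)
    if m:
        return ("Firefox", int(m.group(1)))
    if "Safari" in ua:
        m = re.search(r"Version/(\d+)", ua)
        return ("Safari", int(m.group(1)) if m else None)
    m = re.search(r"MSIE (\d+)\.", ua)
    if m:
        return ("Internet Explorer", int(m.group(1)))
    # Assumption: a Mozilla-shaped string we do not recognise is 'Other';
    # anything else (update agents, installers) is 'Unknown'.
    return ("Other", None) if ua.startswith("Mozilla/") else ("Unknown", None)


def market_share(uas):
    """Percentage of requests per browser family, as in the report's table."""
    counts = Counter(classify(ua)[0] for ua in uas)
    total = sum(counts.values())
    return {family: round(100.0 * n / total, 2) for family, n in counts.items()}


def legacy_ie(uas, min_major=7):
    """User-Agents that are genuine Internet Explorer below min_major; the
    spoofed Opera string above is correctly left out."""
    flagged = []
    for ua in uas:
        family, major = classify(ua)
        if family == "Internet Explorer" and major is not None and major < min_major:
            flagged.append(ua)
    return flagged


if __name__ == "__main__":
    for family, pct in sorted(market_share(SAMPLE_UAS).items()):
        print(f"{family:<18} {pct:6.2f}%")
    print("IE 6 sessions to upgrade:", len(legacy_ie(SAMPLE_UAS)))
```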
User Statistics

Attackers are no longer targeting web and email servers. Instead, they are focusing on the weakest link in the security chain - end users. Whether such attacks leverage technical vulnerabilities, or more likely, social engineering attacks, web based, client-side attacks are the most common way to compromise end user machines. As such it’s vital for enterprises to understand user behavior on the web.

URL Categorization

Given the corporate focus of Zscaler clients it isn’t surprising that categories such as Professional Services and Corporate Marketing would top the list. More interesting are the high placements of personal traffic such as Shopping, Sports, Entertainment and Games. In fact, the majority of sites beyond the top 10 are personal in nature. Overall, approximately 1/5 of traffic could be deemed to be personal in nature. While Zscaler delivers an enterprise offering, it is not uncommon for employees to leverage corporate assets after work hours for personal purposes and as such, some of this traffic was likely generated outside of work hours.

Below we break down a select number of individual categories to reveal the top 10 domains within each.

Search Engines

Top Search Engines

   Search Engine    Percentage
Google                     57%
Yahoo!                     18%
Microsoft                  10%
Other                      15%

The search engine game remains a three horse race, with Google continuing to dominate the majority of traffic. After the big three, contenders are hard to find. Disney’s Go.com, which is actually powered by Yahoo!, sat in 4th place at 1.22% and Baidu, a powerhouse in the Chinese market, handled 1.00% of web search traffic for Q4 2009.

Social Networking

Top Social Networking Sites Q4 2009

   Site        Percentage
Facebook              74%
MySpace               15%
Other                 11%

The dominance of Facebook in the social networking realm is clear. Three quarters of all social networking traffic traversing the Zscaler network is destined for Facebook. MySpace has solid control of second place with 15% of traffic, but the gap between first and second place is enormous and only appears to be getting larger.

It is also interesting to consider that the majority of traffic in these statistics is corporate traffic. While a portion of requests are no doubt personal in nature, this also suggests that Facebook is becoming a social platform of choice for enterprises. More and more, corporations are attempting to leverage social networks for marketing, recruiting and investigating potential new hires.

File Sharing

Top File Sharing Domains

     Domain        Percentage
siambit.com            37.49%
filestube.com          25.31%
tb.in.th               12.98%
sftcdn.net              9.68%
iptorrents.com          3.06%
limewire.com            2.95%
Other                   1.98%
seedpeer.com            1.07%

Si@mBIT, a Thailand based web hosting provider describing itself as “the best Thailand Bittorrent website since 2005”, led statistics for the quarter with 37.49% of all file sharing traffic. The third largest domain, tb.in.th, is also controlled by Si@mBIT and commanded 12.98% of traffic, giving Si@mBIT approximately half of the traffic for the quarter. FilesTube, a search engine dedicated to file downloads, had 25.31% of traffic.

Government

Top 10 Government Domains
  usps.com        16.20%
  nraila.org       5.14%
  weather.gov      3.60%
  uspto.gov        2.25%
  www.sec.gov      1.73%
  state.fl.us      1.47%
  fema.gov         1.38%
  www.irs.gov      1.36%
  michigan.gov     1.12%
  military.com     1.03%

Q4 means that Christmas is on the way, and it would appear that the United States Postal Service (USPS) was a popular destination for holiday shoppers looking to determine if their gifts would arrive on time. USPS accounted for 16.20% of government related traffic during the quarter.

Retail

Top 10 Shopping Sites
  Amazon            3.63%
  ShopLocal.com     2.90%
  Macy's            2.59%
  Shop.com          2.55%
  Overstock         1.88%
  JC Penney         1.87%
  Target            1.52%
  Costco            1.27%
  Barnes & Noble    1.10%
  QVC               1.10%

Q4 is of course the peak online shopping season, a time when retailers look to make the majority of their profit for the year. If web traffic is any indication, Amazon was the big winner, having claimed 3.63% of total retail traffic. ShopLocal, which took the number two spot, is not a retailer itself but rather a site which republishes flyers for local stores to allow users to find deals specific to their geographic area. The company makes money through advertising on the site.

Security Statistics

Threats

Next, we'll break down the various threats that we see on a daily basis. These results are based on actual end user traffic and therefore reflect popular and active malicious sites, as opposed to sites that may exist but are not visited.

Malware By IP Address

Top 10 Malware IP Addresses
  38.99.186.14      38.63%
  208.71.120.24     25.68%
  208.71.121.24     13.41%
  124.153.77.48      5.52%
  217.23.7.7         2.73%
  64.14.29.50        1.32%
  216.86.150.237     1.01%
  208.76.70.56       1.00%
  74.125.19.83       0.91%
  74.125.19.18       0.88%

Worms, viruses, Trojans and other forms of malware can be found just about everywhere on the web today. However, malicious content is not necessarily hosted at sites that are themselves malicious. More and more, we're seeing otherwise legitimate sites hosting malware without being aware of it. This is an increasing concern given the trend toward permitting user supplied content to be shared. Unfortunately, many sites are doing little to ensure that the hosted content is not malicious before it is stored for others to access.

Malware by Country

Sites hosted in the United States overwhelmingly hosted the majority of malware, and for this reason we have broken them out separately. 80.32% of malware seen during Q4 2009 originated from US based servers. This should not, however, be interpreted as US-based traffic being particularly risky; rather, it's more of a reflection of the fact that the majority of traffic inspected was destined for servers located in the US. This can be seen in the Geography section of this paper.

Top Countries Serving Malware
  United States    80%
  Other            20%

Top 10 Countries Serving Malware (US Excluded)
[Pie chart. Legend: Netherlands, India, Germany, China, Cyprus, Russian Federation, United Kingdom, Canada, Korea (Republic of), France. Slice values as extracted: 25%, 20%, 14%, 11%, 6%, 6%, 6%, 5%, 5%, 3%; the mapping of slices to countries is not recoverable from this extraction.]

Phishing

Top 10 Phishing IP Addresses
  208.43.210.147     70.83%
  219.232.243.74      7.21%
  219.232.243.65      1.91%
  219.232.243.91      1.64%
  219.232.243.75      1.47%
  219.232.243.15      0.84%
  219.232.243.90      0.61%
  219.232.241.178     0.57%
  219.232.243.87      0.55%
  174.143.29.2        0.50%

The top phishing site blocked was coolxd.com - this accounted for roughly 70% of the quarter's phishing numbers. The site itself was recently removed from the Internet. This scam site is effectively the same as the heyxd.com, omgxd.com, and imnotez.com sites. These sites steal your email/instant messenger credentials (username/password), and then notify the people on your contact list to check out the site. Advertisements, fraud, and/or malware are then spammed to and through victim accounts. The sites advertised the ability to provide a service which enables users to IM pictures and other content to share directly to a forum.

Malicious Domains

Top 10 Malicious Domains
  adfarm.mediaplex.com       24.01%
  link4you.3322.org          17.41%
  www.tns-counter.ru         13.33%
  www.winifixer.com           4.06%
  www.freegaming.de           2.96%
  dt.tongji.linezing.com      2.25%
  img.12chan.org              1.72%
  nspmotion.com               1.14%
  acs86.com                   0.69%
  stork27.dropbox.com         0.66%

Three domains accounted for roughly 55% of the malicious URL transactions:
• adfarm.mediaplex.com
• link4you.3322.org
• www.tns-counter.ru

adfarm.mediaplex.com has been reported to be involved in spam, adware/spyware, phishing/scams, and browser exploits [5]. The Mediaplex website details how the company "provides cross-channel advertising technology solutions and services that enable marketers to achieve one-to-one messaging, greater efficiencies and a competitive edge through insightful reporting and analytics" [6]. 3322.org is a DynDNS provided domain that has served malware and exploit content for some time [7]. tns-counter.ru is also known for serving adware/spyware/malware [8].

Top Malicious Domains By Country
[Pie chart. Legend: United States, Canada, Russian Federation, China, Germany, Netherlands, Other. United States 44% and Canada 19% together make up the 63% for North America cited below; the remaining slices as extracted are 17%, 6%, 6%, 5% and 3%, and their mapping to Russian Federation, China, Germany, Netherlands and Other is not recoverable from this extraction.]

The majority of malicious sites are hosted in the US, with a full 63% of sites residing in North America. This is, however, more a reflection of where content in general resides, as opposed to North American content representing a higher overall risk.

5   http://www.siteadvisor.com/sites/mediaplex.com/summary/
6   http://www.mediaplex.com/about.shtml
7   http://isc.sans.org/diary.html?storyid=5710
8   http://www.siteadvisor.com/sites/tns-counter.ru/summary/
Anonymizers

Top 10 Anonymizers
  kproxy.com           30.51%
  proxyswitcher.com    20.17%
  freeproxylist.org     8.03%
  archive.org           5.36%
  freeproxy.ru          3.12%
  privacy-world.com     1.83%
  helllabs.net          1.76%
  66.232.118.93         1.66%
  proxybridge.com       1.57%
  ktunnel.com           1.39%

Over 30% of our anonymizer traffic was to kproxy.com. One of the features that Zscaler provides to customers is policy based blocking based on page categorization, so customers have the ability to block users from browsing to/through proxy sites. kproxy.com provides a simple interface, not unlike Google's, to browse through, with SSL encryption as an additional capability. Among the popular sites that kproxy advertises it works with are MySpace, Facebook, Gmail, YouTube, and MegaUpload - all sites that may be blocked by company policies as they are not work related. In other words, users are generally using these services to get around corporate policies and URL filtering rules, as opposed to using them to cloak their IP address from an external source.

Botnets

Top 10 Botnet IPs/Domains
  91.212.65.13       44.11%
  66.235.175.5       15.67%
  77.221.133.227      9.80%
  88.80.7.152         8.39%
  88.80.5.3           7.05%
  77.221.133.189      5.74%
  208.99.193.130      3.18%
  meu89.net           1.91%
  194.68.45.50        1.63%
  69.61.21.115        0.28%

Generally speaking, correlating the malicious artifacts to the top botnet hosts enables us to describe which malware campaigns were the most successful. The breakdown is as follows, and should not be a surprise to the security community for HTTP based botnets:

1. Zeus/Zbot variants
2. Fake Anti-Virus variants
3. Banker Trojan variants.

The top command and control IP address seen, 91.212.65.13, is based out of the Ukraine and serviced both Zeus and FakeAV infections. The whois information for this host shows it belonging to the Eurohost/UralComp IP blocks. FireEye has a good write-up of this "bad actor" from almost a year ago [9], and malwaredomainlist, an archive of malicious web domains, has plenty of content for these IP blocks [10].

While Ukrainian and Russian IPs make up a large number of the botnet C&C servers, it was a little surprising to see that Sweden had a number of C&Cs in the top 25:
• 88.80.7.152
• 88.80.5.3
• 88.80.5.172
• 80.88.108.18

Further analysis of some of the Swedish hosts shows them belonging to PRQ (http://www.prq.se), a co-location and hosting provider. Their homepage states that they are known for their "boundless commitment to free speech" and "discrete customer relations policy". They also have an icon on their website that states, "data retention is no solution", suggesting minimal/no logging. In other words, this hosting service would be ideal for hosting malicious sites and remaining protected from investigations / takedowns.

Traffic

Last, but not least, we'll investigate traffic patterns which would not be expected without the presence of errors or malicious content.

Bogon IP Space

Top 10 Bogon IP Addresses
  1.1.1.1         7.74%
  127.0.0.0       6.60%
  198.18.1.18     5.35%
  1.2.3.4         4.34%
  0.0.0.2         2.99%
  0.0.0.5         2.62%
  198.18.1.15     2.60%
  0.0.0.8         2.57%
  198.18.1.2      2.20%
  0.0.0.1         2.20%

Bogon (aka darknet) IP addresses represent non-routable IP blocks, either because they are reserved (for example RFC1918) or because they are unallocated. Occasionally, we see web requests to bogon IPs - usually this is to RFC1918 addresses (internal IP addresses), and the requests have leaked into the cloud because of a routing misconfiguration on the customer's network. However, there are also several occurrences of web requests to non-RFC1918 bogons. This traffic is of interest as it represents either human error or an infected machine that is randomly scanning IP address blocks looking for vulnerable hosts.

Top 10 Bogon IP Address Blocks
  127.0.0.0/24         6.60%
  1.2.3.0/24           4.34%
  0.0.0.0/24           2.62%
  50.0.0.0/24          2.04%
  169.254.1.0/24       1.11%
  169.254.178.0/24     0.56%
  169.254.200.0/24     0.53%
  169.254.8.0/24       0.37%
  198.18.189.0/24      0.37%
  0.1.0.0/24           0.34%

Some of the bogon traffic can be explained as follows:
• The 1.1.1.1 and 127.0.0.0/8 and 1.2.3.0/24 subnets are likely some sort of test scripts that folks are running.
• The 169.254.0.0/16 addresses are part of the Automatic Private Addressing (APIPA) of hosts when DHCP fails.

The 50.0.0.0/24 IP block is interesting, though yet unexplained. Googling for it shows that it is an IANA reserved block, and it shows up in some OSPF routing templates. It's possible that this block is a commonly used reserve block in some intra-organization routing. However, the only IP address that was hit in this block was 50.0.0.82, which is interesting. It is possible that there was a mistake in a script or routing statement.

9   http://blog.fireeye.com/research/2009/03/bad-actors-part-6-eurohost-llc.html
10   http://www.malwaredomainlist.com/forums/index.php?board=23.0
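The bogon classification above, worked through as an added example that is not Zscaler's code: it walks constructed proxy log lines, labels each IP-literal destination with the explanation the report gives for that class of bogon (RFC1918 leak, loopback/placeholder test scripts, APIPA, unallocated space), and aggregates hits by address and by /24 block as the two tables do. The log format, the sample lines and the 2009-era unallocated block list are assumptions.

```python
"""Classify web requests to bogon destinations and aggregate them by host,
by /24 block and by likely cause.  Added example; the proxy log format and
sample lines are constructed, and the unallocated list is the report's
Q4 2009 view, not the current IANA state."""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Special-use ranges that are never valid public destinations, each paired
# with the explanation the report offers for hits in that class.
RESERVED = [
    ("rfc1918", "internal request leaked to the proxy: routing misconfiguration",
     ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    ("loopback", "likely a test script hitting 127.0.0.0/8", ["127.0.0.0/8"]),
    ("apipa", "host fell back to link-local addressing after DHCP failed",
     ["169.254.0.0/16"]),
    ("benchmark", "RFC 2544 benchmarking range, never routed publicly",
     ["198.18.0.0/15"]),
    ("this-net", "0.0.0.0/8 'this network' address, invalid as a destination",
     ["0.0.0.0/8"]),
]
# Placeholder-looking addresses the report attributes to test scripts.
TEST_PATTERNS = ["1.1.1.1/32", "1.2.3.0/24"]
# Blocks unallocated by IANA in Q4 2009 that appear in the report's tables.
# Constructed from the report: 1.0.0.0/8 and 50.0.0.0/8 have since been
# allocated, so this list must not be reused as a current bogon feed.
UNALLOCATED_2009 = ["1.0.0.0/8", "50.0.0.0/8"]

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2009-12-02T10:15:31Z 10.20.30.40 GET http://1.1.1.1/ 503
2009-12-02T10:15:32Z 10.20.30.40 GET http://1.1.1.1/ping 503
2009-12-02T10:16:05Z 10.20.30.41 GET http://127.0.0.1:8080/ 503
2009-12-02T10:16:09Z 10.20.30.41 GET http://192.168.1.10/intranet/ 503
2009-12-02T10:17:44Z 10.20.30.42 GET http://169.254.1.7/ 503
2009-12-02T10:18:01Z 10.20.30.43 GET http://198.18.1.18/x.php 503
2009-12-02T10:18:02Z 10.20.30.43 GET http://50.0.0.82/ 503
2009-12-02T10:18:03Z 10.20.30.43 GET http://1.2.3.4/ 503
2009-12-02T10:19:00Z 10.20.30.44 GET http://www.example.com/ 200
2009-12-02T10:19:01Z 10.20.30.44 GET http://8.8.8.8/ 200
"""


def _in_any(ip, nets):
    return any(ip in ipaddress.ip_network(n) for n in nets)


def classify(ip):
    """Return (label, explanation) for an IPv4 destination (str or
    IPv4Address), or None if it is not a bogon under the rules above."""
    ip = ipaddress.ip_address(ip)
    for label, why, nets in RESERVED:
        if _in_any(ip, nets):
            return label, why
    if _in_any(ip, TEST_PATTERNS):
        return "test-script", "placeholder address, probably a test script"
    if _in_any(ip, UNALLOCATED_2009):
        return "unallocated", "human error or an infected host scanning address space"
    return None


def parse_dest_ip(line):
    """Return the destination IP literal of a log line, or None when the URL
    host is a DNS name (bogon checks apply to IP-literal requests only)."""
    parts = line.split()
    if len(parts) < 5:
        return None
    host = urlsplit(parts[3]).hostname
    try:
        return ipaddress.ip_address(host) if host else None
    except ValueError:
        return None


def bogon_report(lines):
    """Aggregate bogon hits three ways; shares are percentages of all bogon
    hits, rounded to two decimals like the report's tables."""
    by_host, by_block, by_class = Counter(), Counter(), Counter()
    for line in lines:
        ip = parse_dest_ip(line)
        if ip is None or ip.version != 4:
            continue
        hit = classify(ip)
        if hit is None:
            continue
        by_host[str(ip)] += 1
        by_block[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
        by_class[hit[0]] += 1
    total = sum(by_host.values())

    def share(counter):
        return {k: round(100.0 * v / total, 2) for k, v in counter.items()} if total else {}

    return {"total": total, "by_host": share(by_host),
            "by_block": share(by_block), "by_class": share(by_class)}


if __name__ == "__main__":
    report = bogon_report(SAMPLE_LOG.splitlines())
    for table in ("by_host", "by_block", "by_class"):
        print(table)
        for key, pct in sorted(report[table].items(), key=lambda kv: -kv[1]):
            print(f"  {key:20} {pct:6.2f}%")
```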
Conclusion

Understanding web traffic is critical for enterprises seeking to manage and secure their networks. Traffic is converging on the web at a rapid pace. A decade ago we leveraged firewalls to manage traffic on networks and determine which users could access which resources. Today, traffic is not neatly segregated into buckets based on protocols. Regardless of the traffic that we're dealing with, be it email, instant messaging, P2P, streaming media, etc., it has the ability to be tunneled through HTTP/HTTPS.

At the same time, attackers have shifted their focus to target end users. Some attackers take a shotgun approach by striking far and wide without concern for who the ultimate victims may be. This is the approach leveraged by those who build botnets. They seek infected machines and they do not discriminate. On the other side of the coin, Advanced Persistent Threats [11] are emerging on the radars of CISOs as the media highlights the sophistication of attacks on corporations, such as those highlighted in the Operation Aurora attacks which targeted Google, Adobe and others. Regardless of the approach, the majority of such attacks now leverage the web as the transport medium.

Understanding the behaviors of end users, content providers and attackers on the web can help us to better manage and secure networks. We hope that you enjoyed this, our first quarterly State of the Web report.

11   http://www.zscaler.com/apt.html
Appendix

TLD Breakdown

Monthly Summary – Top TLDs Visited
Note: Pink shows larger fluctuations than yellow, and green shows no fluctuation
               Monthly Summary – Top TLDs by Transactions
  Popularity     October 2009      November 2009       December 2009

      1              COM                COM                 COM
      2              NET                NET                 NET
      3              ORG                ORG                 ORG
      4               AU                 AU                 AU
      5               IN                 UK                 TV
      6               TV                 IN                 ZA
      7               UK                 TV                  IN
      8               FR                 DE                 UK
      9               PE                 PE                 DE
     10              GOV                 FR                 GOV
     11              EDU                 ZA                 EDU
     12               DE                GOV                 RU
     13               RU                 NU                 FR
     14               US                EDU                 US
     15               NU                 RU                 PE
     16               IT                 IT                 CN
     17               AR                 US                  IT
     18              MX                  MX                 CA
     19               CA                 CN                 SG
     20              INFO                AR                 MX
     21               CO                 CA                 INFO
     22               BR                 IE                 NU
     23               CN                INFO                AR
     24               ES                 TH                 PL
     25               FM                 ES                 FM
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009
Stateoftheweb q4-2009

Stateoftheweb q4-2009

  • 1. State  of  the  Web  -­‐  Q4  2009 A  View  of  the  Web  From  an  End  User’s  Perspec:ve Zscaler  Labs Abstract Attackers  are  no  longer  targeting  web  and  email  servers.  Today,  they  are  attacking   enterprises  from  the  inside  out,  by  <irst  compromising  end  user  systems  and  then   leveraging  them  to  gain  access  to  con<idential  data.  As  such  it  is  imperative  that   organizations  have  an  understanding  of  what  is  happening  on  the  web.  As  a   Security-­‐as-­‐a-­‐Service  vendor,  Zscaler  has  a  unique  perspective  on  web  traf<ic.  With   millions  of  end  users  traversing  the  web  through  Zscaler’s  global  network  of  web   gateways,  we  are  able  to  better  understand  both  how  users  are  interacting  with   web  based  resources  and  how  attackers  may  be  targeting  end  users.  In  this,  our   <irst  quarterly  ‘State  of  the  Web’  report,  we  provide  a  window  into  the  web  from  an   end  user’s  perspective.
  • 2. Table  of  Contents Overview  .....................................................................................................................................3 Web  Traf/ic  Statistics  ..............................................................................................................3 Web  Server  Statistics  .......................................................................................................................3 TLDs  by  Unique  Domain  Visited  ...............................................................................................................4 TLDs  by  Total  Transactions   .........................................................................................................................6 Transaction  to  Domain  Ratio  .....................................................................................................................6 Top  Domains  Visited  ......................................................................................................................................8 CIDR  Block  Distribution  ...............................................................................................................................9 ASN  Distribution  ...........................................................................................................................................11 Geography   ........................................................................................................................................................12 File  Types  .........................................................................................................................................................15 Request  Method  ............................................................................................................................................15 Response  Code  
...............................................................................................................................................16 Web  Browser  Statistics   ..................................................................................................................17 Browser  Version   ............................................................................................................................................17 User  Statistics  ..................................................................................................................................19 URL  Categorization  ......................................................................................................................................19 Search  Engines  ...............................................................................................................................................19 Social  networking  .........................................................................................................................................20 File  Sharing  ......................................................................................................................................................20 Government  ....................................................................................................................................................21 Retail  ..................................................................................................................................................................21 Security  Statistics  ..................................................................................................................22 Threats  ...............................................................................................................................................22 Malware  By  IP  Address  
..............................................................................................................................22 Malware  by  Country  ....................................................................................................................................22 Phishing  ............................................................................................................................................................23 Malicious  Domains  .......................................................................................................................................24 Anonymizers  ...................................................................................................................................................25 Botnets  ..............................................................................................................................................................25 Traf/ic  ..................................................................................................................................................26 Bogon  IP  space  ...............................................................................................................................................26 Conclusion  ................................................................................................................................28 Appendix  ..................................................................................................................................29 TLD  Breakdown  ..............................................................................................................................29 Monthly  Summary  –  Top  TLDs  Visited  ................................................................................................29 Monthly  Summary  -­‐  Unique  Domains  Per  TLD  ................................................................................30 Categorization  Breakdown  
..........................................................................................................31 .COM  Breakdown  by  Category  ................................................................................................................31 .NET  Breakdown  by  Category  .................................................................................................................34 .ORG  Breakdown  by  Category  .................................................................................................................37 .INFO  Breakdown  by  Category  ................................................................................................................40 Top  Search  Queries  .........................................................................................................................49
  • 3. Overview Our  goal  in  producing  this  report  is  to  better  understand  traf<ic  on  the  web  today.   Security  and  IT  teams  across  organizations  are  tasked  with  managing  the  traf<ic  of   end  users  on  their  networks.  That  can  involve  restricting  access  for  various  business   purposes  and  protecting  end  users  from  external  threats.  This  is  a  tall  order  given   the  increasing  ease  of  access  to  web  based  services  that  often  permit  users  to  bypass   traditional  controls  -­‐  whether  accessing  corporate  resources  from  personal  devices   such  as  smart  phones  or  setting  up  applications  by  leveraging  cloud  based   resources. Zscaler  is  in  a  unique  position  to  observe  trends  in  web  traf<ic.  As  a  Security-­‐as-­‐a-­‐ Services  vendor,  Zscaler’s  network  of  web  gateways  continually  inspects  traf<ic  for   millions  of  end  users  around  the  globe.   There  are  a  number  of  great  reports  available  today  from  a  variety  of  organizations   to  help  us  better  understand  web  traf<ic.  However,  the  majority  of  such  reports  tend   to  focus  on  the  server  side  of  the  equation.  They  tend  to  look  at  the  technology  that   has  been  deployed  to  deliver  web  content  and  associated  security  issues  in  web   applications.  We  feel  that  there  is  a  need  to  better  understand  the  client  side  of  the   equation  -­‐  what  are  end  users  doing  on  the  web  and  how  are  attackers  targeting   them?  The  latter  part  of  this  question  is  especially  important  as  attackers  have   clearly  shifted  away  from  attacking  web  and  email  servers  to  targeting  end  users.   They  understand  that  end  user  systems  tend  to  represent  the  weakest  link  in  the   security  chain  and  they  are  exploiting  that  weakness  with  increasing  ef<iciency.  
We   can  better  defend  against  such  attacks  by  better  understanding  exactly  what  is   occurring  on  the  web  and  it  is  our  hope  that  this  report  will  help  to  shed  some  light   on  that  very  topic. Web  Traffic  Sta0s0cs Web  Server  Sta0s0cs Zscaler  customers  visited  several  million  web  servers  during  the  4th  quarter  of   2009.  One  interesting  technique  for  visualizing  the  IP  addresses  of  the  web  servers   visited  is  through  a  heatmap.  The  below  graphic  was  generated  from  the   Measurement  Factory  software1  and  “uses  a  12th-­‐order  Hilbert  curve2  to  represent   the  entire  IPv4  address  space”.  In  the  graphic  below,  IP  addresses  visited  are   represented  by  white  pixels,  while  addresses  not  visited  are  displayed  as  black   pixels.  Non-­‐routable  or  reserved  space  is  identi<ied  in  gray  and  where  appropriate,   we  have  indicated  what  that  space  is  used  for.  It’s  a  fascinating  view  which  exposes   just  how  vast  the  Internet  truly  is.  Even  when  analyzing  traf<ic  from  millions  of  users   1 http://maps.measurement-factory.com/software/ipv4-heatmap.1.html 2A Hilbert Curve is a space filling curve that visits every point in a grid (in our case a 2^12 x 2^12 grid).
  • 4. over  the  course  of  three  months,  it  can  be  seen  that  much  of  the  Internet  remains   untouched. Hilbert  Curve  -­‐  All  Q4  2009  traffic  by  IP  address TLDs  by  Unique  Domain  Visited .com,  .org,  and  .net  top-­‐level  domains  (TLDs)   consistently  made  up  the  bulk  of  the  unique   Other 10% domains  visited  each  month.  .com  traf<ic  made  up   org 80.11%  of  the  unique  domains  visited  during  the   4% net quarter.  .net  had  over  4.96%  and  .org  accounted  for   5% 4.45%.  The  chart  below  shows  the  next  10  largest   TLDs  that  make  up  about  80%  of  the  remaining   11%  of  the  unique  domains  visited  in  Q4  of  2009. com 80%
  • 5. Top 10 TLDs By Unique Domain Per Month (Excluding .com/.net/.org) 0% 0.50% 1.00% 1.50% 2.00% 1.25% ru 1.1% 1.50% 1.04% uk 1.5% 1.22% 1.03% au 1.3% 1.30% 1.23% edu 1.3% 1.11% 0.74% de 1.0% 1.07% 0.59% info 0.6% 0.63% 0.63% us 0.6% 0.57% 0.56% fr 0.6% 0.49% 0.63% in 0.5% 0.47% 0.39% ca 0.5% 0.44% October November December There  were  a  number  of  similarities  with  a  few  <luctuations  within  the  top  10  TLDs   with  unique  domains  visited  from  month-­‐to-­‐month: • .ru  was  the  4th  most  popular  TLD  by  unique  domain  visited  in  October  and   December,  however  it  dropped  to  the  7th  spot  in  November. • .au,  .uk,  and  .edu  make  up  the  5-­‐7  spots,  with  the  exception  of  November   when  .uk  beat  out  .ru  for  the  4th  spot. The  chart  below  shows  the  breakdown  of  TLDs  based  on  total  number  of   transactions  as  opposed  to  unique  domains.  This  view  would  favor  those  TLDs   hosting  popular  sites  which  receive  higher  volumes  of  overall  traf<ic.
  • 6. TLDs  by  Total  Transac0ons Top 10 TLDs By Transaction Per Month (Excluding .com/.net) 0% 0.50% 1.00% 1.50% 2.00% 1.57% org 1.54% 1.44% 0.66% au 0.97% 0.78% 0.62% in 0.38% 0.41% 0.36% tv 0.35% 0.55% 0.29% uk 0.44% 0.41% 0.16% de 0.23% 0.26% 0.22% gov 0.19% 0.25% 0.24% fr 0.21% 0.18% 0.21% edu 0.18% 0.20% 0.23% pe 0.22% 0.16% October November December Transac0on  to  Domain  Ra0o The  data  from  the  top  TLDs  by  unique  domain  and  top  TLDs  by  transaction  can  be   combined  to  <ind:   • The  TLDs  with  the  highest  ratio  of  transactions  to  domains  –  indicating  a   large  number  of  transactions  across  a  small  subset  of  domains.    In  other   words,  there  are  only  a  few  unique  domains  in  the  TLD  that  make  it  popular. • The  TLDs  with  the  lowest  ratio  of  transactions  to  domains  –  indicating  a   number  of  domains  among  which  the  transactions  are  spread  out.  In  other   words,  the  unique  domains  that  have  a  small  number  of  visits  or  transactions.  
  • 7. October November December Rank TLD Ratio TLD Ratio TLD Ratio 1 nu 5063 nu 8083 net 3737 2 net 3617 net 3428 nu 2824 3 ly 2140 ly 1792 ly 1699 4 tv 1719 tv 1568 tv 1692 5 pe 1326 id 1267 fm 1307 6 fm 1140 pe 1159 lan 1260 7 in 803 lan 1153 pe 1228 8 com 726 fm 968 com 799 9 it 707 ir 807 in 765 10 id 677 com 702 im 713 11 aero 676 it 678 pf 701 12 hn 662 in 655 it 633 13 tr 655 th 622 gov 592 14 au 520 au 584 th 587 15 su 500 tr 531 vn 546 16 im 483 gr 515 au 517 17 gov 480 dk 503 ir 485 18 ke 422 local 471 za 463 19 ph 409 hn 398 hn 461 20 ec 400 gov 392 tr 436 21 int 391 mx 389 mx 417 22 co 355 ke 374 sg 382 23 fr 341 io 368 ke 380 24 th 330 co 331 va 372 25 mx 315 ec 325 ec 368 Well  utilized,  generic  TLDs  (gTLD),  such  as  .com,  will  have  a  high  ratio  because   domains  like  Google,  Facebook,  Amazon,  Yahoo,  Microsoft,  MySpace,  Twitter,  etc.   contain  a  large  number  of  the  transactions  to  that  TLD.  This  is  however  offset  to  a   certain  extent  because  there  are  also  a  large  number  of  popular  domains  on  these   gTLDs  and  these  unique  domains  will  lower  the  ratio  somewhat,  though  it  remains   relatively  high  overall.  For  example,  October  –  December  2009  saw  .com  ratios  of   726:1,  702:1,  and  799:1  respectively. It  is  interesting  to  further  analyze  domain  results  for  less  popular  TLDs  and  those   that  had  a  higher  ratio  than  the  gTLDs,  both  from  a  statistical  and  trending   perspective  as  well  as  from  a  security  perspective.  Miscreants  frequently  register   domains  with  TLDs  that  are  less  in  demand  because  they  are  cheaper,  and  in  some   cases  the  particular  domain  registry  (maintainer  of  the  TLD)  and/or  registrar   (maintainer  of  the  domain  record)  will  have  poor  abuse  handling  procedures.   
Additionally,  the  registry  and/or  registrar  may  either  be  complicit  in  the  illegal   activity  or  be  in  a  jurisdiction/country  with  a  legal  system  that  protects  the  domain   from  being  de-­‐registered  or  having  the  registration  information  shared  with  law   enforcement.  TLDs  with  a  high-­‐ratio  of  transactions  per  unique  domain  per  TLD  
  • 8. have  one  or  more  domains  with  a  large  number  of  transactions.  It  is  interesting  to   sift  through  the  records  to  explain  the  high-­‐ratio  TLDs.  They  may  be  the  result  of  a   malicious  command  and  control  (C&C)  or  information  drop  server  that  has  a  large   number  of  transactions  beaconing  to  the  domain’s  server,  or  it  could  be  something   benign,  such  as  a  popular  social  networking  site  in  a  particular  country. One  such  example  of  a  benign  domain  within  a  TLD  that  bubbled  to  the  top  was  .ly.     This  domain  had  a  ratio  of  2140:1,  1792:1,  and  1699:1  in  the  October  –  December   timeframe.  These  ratios  were  more  than  double  the  ratios  that  .com  had  during   these  months.  This  high  ratio  is  explained  by  this  TLD  being  relatively  unpopular  as   far  as  unique  domains  go,  but  having  a  large  number  of  transactions  to  a  popular   domain  -­‐  namely  bit.ly,  a  popular  URL  shortening  service. The  .nu  TLD  had  even  higher  ratios  of  5063:1,  8083:1,  and  2824:1  in  Q4  2009.   The  .nu  TLD  is  assigned  to  the  island  state  of  Niue,  and  Wikipedia  states  that  the  TLD   “is  particularly  popular  in  Sweden,  Denmark,  the  Netherlands  and  Belgium,  as  nu  is   the  word  for  ‘now’  in  Swedish,  Danish,  and  Dutch.”  While  the  domain  may  be  popular   for  these  countries,  our  ratio  shows  that  a  relatively  small  number  of  domains  are   dominating  the  transactions  for  this  TLD. Running  a  query  against  the  Zscaler  NanoLogs  for  the  .nu  domains  and  count  of   transactions,  yielded  a  large  percentage  of  the  transactions  to  the  domain:   cvnxus.mine.nu.  
The  transactions  to  the  domain  appear  as:   hxxp://  cvnxus.mine.nu:53/30080000 Further  analysis  revealed  that  there  were  several  bot  infected  hosts  that  were   beaconing  TCP  ACK  packets  to  this  host.    Zscaler  has  since  noti<ied  and  assisted   impacted  customers.  A  separate  white  paper  detailing  this  analysis  will  be  released. Top  Domains  Visited Many  of  the  most  visited  domains  are  actually  those  that  operate  behind  the  scenes.   liveperson.net  for  example  is  a  real-­‐time  support  tool  used  by  a  variety  of  large   online  retail  and  services  companies  such  as  Bank  of  America,  AT&T  and  IBM3.  As   such,  when  receiving  email  and  chat  based  customer  support  at  such  companies   certain  traf<ic  is  actually  redirected  to  the  liverperson.net  domain.  Top  domains  are   calculated  based  on  the  total  number  of  transactions.  As  such,  sites  delivering   images,  streaming  content  or  requiring  frequent  communication  of  some  form  tend   to  score  higher.  Advertising  based  traf<ic  was  very  prevalent  with  ad  management   platforms  such  as  doubleclick.net  and  yieldmanager.com,  both  landing  in  the  top  10.   Google,  Yahoo!  and  Facebook  all  ranked  high,  as  did  domains  owned  and  managed   by  them.  <bcdn.net  and  yimg.com  serve  up  Facebook  and  Yahoo!  content   respectively.  google-­‐analytics.com,  a  Google  tool  for  tracking  site  visitors  receives   signi<icant  traf<ic  due  to  the  fact  that  links  to  the  domain  are  posted  on  numerous   third  party  sites. 3 http://solutions.liveperson.com/company/customers/
  • 9. Top 10 Domains Visited By Month Q4 2009 0% 7.50% 15.00% 22.50% 30.00% liveperson.net google.com doubleclick.net fbcdn.net yahoo.com yimg.com facebook.com google-analytics.com yieldmanager.com login.icq.com October November December CIDR  Block  Distribu0on CIDR  notation  is  a  way  of  writing  a  block  of  IP  addresses,  where  the  suf<ix  number  is   the  number  of  bits  to  include  from  the  IP  for  the  block4 .  For  example: • 192.168.1.0/24  is  the  IP  block:  192.168.1.0-­‐192.168.1.255 • 192.168.0.0/16  is  the  IP  block:  192.168.0.0-­‐192.168.255.255 • 192.0.0.0/8  is  the  IP  block:  192.0.0.0-­‐192.255.255.255 The  chart  below  shows  the  top  25  most  popular,  highly  utilized  IP  blocks  based  on   Zscaler  customer  traf<ic.  These  results  are  displayed  in  three  ways:  (1)  a  narrow,  /24   IP  block,  viewpoint,  (2)  a  middle,  /16  IP  block,  viewpoint,  and  (3)  a  broader,  /8  IP   block,  viewpoint. The  narrow,  /24  IP  block,  viewpoint  is  largely  comprised  of  popular  end-­‐user  sites/ services  that  are  distributed  across  their  IP  block.  The  4th  quarter  included  some  of   4 http://en.wikipedia.org/wiki/CIDR_notation
  • 10. the  busiest  shopping  months  of  the  year.  This,  combined  with  Amazon's  utilization   of  their  IP  blocks  (e.g.,  their  EC2  service),  accounted  for  Amazon  having  the  top  10  / 24  IP  blocks  by  number  of  unique  IPs  visited.  MySpace  and  Vkontakte  are  social   networking  sites  that  seem  to  distribute  their  user  load  and/or  content  among  a   number  of  web  server  IPs  in  their  block. The  middle  /16  IP  block,  displays  some  of  the  more  popular  hosting  and  service   providers  by  unique  IPs  visited,  such  as,  1&1,  Digital  United,  Taiwan  Fixed  Network,   and  HiNet.    It  is  interesting  that  when  looking  at  the  most  popular  IP  blocks  from  a   middle  aggregation  point,  /16  IP  blocks,  more  Asia  based  IP  blocks  bubble  to  the   top.  From  smaller  (/24  IP  blocks)  and  larger  (/8  IP  blocks)  IP  aggregation  points,   more  United  States  based,  ARIN  space  <inds  its  way  into  the  top  25  blocks  by  unique   IP  visited.  This  suggests  that  Asian  /  APNIC  service  and  hosting  providers  may   largely  be  constructed  of  /16  or  similar  sized  blocks.   /24 CIDR Block /16 CIDR Block /8 CIDR Block Rank Range Organization Range Organization Range 1 216.137.37.0/24 Amazon 74.208.0.0/16 1&1 Internet Inc. 
74.208.0.0/8 2 216.137.39.0/24 Amazon 123.204.0.0/16 Digital United 69.0.0.0/8 3 216.137.41.0/24 Amazon 124.8.0.0/16 Taiwan Fixed Network 216.0.0.0/8 4 216.137.45.0/24 Amazon 114.44.0.0/16 HiNet 66.0.0.0/8 5 216.137.47.0/24 Amazon 219.85.0.0/16 Sony Network Taiwan 74.0.0.0/8 6 216.137.55.0/24 Amazon 124.218.0.0/16 Asia Pacific On-line 208.0.0.0/8 7 216.137.59.0/24 Amazon 122.121.0.0/16 HiNet 64.0.0.0/8 8 216.137.53.0/24 Amazon 220.136.0.0/16 HiNet 72.0.0.0/8 9 216.137.43.0/24 Amazon 125.230.0.0/16 HiNet 67.0.0.0/8 10 216.137.61.0/24 Amazon 114.47.0.0/16 HiNet 61.0.0.0/8 11 63.135.88.0/24 MySpace 112.104.0.0/16 Digital United 218.0.0.0/8 12 216.137.35.0/24 Amazon 59.117.0.0/16 HiNet 209.0.0.0/8 13 91.192.55.0/24 spamfighter.com 118.160.0.0/16 HiNet 118.0.0.0/8 14 93.186.229.0/24 Vkontakte.ru 74.125.0.0/16 Google Inc. 174.0.0.0/8 15 70.35.16.0/24 Netfirms, Inc. 218.172.0.0/16 HiNet 65.0.0.0/8 16 93.186.230.0/24 Vkontakte.ru 69.192.0.0/16 Akamai Technologies 122.0.0.0/8 17 64.71.33.0/24 affinity.com 96.17.0.0/16 Akamai Technologies 207.0.0.0/8 18 69.89.31.0/24 bluehost.com 96.6.0.0/16 Akamai Technologies 87.0.0.0/8 19 65.54.81.0/24 Microsoft.com 118.171.0.0/16 HiNet 220.0.0.0/8 20 64.12.24.0/24 aol.net 219.81.0.0/16 Taiwan Fixed Network 124.0.0.0/8 21 124.218.196.0/24 Asia Pacific On-line 114.40.0.0/16 HiNet 125.0.0.0/8 22 124.218.194.0/24 Asia Pacific On-line 219.84.0.0/16 Sony Network Taiwan 219.0.0.0/8 23 124.218.198.0/24 Asia Pacific On-line 218.163.0.0/16 HiNet 59.0.0.0/8 24 124.218.200.0/24 Asia Pacific On-line 61.31.0.0/16 Taiwan Fixed Network 96.0.0.0/8 25 124.218.202.0/24 Asia Pacific On-line 114.43.0.0/16 HiNet 82.0.0.0/8 To  get  a  clearer  picture  of  actual  organizations  with  a  large  number  of  visited  web   servers  (unique  web  server  IPs),  a  chart  was  created  breaking  out  unique  IPs  visited   per  autonomous  system.  An  autonomous  system  (AS)  is  a  collection  of  connected  IP  
• 11.
blocks under the control of a group/organization. The first and third most popular ASs are Asian, which correlates with our previous statement.

ASN Distribution

Rank | ASN | Organization | Percentage
1 | AS3462 | HINET Data Communication Business Group | 13.36%
2 | AS21844 | ThePlanet.com Internet Services, Inc. | 2.31%
3 | AS9924 | Taiwan Fixed Network, Telco and Network Service Provider. | 1.53%
4 | AS2914 | NTT America, Inc. | 1.36%
5 | AS8560 | 1&1 Internet AG | 1.33%
6 | AS7132 | AT&T Internet Services | 1.27%
7 | AS4780 | Digital United Inc. | 1.21%
8 | AS33070 | Rackspace.com, Ltd. | 1.02%
9 | AS4134 | CHINANET-BACKBONE No.31,Jin-rong Street | 1.01%
10 | AS18182 | Sony Network Taiwan Limited | 1.01%
11 | AS36351 | SoftLayer Technologies Inc. | 0.97%
12 | AS26347 | New Dream Network, LLC | 0.95%
13 | AS26496 | GoDaddy.com, Inc. | 0.95%
14 | AS3269 | TELECOM ITALIA | 0.86%
15 | AS209 | Qwest Communications Company, LLC | 0.82%
16 | AS3356 | Level 3 Communications | 0.63%
17 | AS20940 | Akamai Technologies European AS | 0.62%
18 | AS15169 | Google Inc. | 0.53%
19 | AS16276 | OVH | 0.50%
20 | AS32244 | Liquid Web, Inc. | 0.48%
21 | AS3215 | France Telecom - Orange | 0.43%
22 | AS12322 | PROXAD AS for Proxad/Free ISP | 0.41%
23 | AS3549 | Global Crossing Ltd. | 0.33%
24 | AS22822 | Limelight Networks, Inc. | 0.33%
25 | AS7482 | Asia Pacific On-line Service Inc. | 0.27%
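The /24, /16 and /8 tables and the AS table above are all built the same way: every unique destination web server IP is bucketed by a prefix and the buckets are ranked. The following Python script is an added example, not code from the report or from Zscaler; it reproduces the CIDR aggregation at all three prefix lengths over a handful of constructed proxy log lines (the log format and the addresses are assumed). An AS breakdown would additionally need a prefix-to-ASN lookup, which is not shown.

```python
"""Count unique destination web-server IPs per CIDR block at several
aggregation points (/24, /16, /8).  Added example; the log lines below are
constructed and the five-field log format is an assumption."""
import ipaddress
from collections import defaultdict

# Constructed proxy log lines: timestamp, client IP, method, destination IP, status.
SAMPLE_LOG = """\
2009-12-01T10:00:01Z 10.1.1.5 GET 216.137.37.10 200
2009-12-01T10:00:02Z 10.1.1.5 GET 216.137.37.11 200
2009-12-01T10:00:02Z 10.1.1.6 GET 216.137.37.10 304
2009-12-01T10:00:03Z 10.1.1.7 GET 216.137.39.20 200
2009-12-01T10:00:04Z 10.1.1.7 POST 74.208.1.1 200
2009-12-01T10:00:05Z 10.1.1.8 GET 74.208.2.2 200
2009-12-01T10:00:06Z 10.1.1.8 GET 74.125.19.83 200
2009-12-01T10:00:07Z 10.1.1.9 GET not-an-ip 200
"""


def parse_destinations(log_text):
    """Yield destination IPv4 addresses from the constructed log format,
    skipping short lines and lines whose destination is not a valid address."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        try:
            yield ipaddress.IPv4Address(fields[3])
        except ValueError:
            continue  # malformed destination field, ignore it


def unique_ips_per_block(addresses, prefix_len):
    """Map each CIDR block of the given prefix length to the set of unique
    destination IPs seen inside it (a set, so repeat visits count once)."""
    blocks = defaultdict(set)
    for addr in addresses:
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        blocks[net].add(addr)
    return blocks


def top_blocks(log_text, prefix_len, n=10):
    """Return [(cidr_string, unique_ip_count), ...], most-visited first;
    ties are broken by network address so the output is deterministic."""
    blocks = unique_ips_per_block(parse_destinations(log_text), prefix_len)
    ranked = sorted(blocks.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(str(net), len(ips)) for net, ips in ranked[:n]]


if __name__ == "__main__":
    for plen in (24, 16, 8):
        print(f"/{plen} blocks by unique IPs visited:")
        for cidr, count in top_blocks(SAMPLE_LOG, plen):
            print(f"  {cidr:<20} {count}")
```

Note how the same six unique addresses rank differently at each aggregation point: Amazon's two /24s lead at /24, while at /8 the 74.0.0.0/8 and 216.0.0.0/8 blocks tie, which is the effect the report describes when it compares the /24, /16 and /8 tables.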
• 12.
Geography

The majority of requested web content resides on servers located in the United States. With the exception of a spike in October and part of November for content located in Taiwan, traffic destined for non-US web sites was fairly evenly distributed across servers located primarily in a variety of countries in Europe and Asia.

[Chart: Top 10 Destinations By Country Q4 2009, by month; the data are tabulated below]

Country | October | November | December
United States | 35.73% | 44.42% | 55.74%
Taiwan | 34.22% | 10.41% | 3.15%
Germany | 2.76% | 4.36% | 4.32%
France | 1.82% | 5.27% | 2.84%
United Kingdom | 2.21% | 3.42% | 3.83%
China | 2.01% | 2.70% | 2.66%
Canada | 1.97% | 2.54% | 2.71%
Italy | 2.55% | 1.63% | 0.87%
Russian Federation | 1.42% | 2.09% | 1.83%
Japan | 1.64% | 1.65% | 1.61%
• 13.
[Chart: Top 10 Destinations By Region Q4 2009, by month; the data are tabulated below]

Region | October | November | December
Taipei | 30.14% | 9.10% | 2.67%
California | 6.94% | 7.23% | 8.87%
Texas | 4.87% | 6.40% | 8.33%
Massachusetts | 1.98% | 2.71% | 3.61%
Pennsylvania | 1.55% | 2.06% | 2.62%
Arizona | 1.53% | 2.00% | 2.65%
New York | 1.41% | 1.92% | 2.17%
Illinois | 1.30% | 1.71% | 2.15%
Taiwan | 3.26% | 1.04% |
Florida | 1.25% | 1.64% | 2.08%

From a regional perspective, Taipei hosted much of the Taiwanese-based content, which accounted for the surge in October and November. As for US traffic, both California and Texas account for the bulk of content, with the remainder tending to be located on the East Coast.
• 14.
[Chart: Top 10 Destinations By City Q4 2009, by month; the data are tabulated below]

City | October | November | December
Taipei | 30.14% | 9.10% | 2.67%
Houston | 1.87% | 2.48% | 3.21%
Cambridge | 1.41% | 1.98% | 2.79%
San Antonio | 1.08% | 1.40% | 1.85%
Dallas | 0.98% | 1.30% | 1.73%
Scottsdale | 0.75% | 1.00% | 1.34%
Englewood | 0.77% | 0.97% | 1.30%
Seattle | 0.71% | 0.91% | 1.17%
Moscow | 0.71% | 0.99% | 0.93%
Brea | 0.66% | 0.83% | 1.12%
• 15.
File Types

Many assume that web traffic is dominated by HTML content. While that may have been true a decade ago, the media-rich, dynamic web applications available today are filled with images, formatting elements, data and active content. For the 4th quarter, JPEG (28.74%) and GIF (28.68%) images alone accounted for more than half of the total number of transactions. This is a testament to the visual nature of the web. JavaScript, the 'work horse' of modern, user-friendly web applications, was responsible for only 3.95% of transactions. HTML files fell just outside of the top 10 and drove 0.57% of traffic.

Top 10 File Types Q4 2009 (share of transactions)
jpeg | 28.74%
gif | 28.68%
gz | 24.40%
png | 6.25%
js | 3.95%
css | 1.82%
swf | 1.14%
xml | 0.72%
txt | 0.66%
jpg | 0.57%

Request Method

Predictably, GET requests account for the majority of traffic. Generally speaking, GET and POST requests are the most often-used communication methods employed by web applications, the difference being that a GET request passes request variables within the URL itself while POST requests pass variables as a portion of the request header. Each approach has advantages and disadvantages but, given size limitations for GET requests, the POST method tends to be reserved for situations such as filling out a web form, when more substantial amounts of data need to be transmitted, while GET requests are leveraged for general web page rendering.

Request Method Q4 2009 (share of transactions, of total request size and of total response size)
Method | Transactions | Request Size | Response Size
GET | 86.58% | 83.46% | 96.29%
POST | 7.18% | 15.16% | 3.67%
CONNECT | 6.04% | 1.05% | 0.02%
HEAD | 0.14% | 0.07% | 0%
INVALID | 0.04% | 0.24% | 0%
MOVE | 0% | 0% | 0%

It is, however, interesting to note the percentages of overall traffic related to request and response size. Even though POST requests accounted for 7.18% of transactions during the quarter (given their use in uploading content), such requests were responsible for
• 16.
more than twice as much (15.16%) of total outbound web traffic. HTTP CONNECT requests, by contrast, have the opposite effect. Such requests are used to initiate traffic on an alternate port, so the requests themselves are limited in size.

Response Code

Top 10 Response Codes Q4 2009
200 - OK | 78.98%
304 - Not Modified | 8.94%
302 - Found | 3.22%
307 - Temporary Redirect | 2.23%
Invalid | 2.00%
404 - Not Found | 1.35%
204 - No Content | 0.98%
403 - Forbidden | 0.80%
301 - Moved Permanently | 0.60%
206 - Partial Content | 0.28%

Just over 4 out of 5 requests (80.29%) returned a 200-level (success) code, representing that the content had been delivered and no further action was required. 300-level (redirection) codes, indicating additional action required by the requesting browser, overall accounted for 15% of traffic. Client errors (400) were relatively rare at 2.49%, but not as rare as server errors (500), which occurred only 0.11% of the time.
• 17.
Web Browser Statistics

Browser Version

[Chart: Browser Market Share By Month Q4 2009 for IE, Firefox, Safari, Opera, Chrome, Unknown and Other, October through December; the monthly figures are tabulated on slide 18]

While Internet Explorer clearly continues to dominate, we are witnessing a slow but steady decline in overall market share. Regardless, other browser vendors have a long way to go before they will surpass the long-standing market leader. We saw a greater than 6% jump in market share for Firefox during the month of December. However, this can be largely attributed to improved detection methods as opposed to an unexpected surge in traffic. You will note that Unknown traffic declined a similar amount during the same time period. Unknown traffic accounts for a reasonable amount of traffic, as today the majority of desktop applications communicate via HTTP/HTTPS for a variety of reasons, including the retrieval of additional content, providing online support, downloading patches and submitting error reports. Safari, Opera and Chrome combined continue to account for less than two percent of the traffic that we're seeing. It will be interesting to watch Chrome in the coming months as Google is starting to leverage its reach to promote the browser.
• 18.
[Pie chart: Internet Explorer Breakdown Q4 2009; segments of 48%, 46%, 5% and 1%; legend: IE 6.0, IE 7.0, IE 8.0, IE Other]

Looking at the breakdown of Internet Explorer traffic for the quarter is particularly concerning. The majority of enterprises continue to maintain Internet Explorer 6.x as their browser of choice. While IE 6 continues to be supported by Microsoft, meaning that patches are deployed for any known vulnerabilities, it lacks numerous security features present in IE 7 and 8. IE 6 does not maintain malicious URL and phishing block lists, a feature that is now commonplace in all major browsers and is even making its way into mobile browsers. Additionally, IE 6 lacks protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), two features which increase the complexity of executing shellcode should a remote browser exploit be uncovered. During the Operation Aurora attack, when Google, Adobe and other high-profile enterprises were allegedly infiltrated by Chinese attackers, the attacks only targeted IE 6. While IE 7 and 8 were vulnerable to the same attack vector, reliable exploit code had not been produced for these versions of the browser due to additional protections such as DEP and ASLR. IE 8 also added a critical feature which has now been adopted by Chrome, the inclusion of cross-site scripting protection, yet another feature that IE 6 lacks. It is vital that enterprises move away from IE 6, even though it continues to be supported by Microsoft, and adopt IE 8 to take advantage of numerous security enhancements.
Google has indirectly taken an important step toward forcing this change by dropping support for Google Docs and Google Sites in IE 6, starting in March 2010.

Browser Market Share By Month Q4 2009
Browser | October | November | December
Internet Explorer | 75.31% | 73.77% | 72.21%
Firefox | 8.44% | 8.87% | 15.32%
Safari | 1.41% | 1.38% | 1.39%
Opera | 0.02% | 0.06% | 0.09%
Chrome | 0.06% | 0.02% | 0.03%
Unknown | 13.04% | 14.18% | 9.33%
Other | 1.72% | 1.72% | 1.63%
Total | 100.00% | 100.00% | 100.00%
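The browser and IE-version breakdowns above are what a web gateway can derive from the User-Agent header, and the same parsing is the basis for a policy that flags or blocks IE 6 clients. The following Python script is an added example, not code from the report or from Zscaler: the User-Agent strings are constructed samples and the bucket names (IE, Firefox, Safari, Opera, Chrome, Unknown, Other) follow the report's chart. It also shows why the Unknown bucket is sizeable: non-browser clients such as OS components send User-Agent strings that match no browser pattern, and some requests carry none at all.

```python
"""Classify User-Agent strings into the report's browser buckets and flag
legacy Internet Explorer 6 clients.  Added example; the UA samples and the
classification order are assumptions, not the report's method."""
import re
from collections import Counter

# Constructed User-Agent samples, one per request, as a proxy would log them.
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.38 Safari/532.0",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10",
    "Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10",
    "Microsoft-CryptoAPI/6.1",  # OS component fetching certificate data, not a browser
    "",                         # request with no User-Agent header at all
]

MSIE_RE = re.compile(r"MSIE (\d+)\.(\d+)")


def classify(ua):
    """Return (family, major_version_or_None).  Order matters: the Chrome UA
    also carries a Safari token, so Chrome is tested before Safari."""
    if not ua:
        return ("Unknown", None)
    m = MSIE_RE.search(ua)
    if m:
        return ("IE", int(m.group(1)))
    if "Chrome/" in ua:
        return ("Chrome", None)
    if ua.startswith("Opera"):
        return ("Opera", None)
    if "Firefox/" in ua:
        return ("Firefox", None)
    if "Safari/" in ua:
        return ("Safari", None)
    if ua.startswith("Mozilla/"):
        return ("Other", None)     # a browser we do not recognise
    return ("Unknown", None)       # non-browser desktop software talking HTTP


def is_legacy_ie(ua):
    """True for IE 6 and older, which lack the block lists, DEP/ASLR and
    XSS filter the report describes; a gateway policy can key on this."""
    family, major = classify(ua)
    return family == "IE" and major is not None and major < 7


def browser_shares(uas):
    """Percentage of requests per family, rounded to two decimals."""
    counts = Counter(classify(ua)[0] for ua in uas)
    total = sum(counts.values())
    return {fam: round(100.0 * n / total, 2) for fam, n in counts.items()}


if __name__ == "__main__":
    for fam, pct in sorted(browser_shares(SAMPLE_UAS).items()):
        print(f"{fam:<8} {pct:6.2f}%")
    print("legacy IE requests:", sum(is_legacy_ie(ua) for ua in SAMPLE_UAS))
```

The report attributes the December swing between Firefox and Unknown to improved detection rather than real change; in this script that corresponds to adding a pattern to classify(), which moves requests from one bucket to another without any change in the underlying traffic.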
• 19.
User Statistics

Attackers are no longer targeting web and email servers. Instead, they are focusing on the weakest link in the security chain: end users. Whether such attacks leverage technical vulnerabilities or, more likely, social engineering, web-based client-side attacks are the most common way to compromise end user machines. As such, it's vital for enterprises to understand user behavior on the web.

URL Categorization

Given the corporate focus of Zscaler clients, it isn't surprising that categories such as Professional Services and Corporate Marketing would top the list. More interesting are the high placements of personal traffic such as Shopping, Sports, Entertainment and Games. In fact, the majority of sites beyond the top 10 are personal in nature. Overall, approximately 1/5 of traffic could be deemed to be personal in nature. While Zscaler delivers an enterprise offering, it is not uncommon for employees to leverage corporate assets after work hours for personal purposes and, as such, some of this traffic was likely generated outside of work hours.

Below we break down a select number of individual categories to reveal the top 10 domains within each.

Search Engines

The search engine game remains a three-horse race, with Google continuing to dominate the majority of traffic. After the big three, contenders are hard to find. Disney's Go.com, which is actually powered by Yahoo!, sat in 4th place at 1.22%, and Baidu, a powerhouse in the Chinese market, handled 1.00% of web search traffic for Q4 2009.

Top Search Engines (pie chart)
Google | 57%
Yahoo! | 18%
Microsoft | 10%
Other | 15%
• 20.
Social Networking

The dominance of Facebook in the social networking realm is clear. Three quarters of all social networking traffic traversing the Zscaler network is destined for Facebook. MySpace has solid control of second place with 15% of traffic, but the gap between first and second place is enormous and only appears to be getting larger.

It is also interesting to consider that the majority of traffic in these statistics is corporate traffic. While a portion of requests are no doubt personal in nature, this also suggests that Facebook is becoming a social platform of choice for enterprises. More and more, corporations are attempting to leverage social networks for marketing, recruiting and investigating potential new hires.

Top Social Networking Sites Q4 2009 (pie chart)
Facebook | 74%
Myspace | 15%
Other | 11%

File Sharing

Si@mBIT, a Thailand-based web hosting provider describing itself as "the best Thailand Bittorrent website since 2005", led statistics for the quarter with 37.49% of all file sharing traffic. The third largest domain, tb.in.th, is also controlled by Si@mBIT and commanded 12.98% of traffic, giving Si@mBIT approximately half of the traffic for the quarter. FilesTube, a search engine dedicated to file downloads, had 25.31% of traffic.

Top File Sharing Domains
siambit.com | 37.49%
filestube.com | 25.31%
tb.in.th | 12.98%
sftcdn.net | 9.68%
iptorrents.com | 3.06%
limewire.com | 2.95%
Other | 1.98%
seedpeer.com | 1.07%
• 21.
Government

Q4 means that Christmas is on the way, and it would appear that the United States Postal Service (USPS) was a popular destination for holiday shoppers looking to determine if their gifts would arrive on time. USPS accounted for 16.20% of government-related traffic during the quarter.

Top 10 Government Domains
usps.com | 16.20%
nraila.org | 5.14%
weather.gov | 3.60%
uspto.gov | 2.25%
www.sec.gov | 1.73%
state.fl.us | 1.47%
fema.gov | 1.38%
www.irs.gov | 1.36%
michigan.gov | 1.12%
military.com | 1.03%

Retail

Q4 is of course the peak online shopping season, a time when retailers look to make the majority of their profit for the year. If web traffic is any indication, Amazon was the big winner, having claimed 3.63% of total retail traffic. ShopLocal, which took the number two spot, is not a retailer itself but rather a site which republishes flyers for local stores to allow users to find deals specific to their geographic area. The company makes money through advertising on the site.

Top 10 Shopping Sites
Amazon | 3.63%
ShopLocal.com | 2.90%
Macy's | 2.59%
Shop.com | 2.55%
Overstock | 1.88%
JC Penny | 1.87%
Target | 1.52%
Costco | 1.27%
Barnes & Noble | 1.10%
QVC | 1.10%
• 22.
Security Statistics

Threats

Next, we'll break down the various threats that we see on a daily basis. These results are based on actual end user traffic and therefore reflect popular and active malicious sites, as opposed to sites that may exist but not be visited.

Malware By IP Address

Worms, viruses, Trojans and other forms of malware can be found just about everywhere on the web today. However, malicious content is not necessarily hosted at sites that are themselves malicious. More and more, we're seeing otherwise legitimate sites hosting malware without being aware of it. This is an increasing concern given the trend toward permitting user-supplied content to be shared. Unfortunately, many sites are doing little to ensure that the hosted content is not malicious before it is stored for others to access.

Top 10 Malware IP Addresses
38.99.186.14 | 38.63%
208.71.120.24 | 25.68%
208.71.121.24 | 13.41%
124.153.77.48 | 5.52%
217.23.7.7 | 2.73%
64.14.29.50 | 1.32%
216.86.150.237 | 1.01%
208.76.70.56 | 1.00%
74.125.19.83 | 0.91%
74.125.19.18 | 0.88%

Malware by Country

Sites hosted in the United States overwhelmingly hosted the majority of malware, and for this reason we have broken them out separately. 80.32% of malware seen during Q4 2009 originated from US-based servers. This should not, however, be interpreted as US-based traffic being particularly risky; rather, it's more a reflection of the fact that the majority of traffic inspected was destined for servers located in the US. This can be seen in the Geography section of this paper.

Top Countries Serving Malware (pie chart)
United States | 80%
Other | 20%
• 23.
[Pie chart: Top 10 Countries Serving Malware (US Excluded); segments of 25%, 20%, 14%, 11%, 6%, 6%, 6%, 5%, 5% and 3%; legend: Netherlands, India, Germany, China, Cyprus, Russian Federation, United Kingdom, Canada, Korea (Republic of), France]

Phishing

The top phishing site blocked was coolxd.com; this accounted for roughly 70% of the quarter's phishing numbers. The site itself was recently removed from the Internet. This scam site is effectively the same as the heyxd.com, omgxd.com, and imnotez.com sites. These sites steal your email/instant messenger credentials (username/password), and then notify the people on your contact list to check out the site. Advertisements, fraud, and/or malware are then spammed to and through victim accounts. The sites advertised the ability to provide a service which enables users to IM pictures and other content to share directly to a forum.

Top 10 Phishing IP Addresses
208.43.210.147 | 70.83%
219.232.243.74 | 7.21%
219.232.243.65 | 1.91%
219.232.243.91 | 1.64%
219.232.243.75 | 1.47%
219.232.243.15 | 0.84%
219.232.243.90 | 0.61%
219.232.241.178 | 0.57%
219.232.243.87 | 0.55%
174.143.29.2 | 0.50%
• 24.
Malicious Domains

Three domains accounted for roughly 55% of the malicious URL transactions:
• adfarm.mediaplex.com
• link4you.3322.org
• www.tns-counter.ru

Top 10 Malicious Domains
adfarm.mediaplex.com | 24.01%
link4you.3322.org | 17.41%
www.tns-counter.ru | 13.33%
www.winifixer.com | 4.06%
www.freegaming.de | 2.96%
dt.tongji.linezing.com | 2.25%
img.12chan.org | 1.72%
nspmotion.com | 1.14%
acs86.com | 0.69%
stork27.dropbox.com | 0.66%

adfarm.mediaplex.com has been reported to be involved in spam, adware/spyware, phishing/scams, and browser exploits [5]. The Mediaplex website details how the company "provides cross-channel advertising technology solutions and services that enable marketers to achieve one-to-one messaging, greater efficiencies and a competitive edge through insightful reporting and analytics" [6]. 3322.org is a DynDNS-provided domain that has served malware and exploit content for some time [7]. tns-counter.ru is also known for serving adware/spyware/malware [8].

The majority of malicious sites are hosted in the US, with a full 63% of sites residing in North America. This is, however, more a reflection of where content in general resides, as opposed to North American content representing a higher overall risk.

[Pie chart: Top Malicious Domains By Country; segments of 44%, 19%, 17%, 6%, 6%, 5% and 3%; legend: United States, Canada, Russian Federation, China, Germany, Netherlands, Other]

[5] http://www.siteadvisor.com/sites/mediaplex.com/summary/
[6] http://www.mediaplex.com/about.shtml
[7] http://isc.sans.org/diary.html?storyid=5710
[8] http://www.siteadvisor.com/sites/tns-counter.ru/summary/
• 25.
Anonymizers

Over 30% of our anonymizer traffic was to kproxy.com. One of the features that Zscaler provides to customers is policy-based blocking based on page categorization, so customers have the ability to block users from browsing to/through proxy sites. kproxy.com provides a simple interface, not unlike Google's, to browse through, with SSL encryption as an additional capability. Among the popular sites that kproxy advertises that it works with are MySpace, Facebook, Gmail, YouTube, and MegaUpload, all sites that may be blocked by company policies as they are not work related. In other words, users are generally using these services to get around corporate policies and URL filtering rules, as opposed to using them to cloak their IP address from an external source.

Top 10 Anonymizers
kproxy.com | 30.51%
proxyswitcher.com | 20.17%
freeproxylist.org | 8.03%
archive.org | 5.36%
freeproxy.ru | 3.12%
privacy-world.com | 1.83%
helllabs.net | 1.76%
66.232.118.93 | 1.66%
proxybridge.com | 1.57%
ktunnel.com | 1.39%

Botnets

Generally speaking, correlating the malicious artifact to the top botnet hosts enables us to describe which malware campaigns were the most successful. The breakdown is as follows, and should not be a surprise to the security community for HTTP-based botnets:
1. Zeus/Zbot variants
2. Fake Anti-Virus variants
3. Banker Trojan variants.

Top 10 Botnet IPs/Domains
91.212.65.13 | 44.11%
66.235.175.5 | 15.67%
77.221.133.227 | 9.80%
88.80.7.152 | 8.39%
88.80.5.3 | 7.05%
77.221.133.189 | 5.74%
208.99.193.130 | 3.18%
meu89.net | 1.91%
194.68.45.50 | 1.63%
69.61.21.115 | 0.28%

The top command and control IP address seen, 91.212.65.13, is based out of the Ukraine and serviced both Zeus and FakeAV infections. The whois information for this host shows it
• 26.
belonging to the Eurohost/UralComp IP blocks. FireEye has a good write-up of this "bad actor" from almost a year ago [9], and malwaredomainlist, an archive of malicious web domains, has plenty of content for these IP blocks [10].

While Ukrainian and Russian IPs make up a large number of the botnet C&C servers, it was a little surprising to see that Sweden had a number of C&Cs in the top 25:
• 88.80.7.152
• 88.80.5.3
• 88.80.5.172
• 80.88.108.18

Further analysis of some of the Swedish hosts shows them belonging to PRQ (http://www.prq.se), a co-location and hosting provider. Their homepage states that they are known for their "boundless commitment to free speech" and "discrete customer relations policy". They also have an icon on their website that states, "data retention is no solution", suggesting minimal/no logging. In other words, this hosting service would be ideal for hosting malicious sites and remaining protected from investigations / takedowns.

Traffic

Last, but not least, we'll investigate traffic patterns which would not be expected without the presence of errors or malicious content.

Bogon IP space

Bogon (aka darknet) IP addresses represent non-routable IP blocks, either because they are reserved (for example RFC1918) or they are unallocated. Occasionally, we see web requests to bogon IPs; usually this is to RFC1918 addresses (internal IP addresses), and the requests have leaked into the cloud because of a routing misconfiguration on the

Top 10 Bogon IP Addresses
1.1.1.1 | 7.74%
127.0.0.0 | 6.60%
198.18.1.18 | 5.35%
1.2.3.4 | 4.34%
0.0.0.2 | 2.99%
0.0.0.5 | 2.62%
198.18.1.15 | 2.60%
0.0.0.8 | 2.57%
198.18.1.2 | 2.20%
0.0.0.1 | 2.20%

[9] http://blog.fireeye.com/research/2009/03/bad-actors-part-6-eurohost-llc.html
[10] http://www.malwaredomainlist.com/forums/index.php?board=23.0
• 27.
customer's network. However, there are also several occurrences of web requests to non-RFC1918 bogons. This traffic is of interest as it represents either human error or an infected machine that is randomly scanning IP address blocks looking for vulnerable hosts.

Top 10 Bogon IP Address Blocks
127.0.0.0/24 | 6.60%
1.2.3.0/24 | 4.34%
0.0.0.0/24 | 2.62%
50.0.0.0/24 | 2.04%
169.254.1.0/24 | 1.11%
169.254.178.0/24 | 0.56%
169.254.200.0/24 | 0.53%
169.254.8.0/24 | 0.37%
198.18.189.0/24 | 0.37%
0.1.0.0/24 | 0.34%

Some of the bogon traffic can be explained as follows:
• The 1.1.1.1 and 127.0.0.0/8 and 1.2.3.0/24 subnets are likely some sort of test scripts that folks are running.
• The 169.254.0.0/16 addresses are part of the Automatic Private IP Addressing (APIPA) of hosts when DHCP fails.

The 50.0.0.0/24 IP block is interesting, though as yet unexplained. Googling for it shows that it is an IANA reserved block, and it shows up in some OSPF routing templates. It's possible that this block is a commonly used reserve block in some intra-organization routing. However, the only IP address that was hit in this block was 50.0.0.82, which is interesting. It is possible that there was a mistake in a script or routing statement.
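One way to separate the RFC1918 leaks from the more interesting non-RFC1918 bogons in a proxy log, as an added example that is not part of the report: a Python script using the standard ipaddress module. The log lines are constructed, and the bogon list is assembled from the ranges the report discusses (RFC1918, 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 198.18.0.0/15, 1.0.0.0/8 and 50.0.0.0/8). Note that 1.0.0.0/8 and 50.0.0.0/8 were unallocated in Q4 2009 but were assigned to APNIC and ARIN in early 2010, so a live deployment should refresh its list from IANA rather than hard-code it.

```python
"""Flag web requests whose destination is a bogon address, keeping the
benign-looking RFC 1918 leaks apart from requests to other non-routable
space.  Added example; the log lines are constructed and the bogon table is
a point-in-time list for Q4 2009, not an authoritative one."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Reserved or (as of Q4 2009) unallocated space named in the report, with the reason.
OTHER_BOGONS = {
    "0.0.0.0/8": "this-network (RFC 1122)",
    "127.0.0.0/8": "loopback",
    "169.254.0.0/16": "link-local / APIPA",
    "198.18.0.0/15": "benchmark testing (RFC 2544)",
    "1.0.0.0/8": "unallocated in Q4 2009 (assigned to APNIC in January 2010)",
    "50.0.0.0/8": "unallocated in Q4 2009 (assigned to ARIN in February 2010)",
}
OTHER_BOGON_NETS = [(ipaddress.ip_network(n), why) for n, why in OTHER_BOGONS.items()]


def classify_destination(dest):
    """Return (kind, reason) where kind is 'rfc1918', 'bogon', 'routable' or
    'not_ip' (hostnames and malformed fields land in the last bucket)."""
    try:
        ip = ipaddress.IPv4Address(dest)
    except ValueError:
        return ("not_ip", "destination is not an IPv4 literal")
    for net in RFC1918:
        if ip in net:
            return ("rfc1918", f"private address in {net}, likely a routing leak")
    for net, why in OTHER_BOGON_NETS:
        if ip in net:
            return ("bogon", f"{net}: {why}")
    return ("routable", "")


# Constructed proxy log lines: timestamp, client IP, method, destination, status.
SAMPLE_LOG = """\
2009-11-03T08:00:00Z 10.2.0.4 GET 1.1.1.1 504
2009-11-03T08:00:01Z 10.2.0.4 GET 192.168.1.10 504
2009-11-03T08:00:02Z 10.2.0.9 GET 74.125.19.83 200
2009-11-03T08:00:03Z 10.2.0.9 GET 169.254.1.7 504
2009-11-03T08:00:04Z 10.2.0.11 GET 50.0.0.82 504
2009-11-03T08:00:05Z 10.2.0.11 GET 198.18.1.18 504
2009-11-03T08:00:06Z 10.2.0.12 GET www.example.com 200
"""


def bogon_report(log_text):
    """Group destinations by classification.  The 'bogon' bucket is the one
    worth an analyst's time: it points at test scripts, typos in a routing
    statement, or a host probing address space it should never reach."""
    report = {"rfc1918": [], "bogon": [], "routable": [], "not_ip": []}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        kind, reason = classify_destination(fields[3])
        report[kind].append((fields[3], reason))
    return report


if __name__ == "__main__":
    for kind, hits in bogon_report(SAMPLE_LOG).items():
        for dest, reason in hits:
            print(f"{kind:<9} {dest:<16} {reason}")
```

Running it on the constructed lines puts 192.168.1.10 in the rfc1918 bucket and 1.1.1.1, 169.254.1.7, 50.0.0.82 and 198.18.1.18 in the bogon bucket, which mirrors the split the report draws between leaked internal requests and the non-RFC1918 bogons it considers interesting.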
• 28.
Conclusion

Understanding web traffic is critical for enterprises seeking to manage and secure their networks. Traffic is converging on the web at a rapid pace. A decade ago we leveraged firewalls to manage traffic on networks and determine which users could access which resources. Today, traffic is not neatly segregated into buckets based on protocols. Regardless of the traffic that we're dealing with, be it email, instant messaging, P2P, streaming media, etc., it has the ability to be tunneled through HTTP/HTTPS.

At the same time, attackers have shifted their focus to target end users. Some attackers take a shotgun approach by striking far and wide without concern for who the ultimate victims may be. This is the approach leveraged by those who build botnets. They seek infected machines and they do not discriminate. On the other side of the coin, Advanced Persistent Threats [11] are emerging on the radars of CISOs as the media highlights the sophistication of attacks on corporations, such as those highlighted in the Operation Aurora attacks which targeted Google, Adobe and others. Regardless of the approach, the majority of such attacks now leverage the web as the transport medium.

Understanding the behaviors of end users, content providers and attackers on the web can help us to better manage and secure networks. We hope that you enjoyed this, our first quarterly State of the Web report.

[11] http://www.zscaler.com/apt.html
• 29.
Appendix

TLD Breakdown

Monthly Summary – Top TLDs Visited

Note: Pink shows larger fluctuations than yellow, and green shows no fluctuation.

Monthly Summary – Top TLDs by Transactions
Popularity | October 2009 | November 2009 | December 2009
1 | COM | COM | COM
2 | NET | NET | NET
3 | ORG | ORG | ORG
4 | AU | AU | AU
5 | IN | UK | TV
6 | TV | IN | ZA
7 | UK | TV | IN
8 | FR | DE | UK
9 | PE | PE | DE
10 | GOV | FR | GOV
11 | EDU | ZA | EDU
12 | DE | GOV | RU
13 | RU | NU | FR
14 | US | EDU | US
15 | NU | RU | PE
16 | IT | IT | CN
17 | AR | US | IT
18 | MX | MX | CA
19 | CA | CN | SG
20 | INFO | AR | MX
21 | CO | CA | INFO
22 | BR | IE | NU
23 | CN | INFO | AR
24 | ES | TH | PL
25 | FM | ES | FM