State of the Web - Q4 2009
A View of the Web From an End User's Perspective
Zscaler Labs

Abstract
Attackers are no longer targeting web and email servers. Today, they are attacking enterprises from the inside out, by first compromising end user systems and then leveraging them to gain access to confidential data. As such it is imperative that organizations have an understanding of what is happening on the web. As a Security-as-a-Service vendor, Zscaler has a unique perspective on web traffic. With millions of end users traversing the web through Zscaler's global network of web gateways, we are able to better understand both how users are interacting with web based resources and how attackers may be targeting end users. In this, our first quarterly 'State of the Web' report, we provide a window into the web from an end user's perspective.
Table of Contents

Overview ... 3
Web Traffic Statistics ... 3
Web Server Statistics ... 3
TLDs by Unique Domain Visited ... 4
TLDs by Total Transactions ... 6
Transaction to Domain Ratio ... 6
Top Domains Visited ... 8
CIDR Block Distribution ... 9
ASN Distribution ... 11
Geography ... 12
File Types ... 15
Request Method ... 15
Response Code ... 16
Web Browser Statistics ... 17
Browser Version ... 17
User Statistics ... 19
URL Categorization ... 19
Search Engines ... 19
Social networking ... 20
File Sharing ... 20
Government ... 21
Retail ... 21
Security Statistics ... 22
Threats ... 22
Malware By IP Address ... 22
Malware by Country ... 22
Phishing ... 23
Malicious Domains ... 24
Anonymizers ... 25
Botnets ... 25
Traffic ... 26
Bogon IP space ... 26
Conclusion ... 28
Appendix ... 29
TLD Breakdown ... 29
Monthly Summary - Top TLDs Visited ... 29
Monthly Summary - Unique Domains Per TLD ... 30
Categorization Breakdown ... 31
.COM Breakdown by Category ... 31
.NET Breakdown by Category ... 34
.ORG Breakdown by Category ... 37
.INFO Breakdown by Category ... 40
Top Search Queries ... 49
Overview

Our goal in producing this report is to better understand traffic on the web today. Security and IT teams across organizations are tasked with managing the traffic of end users on their networks. That can involve restricting access for various business purposes and protecting end users from external threats. This is a tall order given the increasing ease of access to web based services that often permit users to bypass traditional controls - whether accessing corporate resources from personal devices such as smart phones or setting up applications by leveraging cloud based resources. Zscaler is in a unique position to observe trends in web traffic. As a Security-as-a-Service vendor, Zscaler's network of web gateways continually inspects traffic for millions of end users around the globe.

There are a number of great reports available today from a variety of organizations to help us better understand web traffic. However, the majority of such reports tend to focus on the server side of the equation. They tend to look at the technology that has been deployed to deliver web content and associated security issues in web applications. We feel that there is a need to better understand the client side of the equation - what are end users doing on the web and how are attackers targeting them? The latter part of this question is especially important as attackers have clearly shifted away from attacking web and email servers to targeting end users. They understand that end user systems tend to represent the weakest link in the security chain and they are exploiting that weakness with increasing efficiency. We can better defend against such attacks by better understanding exactly what is occurring on the web, and it is our hope that this report will help to shed some light on that very topic.
Web Traffic Statistics

Web Server Statistics

Zscaler customers visited several million web servers during the 4th quarter of 2009. One interesting technique for visualizing the IP addresses of the web servers visited is through a heatmap. The graphic below was generated from the Measurement Factory software[1] and "uses a 12th-order Hilbert curve[2] to represent the entire IPv4 address space". In the graphic below, IP addresses visited are represented by white pixels, while addresses not visited are displayed as black pixels. Non-routable or reserved space is identified in gray and where appropriate, we have indicated what that space is used for. It's a fascinating view which exposes just how vast the Internet truly is. Even when analyzing traffic from millions of users over the course of three months, it can be seen that much of the Internet remains untouched.

[1] http://maps.measurement-factory.com/software/ipv4-heatmap.1.html
[2] A Hilbert Curve is a space filling curve that visits every point in a grid (in our case a 2^12 x 2^12 grid).

Figure: Hilbert Curve - All Q4 2009 traffic by IP address

TLDs by Unique Domain Visited
.com, .org, and .net top-level domains (TLDs) consistently made up the bulk of the unique domains visited each month. .com traffic made up 80.11% of the unique domains visited during the quarter. .net had over 4.96% and .org accounted for 4.45%. The chart below shows the next 10 largest TLDs that make up about 80% of the remaining 11% of the unique domains visited in Q4 of 2009.

Chart: Unique domains visited by TLD, Q4 2009 - com 80%, net 5%, org 4%, Other 10%
Top 10 TLDs By Unique Domain Per Month (Excluding .com/.net/.org)

TLD    October  November  December
ru     1.25%    1.1%      1.50%
uk     1.04%    1.5%      1.22%
au     1.03%    1.3%      1.30%
edu    1.23%    1.3%      1.11%
de     0.74%    1.0%      1.07%
info   0.59%    0.6%      0.63%
us     0.63%    0.6%      0.57%
fr     0.56%    0.6%      0.49%
in     0.63%    0.5%      0.47%
ca     0.39%    0.5%      0.44%
There were a number of similarities with a few fluctuations within the top 10 TLDs with unique domains visited from month-to-month:

• .ru was the 4th most popular TLD by unique domain visited in October and December, however it dropped to the 7th spot in November.
• .au, .uk, and .edu make up the 5-7 spots, with the exception of November when .uk beat out .ru for the 4th spot.

The chart below shows the breakdown of TLDs based on total number of transactions as opposed to unique domains. This view would favor those TLDs hosting popular sites which receive higher volumes of overall traffic.
TLDs by Total Transactions

Top 10 TLDs By Transaction Per Month (Excluding .com/.net)

TLD    October  November  December
org    1.57%    1.54%     1.44%
au     0.66%    0.97%     0.78%
in     0.62%    0.38%     0.41%
tv     0.36%    0.35%     0.55%
uk     0.29%    0.44%     0.41%
de     0.16%    0.23%     0.26%
gov    0.22%    0.19%     0.25%
fr     0.24%    0.21%     0.18%
edu    0.21%    0.18%     0.20%
pe     0.23%    0.22%     0.16%
Transaction to Domain Ratio

The data from the top TLDs by unique domain and top TLDs by transaction can be combined to find:

• The TLDs with the highest ratio of transactions to domains – indicating a large number of transactions across a small subset of domains. In other words, there are only a few unique domains in the TLD that make it popular.
• The TLDs with the lowest ratio of transactions to domains – indicating a number of domains among which the transactions are spread out. In other words, the unique domains that have a small number of visits or transactions.
Top 25 TLDs by transaction-to-domain ratio, per month (columns: TLD and ratio for October, November, December)

Rank  October        November       December
1 nu 5063 nu 8083 net 3737
2 net 3617 net 3428 nu 2824
3 ly 2140 ly 1792 ly 1699
4 tv 1719 tv 1568 tv 1692
5 pe 1326 id 1267 fm 1307
6 fm 1140 pe 1159 lan 1260
7 in 803 lan 1153 pe 1228
8 com 726 fm 968 com 799
9 it 707 ir 807 in 765
10 id 677 com 702 im 713
11 aero 676 it 678 pf 701
12 hn 662 in 655 it 633
13 tr 655 th 622 gov 592
14 au 520 au 584 th 587
15 su 500 tr 531 vn 546
16 im 483 gr 515 au 517
17 gov 480 dk 503 ir 485
18 ke 422 local 471 za 463
19 ph 409 hn 398 hn 461
20 ec 400 gov 392 tr 436
21 int 391 mx 389 mx 417
22 co 355 ke 374 sg 382
23 fr 341 io 368 ke 380
24 th 330 co 331 va 372
25 mx 315 ec 325 ec 368
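The ratio in the table above can be computed straight from proxy logs, which is how a defender turns it into a check for TLDs dominated by a single host. The following Python is an added example, not code from the report or from Zscaler; it assumes a constructed log format of "<timestamp> <client> <url>" and uses constructed request counts against hostnames the report itself names.

```python
"""Transaction-to-domain ratio per TLD, computed from web proxy log lines.

Added example (not part of the Zscaler report): the report combines the
"TLDs by unique domain" and "TLDs by transaction" views into a ratio of
transactions per unique domain.  A TLD with a very high ratio is dominated
by one or a few domains, which may be a popular service (bit.ly under .ly)
or a beaconing command-and-control host (cvnxus.mine.nu under .nu).
The log format and all sample lines below are constructed for illustration.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log: "<timestamp> <client> <url>" per line.  Hostnames
# are the report's own examples; the request counts are illustrative only.
SAMPLE_LOG = "\n".join(
    ["2009-12-01T10:00:00 10.0.0.5 http://www.google.com/search?q=x"] * 40
    + ["2009-12-01T10:01:00 10.0.0.6 http://www.facebook.com/home.php"] * 30
    + ["2009-12-01T10:02:00 10.0.0.7 http://example.com/index.html"] * 5
    + ["2009-12-01T10:03:00 10.0.0.8 http://bit.ly/abc123"] * 60
    + ["2009-12-01T10:04:00 10.0.0.9 http://cvnxus.mine.nu:53/30080000"] * 500
    + ["2009-12-01T10:05:00 10.0.0.10 http://www.example.nu/"] * 2
)


def tld_of(host: str) -> str:
    """Return the last label of a hostname ('www.example.com' -> 'com')."""
    return host.rsplit(".", 1)[-1].lower()


def host_of(url: str) -> str:
    """Hostname without the port; the :53 in the C&C example is dropped."""
    return (urlsplit(url).hostname or "").lower()


def tld_ratios(log_text: str):
    """Per TLD: transactions, unique domains, ratio, and the busiest domain.

    'top_share' is the fraction of the TLD's transactions that go to its
    single busiest domain, which is what explains a high ratio.
    """
    per_tld = defaultdict(Counter)        # tld -> Counter(domain -> hits)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                       # skip malformed lines
        host = host_of(parts[2])
        if not host or "." not in host:
            continue                       # bare host or no TLD to attribute
        per_tld[tld_of(host)][host] += 1
    result = {}
    for tld, domains in per_tld.items():
        transactions = sum(domains.values())
        top_domain, top_hits = domains.most_common(1)[0]
        result[tld] = {
            "transactions": transactions,
            "domains": len(domains),
            "ratio": transactions / len(domains),
            "top_domain": top_domain,
            "top_share": top_hits / transactions,
        }
    return result


def high_ratio_tlds(stats, reference_tld="com", factor=2.0):
    """TLDs whose ratio exceeds `factor` times the reference gTLD's ratio.

    The report uses .com as the baseline (726:1 to 799:1 in Q4 2009) and
    singles out .ly and .nu for having more than double that ratio.
    """
    baseline = stats[reference_tld]["ratio"]
    return sorted(
        (tld for tld, s in stats.items() if s["ratio"] > factor * baseline),
        key=lambda t: stats[t]["ratio"],
        reverse=True,
    )


if __name__ == "__main__":
    stats = tld_ratios(SAMPLE_LOG)
    for tld in high_ratio_tlds(stats):
        s = stats[tld]
        print(f".{tld}: {s['ratio']:.0f}:1, {s['top_share']:.0%} of hits go to {s['top_domain']}")
```

On real logs, a flagged TLD whose top domain is an unknown host on an unusual port is the case to investigate first; a flagged TLD whose top domain is a known shortener or social site is the benign case the report describes.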
Well utilized, generic TLDs (gTLD), such as .com, will have a high ratio because domains like Google, Facebook, Amazon, Yahoo, Microsoft, MySpace, Twitter, etc. contain a large number of the transactions to that TLD. This is however offset to a certain extent because there are also a large number of popular domains on these gTLDs and these unique domains will lower the ratio somewhat, though it remains relatively high overall. For example, October – December 2009 saw .com ratios of 726:1, 702:1, and 799:1 respectively.

It is interesting to further analyze domain results for less popular TLDs and those that had a higher ratio than the gTLDs, both from a statistical and trending perspective as well as from a security perspective. Miscreants frequently register domains with TLDs that are less in demand because they are cheaper, and in some cases the particular domain registry (maintainer of the TLD) and/or registrar (maintainer of the domain record) will have poor abuse handling procedures. Additionally, the registry and/or registrar may either be complicit in the illegal activity or be in a jurisdiction/country with a legal system that protects the domain from being de-registered or having the registration information shared with law enforcement.

TLDs with a high ratio of transactions per unique domain have one or more domains with a large number of transactions. It is interesting to sift through the records to explain the high-ratio TLDs. They may be the result of a malicious command and control (C&C) or information drop server that has a large number of transactions beaconing to the domain's server, or it could be something benign, such as a popular social networking site in a particular country. One such example of a benign domain within a TLD that bubbled to the top was .ly. This TLD had a ratio of 2140:1, 1792:1, and 1699:1 in the October – December timeframe. These ratios were more than double the ratios that .com had during these months. This high ratio is explained by this TLD being relatively unpopular as far as unique domains go, but having a large number of transactions to a popular domain - namely bit.ly, a popular URL shortening service.

The .nu TLD had even higher ratios of 5063:1, 8083:1, and 2824:1 in Q4 2009. The .nu TLD is assigned to the island state of Niue, and Wikipedia states that the TLD "is particularly popular in Sweden, Denmark, the Netherlands and Belgium, as nu is the word for 'now' in Swedish, Danish, and Dutch." While the domain may be popular for these countries, our ratio shows that a relatively small number of domains are dominating the transactions for this TLD. Running a query against the Zscaler NanoLogs for the .nu domains and count of transactions yielded a large percentage of the transactions to the domain cvnxus.mine.nu. The transactions to the domain appear as:

hxxp://cvnxus.mine.nu:53/30080000

Further analysis revealed that there were several bot infected hosts that were beaconing TCP ACK packets to this host. Zscaler has since notified and assisted impacted customers. A separate white paper detailing this analysis will be released.
Top Domains Visited

Many of the most visited domains are actually those that operate behind the scenes. liveperson.net for example is a real-time support tool used by a variety of large online retail and services companies such as Bank of America, AT&T and IBM[3]. As such, when receiving email and chat based customer support at such companies, certain traffic is actually redirected to the liveperson.net domain. Top domains are calculated based on the total number of transactions. As such, sites delivering images, streaming content or requiring frequent communication of some form tend to score higher. Advertising based traffic was very prevalent with ad management platforms such as doubleclick.net and yieldmanager.com, both landing in the top 10. Google, Yahoo! and Facebook all ranked high, as did domains owned and managed by them. fbcdn.net and yimg.com serve up Facebook and Yahoo! content respectively. google-analytics.com, a Google tool for tracking site visitors, receives significant traffic due to the fact that links to the domain are posted on numerous third party sites.

[3] http://solutions.liveperson.com/company/customers/

Chart: Top 10 Domains Visited By Month Q4 2009 (October, November, December; percentage axis 0% to 30%). Domains in rank order: liveperson.net, google.com, doubleclick.net, fbcdn.net, yahoo.com, yimg.com, facebook.com, google-analytics.com, yieldmanager.com, login.icq.com.
CIDR Block Distribution

CIDR notation is a way of writing a block of IP addresses, where the suffix number is the number of bits to include from the IP for the block[4]. For example:

• 192.168.1.0/24 is the IP block: 192.168.1.0-192.168.1.255
• 192.168.0.0/16 is the IP block: 192.168.0.0-192.168.255.255
• 192.0.0.0/8 is the IP block: 192.0.0.0-192.255.255.255

The chart below shows the top 25 most popular, highly utilized IP blocks based on Zscaler customer traffic. These results are displayed in three ways: (1) a narrow (/24 IP block) viewpoint, (2) a middle (/16 IP block) viewpoint, and (3) a broader (/8 IP block) viewpoint. The narrow (/24) viewpoint is largely comprised of popular end-user sites/services that are distributed across their IP block. The 4th quarter included some of the busiest shopping months of the year. This, combined with Amazon's utilization of their IP blocks (e.g., their EC2 service), accounted for Amazon having the top 10 /24 IP blocks by number of unique IPs visited. MySpace and Vkontakte are social networking sites that seem to distribute their user load and/or content among a number of web server IPs in their block. The middle (/16) viewpoint displays some of the more popular hosting and service providers by unique IPs visited, such as 1&1, Digital United, Taiwan Fixed Network, and HiNet. It is interesting that when looking at the most popular IP blocks from a middle aggregation point (/16 IP blocks), more Asia based IP blocks bubble to the top. From smaller (/24 IP blocks) and larger (/8 IP blocks) IP aggregation points, more United States based, ARIN space finds its way into the top 25 blocks by unique IP visited. This suggests that Asian / APNIC service and hosting providers may largely be constructed of /16 or similar sized blocks.

[4] http://en.wikipedia.org/wiki/CIDR_notation
Top 25 IP blocks by unique web server IPs visited, Q4 2009

Rank  /24 CIDR Block  Organization  /16 CIDR Block  Organization  /8 CIDR Block
1 216.137.37.0/24 Amazon 74.208.0.0/16 1&1 Internet Inc. 74.208.0.0/8
2 216.137.39.0/24 Amazon 123.204.0.0/16 Digital United 69.0.0.0/8
3 216.137.41.0/24 Amazon 124.8.0.0/16 Taiwan Fixed Network 216.0.0.0/8
4 216.137.45.0/24 Amazon 114.44.0.0/16 HiNet 66.0.0.0/8
5 216.137.47.0/24 Amazon 219.85.0.0/16 Sony Network Taiwan 74.0.0.0/8
6 216.137.55.0/24 Amazon 124.218.0.0/16 Asia Pacific On-line 208.0.0.0/8
7 216.137.59.0/24 Amazon 122.121.0.0/16 HiNet 64.0.0.0/8
8 216.137.53.0/24 Amazon 220.136.0.0/16 HiNet 72.0.0.0/8
9 216.137.43.0/24 Amazon 125.230.0.0/16 HiNet 67.0.0.0/8
10 216.137.61.0/24 Amazon 114.47.0.0/16 HiNet 61.0.0.0/8
11 63.135.88.0/24 MySpace 112.104.0.0/16 Digital United 218.0.0.0/8
12 216.137.35.0/24 Amazon 59.117.0.0/16 HiNet 209.0.0.0/8
13 91.192.55.0/24 spamfighter.com 118.160.0.0/16 HiNet 118.0.0.0/8
14 93.186.229.0/24 Vkontakte.ru 74.125.0.0/16 Google Inc. 174.0.0.0/8
15 70.35.16.0/24 Netfirms, Inc. 218.172.0.0/16 HiNet 65.0.0.0/8
16 93.186.230.0/24 Vkontakte.ru 69.192.0.0/16 Akamai Technologies 122.0.0.0/8
17 64.71.33.0/24 affinity.com 96.17.0.0/16 Akamai Technologies 207.0.0.0/8
18 69.89.31.0/24 bluehost.com 96.6.0.0/16 Akamai Technologies 87.0.0.0/8
19 65.54.81.0/24 Microsoft.com 118.171.0.0/16 HiNet 220.0.0.0/8
20 64.12.24.0/24 aol.net 219.81.0.0/16 Taiwan Fixed Network 124.0.0.0/8
21 124.218.196.0/24 Asia Pacific On-line 114.40.0.0/16 HiNet 125.0.0.0/8
22 124.218.194.0/24 Asia Pacific On-line 219.84.0.0/16 Sony Network Taiwan 219.0.0.0/8
23 124.218.198.0/24 Asia Pacific On-line 218.163.0.0/16 HiNet 59.0.0.0/8
24 124.218.200.0/24 Asia Pacific On-line 61.31.0.0/16 Taiwan Fixed Network 96.0.0.0/8
25 124.218.202.0/24 Asia Pacific On-line 114.43.0.0/16 HiNet 82.0.0.0/8
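The three aggregation levels in the table above, as an added example that is not the report's or Zscaler's code: given the destination IPs a proxy logged, count distinct web-server IPs per /24, /16 and /8 and rank the blocks, using only Python's standard ipaddress module. The IP list is constructed; two of its blocks borrow the Amazon and 1&1 prefixes the report lists, and it includes junk and private entries to show the filtering.

```python
"""Unique web-server IPs per CIDR block at three aggregation levels.

Added example (not from the Zscaler report): the report ranks the /24, /16
and /8 blocks that contain the most distinct web-server IPs visited.  This
reproduces that aggregation over a constructed list of destination IPs and
also applies the report's definition of CIDR notation to give a block's
first and last address.
"""
import ipaddress
from collections import Counter

# Constructed destination IPs as a proxy would log them.  Duplicates are
# repeat visits; only distinct addresses count toward a block's score.
SAMPLE_DEST_IPS = (
    [f"216.137.37.{i}" for i in range(1, 41)]                  # Amazon /24 from the report
    + [f"216.137.39.{i}" for i in range(1, 11)] * 3            # ten IPs, each visited 3 times
    + [f"74.208.{s}.{h}" for s in range(1, 21) for h in (10, 20)]  # 1&1 /16 from the report
    + ["not-an-ip", "10.0.0.1", "192.0.2.5"]                   # junk, private, TEST-NET-1
)


def cidr_range(block: str):
    """First and last address of a block, e.g. 192.168.1.0/24 -> (.0, .255)."""
    net = ipaddress.ip_network(block, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def unique_ips_per_block(ips, prefix_len: int):
    """Counter of distinct IPv4 addresses per /prefix_len block.

    Unparseable entries and non-global addresses (private, loopback,
    documentation ranges) are skipped, matching a 'web servers visited'
    view: those can never be an Internet web server's address.
    """
    seen = set()
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue                      # not an IP literal at all
        if addr.version != 4 or not addr.is_global:
            continue
        seen.add(addr)
    counts = Counter()
    for addr in seen:
        block = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        counts[str(block)] += 1
    return counts


def top_blocks(ips, prefix_len: int, n: int = 5):
    """Top-n blocks by distinct IPs, as (block, count) pairs."""
    return unique_ips_per_block(ips, prefix_len).most_common(n)


if __name__ == "__main__":
    print(cidr_range("192.168.1.0/24"))
    for plen in (24, 16, 8):
        print(f"/{plen}:", top_blocks(SAMPLE_DEST_IPS, plen))
```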
To get a clearer picture of actual organizations with a large number of visited web servers (unique web server IPs), a chart was created breaking out unique IPs visited per autonomous system. An autonomous system (AS) is a collection of connected IP blocks under the control of a group/organization. The first and third most popular ASs are Asian, which correlates with our previous statement.

ASN Distribution
Rank ASN Organization Percentage
1 AS3462 HINET Data Communication Business Group 13.36%
2 AS21844 ThePlanet.com Internet Services, Inc. 2.31%
3 AS9924 Taiwan Fixed Network, Telco and Network Service Provider. 1.53%
4 AS2914 NTT America, Inc. 1.36%
5 AS8560 1&1 Internet AG 1.33%
6 AS7132 AT&T Internet Services 1.27%
7 AS4780 Digital United Inc. 1.21%
8 AS33070 Rackspace.com, Ltd. 1.02%
9 AS4134 CHINANET-BACKBONE No.31,Jin-rong Street 1.01%
10 AS18182 Sony Network Taiwan Limited 1.01%
11 AS36351 SoftLayer Technologies Inc. 0.97%
12 AS26347 New Dream Network, LLC 0.95%
13 AS26496 GoDaddy.com, Inc. 0.95%
14 AS3269 TELECOM ITALIA 0.86%
15 AS209 Qwest Communications Company, LLC 0.82%
16 AS3356 Level 3 Communications 0.63%
17 AS20940 Akamai Technologies European AS 0.62%
18 AS15169 Google Inc. 0.53%
19 AS16276 OVH 0.50%
20 AS32244 Liquid Web, Inc. 0.48%
21 AS3215 France Telecom - Orange 0.43%
22 AS12322 PROXAD AS for Proxad/Free ISP 0.41%
23 AS3549 Global Crossing Ltd. 0.33%
24 AS22822 Limelight Networks, Inc. 0.33%
25 AS7482 Asia Pacific On-line Service Inc. 0.27%
Geography

The majority of requested web content resides on servers located in the United States. With the exception of a spike in October and part of November for content located in Taiwan, traffic destined for non-US based web sites was fairly evenly distributed across servers located primarily in a variety of countries in Europe and Asia.
Top 10 Destinations By Country Q4 2009 (by month)
Country October November December
United States 35.73% 44.42% 55.74%
Taiwan 34.22% 10.41% 3.15%
Germany 2.76% 4.36% 4.32%
France 1.82% 5.27% 2.84%
United Kingdom 2.21% 3.42% 3.83%
China 2.01% 2.70% 2.66%
Canada 1.97% 2.54% 2.71%
Italy 2.55% 1.63% 0.87%
Russian Federation 1.42% 2.09% 1.83%
Japan 1.64% 1.65% 1.61%
Top 10 Destinations By Region Q4 2009 (by month)
Region October November December
Taipei 30.14% 9.10% 2.67%
California 6.94% 7.23% 8.87%
Texas 4.87% 6.40% 8.33%
Massachusetts 1.98% 2.71% 3.61%
Pennsylvania 1.55% 2.06% 2.62%
Arizona 1.53% 2.00% 2.65%
New York 1.41% 1.92% 2.17%
Illinois 1.30% 1.71% 2.15%
Taiwan 3.26% 1.04%
Florida 1.25% 1.64% 2.08%
From a regional perspective, Taipei hosted much of the Taiwanese based content which accounted for the surge in October and November. As for US traffic, both California and Texas account for the bulk of content, with the remainder tending to be located on the East Coast.
Top 10 Destinations By City Q4 2009 (by month)
City October November December
Taipei 30.14% 9.10% 2.67%
Houston 1.87% 2.48% 3.21%
Cambridge 1.41% 1.98% 2.79%
San Antonio 1.08% 1.40% 1.85%
Dallas 0.98% 1.30% 1.73%
Scottsdale 0.75% 1.00% 1.34%
Englewood 0.77% 0.97% 1.30%
Seattle 0.71% 0.91% 1.17%
Moscow 0.71% 0.99% 0.93%
Brea 0.66% 0.83% 1.12%
File Types

Many assume that web traffic is dominated by HTML content. While that may have been true a decade ago, the media rich, dynamic web applications available today are filled with images, formatting elements, data and active content. For the 4th quarter JPEG (28.74%) and GIF (28.68%) images alone accounted for more than half of the total number of transactions. This is a testament to the visual nature of the web. JavaScript, the 'work horse' of modern, user-friendly web applications, was responsible for only 3.95% of transactions. HTML files fell just outside of the top 10 and drove 0.57% of traffic.

Top 10 File Types Q4 2009
jpeg  28.74%
gif   28.68%
gz    24.40%
png   6.25%
js    3.95%
css   1.82%
swf   1.14%
xml   0.72%
txt   0.66%
jpg   0.57%
Request Method

Predictably, GET requests account for the majority of traffic. Generally speaking, GET and POST requests are the most often-used communication methods employed by web applications, the difference being that a GET request passes request variables within the URL itself while POST requests pass variables as a portion of the request header. Each approach has advantages and disadvantages but given size limitations for GET requests, the POST method tends to be reserved for situations such as filling out a web form when more substantial amounts of data need to be transmitted, while GET requests are leveraged for general web page rendering. It is, however, interesting to note the percentages of overall traffic related to request and response size. Even though POST requests accounted for 7.18% of transactions during the quarter, (given their use in uploading content), such requests were responsible for more than twice as much (15.16%) of total outbound web traffic. HTTP CONNECT requests by contrast have the opposite effect. Such requests are used to initiate traffic on an alternate port. As such the requests are limited in size.

Request Methods Q4 2009 (share of transactions, of request bytes and of response bytes)
Method   Transactions  Request Size  Response Size
GET      86.58%        83.46%        96.29%
POST     7.18%         15.16%        3.67%
CONNECT  6.04%         1.05%         0.02%
HEAD     0.14%         0.07%         0%
INVALID  0.04%         0.24%         0%
MOVE     0%            0%            0%
Response Code

Top 10 Response Codes Q4 2009
200 - OK                  78.98%
304 - Not Modified        8.94%
302 - Found               3.22%
307 - Temporary Redirect  2.23%
Invalid                   2.00%
404 - Not Found           1.35%
204 - No Content          0.98%
403 - Forbidden           0.80%
301 - Moved Permanently   0.60%
206 - Partial Content     0.28%

Just over 4 out of 5 requests (80.29%) returned a 200 level (success) code representing that the content had been delivered and no further action was required. 300 level (redirection) codes, indicating additional action required by the requesting browser, overall accounted for 15% of traffic. Client errors (400) were relatively rare at 2.49%, but not as rare as server errors (500), which occurred only 0.11% of the time.
Web Browser Statistics

Browser Version

Chart: Browser Market Share By Month Q4 2009 (IE, Firefox, Safari, Opera, Chrome, Unknown, Other; October, November, December; the values are given in the table at the end of this section)

While Internet Explorer clearly continues to dominate, we are witnessing a slow but steady decline in overall market share. Regardless, other browser vendors have a long way to go before they will surpass the long standing market leader. We saw a greater than 6% jump in market share for Firefox during the month of December. However this can be largely attributed to improved detection methods as opposed to an unexpected surge in traffic. You will note that Unknown traffic declined a similar amount during the same time period. Unknown traffic accounts for a reasonable amount of traffic as today the majority of desktop applications communicate via HTTP/HTTPS for a variety of reasons including the retrieval of additional content, providing online support, downloading patches and submitting error reports. Safari, Opera and Chrome combined continue to account for less than two percent of the traffic that we're seeing. It will be interesting to watch Chrome in the coming months as Google is starting to leverage its reach to promote the browser.
Internet Explorer Breakdown Q4 2009: IE 6.0 48%, IE 7.0 46%, IE 8.0 5%, IE Other 1%

Looking at the breakdown of Internet Explorer traffic for the quarter is particularly concerning. The majority of enterprises continue to maintain Internet Explorer 6.x as their browser of choice. While IE 6 continues to be supported by Microsoft, meaning that patches are deployed for any known vulnerabilities, it lacks numerous security features present in IE 7 and 8. IE 6 does not maintain malicious URL and phishing block lists, a feature that is now commonplace in all major browsers and is even making its way into mobile browsers. Additionally, IE 6 lacks protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), two features which increase the complexity of executing shellcode should a remote browser exploit be uncovered. During the Operation Aurora attack, when Google, Adobe and other high profile enterprises were allegedly infiltrated by Chinese attackers, the attacks only targeted IE6. While IE 7 & 8 were vulnerable to the same attack vector, reliable exploit code had not been produced for these versions of the browser due to additional protections such as DEP and ASLR. IE 8 also added a critical feature which has now been adopted by Chrome - the inclusion of cross-site scripting protection, yet another feature that IE 6 lacks. It is vital that enterprises move away from IE 6, even though it continues to be supported by Microsoft, and adopt IE 8 to take advantage of numerous security enhancements. Google has indirectly taken an important step toward forcing this change by dropping support for Google Docs and Google Sites in IE 6, starting in March 2010.

Browser Market Share By Month Q4 2009
Browser            October  November  December
Internet Explorer  75.31%   73.77%    72.21%
Firefox            8.44%    8.87%     15.32%
Safari             1.41%    1.38%     1.39%
Opera              0.02%    0.06%     0.09%
Chrome             0.06%    0.02%     0.03%
Unknown            13.04%   14.18%    9.33%
Other              1.72%    1.72%     1.63%
Total              100.00%  100.00%   100.00%
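One way to produce the table above from your own proxy logs, and to find which clients are still on the IE 6 version this section singles out, as an added example that is not the report's or Zscaler's code: classify each User-Agent string by browser family and version, tally the share per family, and list the client IPs reporting IE 6. The log lines are constructed; the User-Agent layouts are the ones browsers of that period sent.

```python
"""Classify proxy User-Agent strings by browser family and flag IE 6 clients.

Added example (not from the Zscaler report): the report's browser table is
derived from User-Agent inspection and shows most IE traffic still on IE 6,
which lacks the DEP, ASLR, phishing block list and XSS filter protections
of IE 7/8.  This parser gives a defender the same breakdown for their own
logs plus an inventory of hosts to migrate.  The log lines are constructed.
"""
import re
from collections import Counter

# Constructed sample log: "<client_ip> <user-agent>" per line.
SAMPLE_LOG = """\
10.1.1.10 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
10.1.1.11 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
10.1.1.12 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
10.1.1.13 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
10.1.1.14 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.30 Safari/532.5
10.1.1.15 Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_2; en-us) AppleWebKit/531.21.8 (KHTML, like Gecko) Version/4.0.4 Safari/531.21.10
10.1.1.16 Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.10
10.1.1.17 Microsoft-CryptoAPI/6.1
10.1.1.10 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
"""

_VER = r"(\d+(?:\.\d+)?)"   # major.minor, e.g. "6.0" out of "MSIE 6.0"


def classify(user_agent: str):
    """Return (family, version) for a User-Agent, or ('Unknown', '').

    Order matters: Chrome UAs also contain 'Safari/', and Opera reports its
    real version in a trailing 'Version/' token, so those are checked first.
    Anything unmatched (updaters, CryptoAPI, other desktop software) lands
    in 'Unknown', the bucket the report attributes to non-browser clients.
    """
    ua = user_agent
    m = re.search(r"MSIE " + _VER, ua)
    if m:
        return "IE", m.group(1)
    if ua.startswith("Opera/"):
        m = re.search(r"Version/" + _VER, ua) or re.search(r"Opera/" + _VER, ua)
        return "Opera", m.group(1)
    m = re.search(r"Chrome/" + _VER, ua)
    if m:
        return "Chrome", m.group(1)
    m = re.search(r"Firefox/" + _VER, ua)
    if m:
        return "Firefox", m.group(1)
    m = re.search(r"Version/" + _VER + r".*Safari/", ua)
    if m:
        return "Safari", m.group(1)
    return "Unknown", ""


def browser_share(log_text: str):
    """Percentage of transactions per browser family, like the report's table."""
    counts = Counter()
    for line in log_text.splitlines():
        _ip, _, ua = line.partition(" ")
        if not ua:
            continue                      # malformed line without a UA
        counts[classify(ua)[0]] += 1
    total = sum(counts.values())
    return {family: round(100 * n / total, 2) for family, n in counts.items()}


def ie6_hosts(log_text: str):
    """Distinct client IPs whose User-Agent reports IE 6 (any 6.x)."""
    hosts = set()
    for line in log_text.splitlines():
        ip, _, ua = line.partition(" ")
        family, version = classify(ua)
        if family == "IE" and version.split(".")[0] == "6":
            hosts.add(ip)
    return sorted(hosts)


if __name__ == "__main__":
    print(browser_share(SAMPLE_LOG))
    print("IE 6 clients:", ie6_hosts(SAMPLE_LOG))
```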
User Statistics

Attackers are no longer targeting web and email servers. Instead, they are focusing on the weakest link in the security chain - end users. Whether such attacks leverage technical vulnerabilities, or more likely, social engineering attacks, web based, client-side attacks are the most common way to compromise end user machines. As such it's vital for enterprises to understand user behavior on the web.

URL Categorization

Given the corporate focus of Zscaler clients it isn't surprising that categories such as Professional Services and Corporate Marketing would top the list. More interesting are the high placements of personal traffic such as Shopping, Sports, Entertainment and games. In fact, the majority of sites beyond the top 10 are personal in nature. Overall, approximately 1/5 of traffic could be deemed to be personal in nature. While Zscaler delivers an enterprise offering it is not uncommon for employees to leverage corporate assets after work hours for personal purposes and as such, some of this traffic was likely generated outside of work hours. Below we break down a select number of individual categories to reveal the top 10 domains within each.
Search Engines

The search engine game remains a three-horse race, with Google continuing to handle the majority of traffic. After the big three, contenders are hard to find. Disney's Go.com, whose search is actually powered by Yahoo!, sat in fourth place at 1.22%, and Baidu, a powerhouse in the Chinese market, handled 1.00% of web search traffic for Q4 2009.

Top Search Engines, Q4 2009
Google       57%
Yahoo!       18%
Microsoft    10%
Other        15%
20. Social Networking

The dominance of Facebook in the social networking realm is clear. Three quarters of all social networking traffic traversing the Zscaler network is destined for Facebook. MySpace has solid control of second place with 15% of traffic, but the gap between first and second place is enormous and only appears to be getting larger. It is also worth considering that the majority of traffic in these statistics is corporate traffic. While a portion of requests are no doubt personal in nature, this also suggests that Facebook is becoming the social platform of choice for enterprises. More and more, corporations are attempting to leverage social networks for marketing, recruiting and investigating potential new hires.

Top Social Networking Sites, Q4 2009
Facebook     74%
MySpace      15%
Other        11%
File Sharing

Si@mBIT, a Thailand-based web hosting provider describing itself as "the best Thailand Bittorrent website since 2005", led statistics for the quarter with 37.49% of all file sharing traffic. The third largest domain, tb.in.th, is also controlled by Si@mBIT and commanded 12.98% of traffic, giving Si@mBIT approximately half of the file sharing traffic for the quarter. FilesTube, a search engine dedicated to file downloads, had 25.31% of traffic.

Top File Sharing Domains, Q4 2009
siambit.com        37.49%
filestube.com      25.31%
tb.in.th           12.98%
sftcdn.net          9.68%
iptorrents.com      3.06%
limewire.com        2.95%
Other               1.98%
seedpeer.com        1.07%
21. Government

Q4 means that Christmas is on the way, and it would appear that the United States Postal Service (USPS) was a popular destination for holiday shoppers looking to determine whether their gifts would arrive on time. USPS accounted for 16.20% of government-related traffic during the quarter.

Top 10 Government Domains, Q4 2009
usps.com         16.20%
nraila.org        5.14%
weather.gov       3.60%
uspto.gov         2.25%
www.sec.gov       1.73%
state.fl.us       1.47%
fema.gov          1.38%
www.irs.gov       1.36%
michigan.gov      1.12%
military.com      1.03%
Retail

Q4 is of course the peak online shopping season, a time when retailers look to make the majority of their profit for the year. If web traffic is any indication, Amazon was the big winner, having claimed 3.63% of total retail traffic. ShopLocal, which took the number two spot, is not a retailer itself but rather a site that republishes flyers for local stores so that users can find deals specific to their geographic area. The company makes money through advertising on the site.

Top 10 Shopping Sites, Q4 2009
Amazon             3.63%
ShopLocal.com      2.90%
Macy's             2.59%
Shop.com           2.55%
Overstock          1.88%
JC Penney          1.87%
Target             1.52%
Costco             1.27%
Barnes & Noble     1.10%
QVC                1.10%
22. Security Statistics

Threats

Next, we'll break down the various threats that we see on a daily basis. These results are based on actual end user traffic and therefore reflect popular and active malicious sites, as opposed to sites that may exist but are not visited.

Malware by IP Address

Worms, viruses, Trojans and other forms of malware can be found just about everywhere on the web today. However, malicious content is not necessarily hosted at sites that are themselves malicious. More and more, we're seeing otherwise legitimate sites hosting malware without being aware of it. This is an increasing concern given the trend toward permitting user-supplied content to be shared. Unfortunately, many sites are doing little to ensure that hosted content is not malicious before it is stored for others to access.

Top 10 Malware IP Addresses, Q4 2009
38.99.186.14      38.63%
208.71.120.24     25.68%
208.71.121.24     13.41%
124.153.77.48      5.52%
217.23.7.7         2.73%
64.14.29.50        1.32%
216.86.150.237     1.01%
208.76.70.56       1.00%
74.125.19.83       0.91%
74.125.19.18       0.88%
Malware by Country

Sites hosted in the United States overwhelmingly hosted the majority of malware, and for this reason we have broken them out separately. 80.32% of malware seen during Q4 2009 originated from US-based servers. This should not, however, be interpreted as US-based traffic being particularly risky; rather, it reflects the fact that the majority of traffic inspected was destined for servers located in the US. This can be seen in the Geography section of this paper.

Top Countries Serving Malware, Q4 2009
United States     80%
Other             20%
23. Top 10 Countries Serving Malware (US Excluded)

[Pie chart: shares of 25%, 20%, 14%, 11%, 6%, 6%, 6%, 5%, 5% and 3% across Netherlands, India, Germany, China, Cyprus, Russian Federation, United Kingdom, Canada, Korea (Republic of) and France.]
Phishing

The top phishing site blocked was coolxd.com, which accounted for roughly 70% of the quarter's phishing numbers. The site itself was recently removed from the Internet. This scam site is effectively the same as the heyxd.com, omgxd.com and imnotez.com sites. These sites steal the victim's email and instant messenger credentials (username and password) and then notify the people on the victim's contact list to check out the site. Advertisements, fraud and/or malware are then spammed to and through the victim accounts. The sites advertised a service that would let users IM pictures and other content to share directly to a forum.

Top 10 Phishing IP Addresses, Q4 2009
208.43.210.147     70.83%
219.232.243.74      7.21%
219.232.243.65      1.91%
219.232.243.91      1.64%
219.232.243.75      1.47%
219.232.243.15      0.84%
219.232.243.90      0.61%
219.232.241.178     0.57%
219.232.243.87      0.55%
174.143.29.2        0.50%
24. Malicious Domains

Three domains accounted for roughly 55% of malicious URL transactions:

• adfarm.mediaplex.com
• link4you.3322.org
• www.tns-counter.ru

adfarm.mediaplex.com has been reported to be involved in spam, adware/spyware, phishing/scams and browser exploits [5]. The Mediaplex website details how the company "provides cross-channel advertising technology solutions and services that enable marketers to achieve one-to-one messaging, greater efficiencies and a competitive edge through insightful reporting and analytics" [6]. 3322.org is a dynamic DNS domain that has served malware and exploit content for some time [7]. tns-counter.ru is also known for serving adware/spyware/malware [8].

The majority of malicious sites are hosted in the US, with a full 63% of sites residing in North America. This is, however, more a reflection of where content in general resides, as opposed to North American content representing a higher overall risk.

Top 10 Malicious Domains, Q4 2009
adfarm.mediaplex.com        24.01%
link4you.3322.org           17.41%
www.tns-counter.ru          13.33%
www.winifixer.com            4.06%
www.freegaming.de            2.96%
dt.tongji.linezing.com       2.25%
img.12chan.org               1.72%
nspmotion.com                1.14%
acs86.com                    0.69%
stork27.dropbox.com          0.66%

Top Malicious Domains by Country, Q4 2009
United States     44%
Canada            19%
The remaining shares of 17%, 6%, 6%, 5% and 3% are split among Russian Federation, China, Germany, Netherlands and Other.

5 http://www.siteadvisor.com/sites/mediaplex.com/summary/
6 http://www.mediaplex.com/about.shtml
7 http://isc.sans.org/diary.html?storyid=5710
8 http://www.siteadvisor.com/sites/tns-counter.ru/summary/
25. Anonymizers

Over 30% of our anonymizer traffic was to kproxy.com. One of the features that Zscaler provides to customers is policy-based blocking based on page categorization, so customers have the ability to block users from browsing to, or through, proxy sites. kproxy.com provides a simple interface, not unlike Google's, to browse through, with SSL encryption as an additional capability. That SSL option also matters for filtering: once the session to the proxy is encrypted, a gateway that does not inspect SSL sees only the connection to kproxy.com, not the site being reached through it. Among the popular sites that kproxy advertises it works with are MySpace, Facebook, Gmail, YouTube and MegaUpload, all sites that may be blocked by company policy as not work-related. In other words, users are generally using these services to get around corporate policies and URL filtering rules, as opposed to using them to cloak their IP address from an external party.

Top 10 Anonymizers, Q4 2009
kproxy.com           30.51%
proxyswitcher.com    20.17%
freeproxylist.org     8.03%
archive.org           5.36%
freeproxy.ru          3.12%
privacy-world.com     1.83%
helllabs.net          1.76%
66.232.118.93         1.66%
proxybridge.com       1.57%
ktunnel.com           1.39%
Botnets

Generally speaking, correlating the malicious artifact to the top botnet hosts enables us to describe which malware campaigns were the most successful. The breakdown is as follows, and should come as no surprise to the security community for HTTP-based botnets:

1. Zeus/Zbot variants
2. Fake Anti-Virus variants
3. Banker Trojan variants

Top 10 Botnet IPs/Domains, Q4 2009
91.212.65.13        44.11%
66.235.175.5        15.67%
77.221.133.227       9.80%
88.80.7.152          8.39%
88.80.5.3            7.05%
77.221.133.189       5.74%
208.99.193.130       3.18%
meu89.net            1.91%
194.68.45.50         1.63%
69.61.21.115         0.28%

The top command and control IP address seen, 91.212.65.13, is based out of Ukraine and serviced both Zeus and FakeAV infections. The whois information for this host shows it belonging to the Eurohost/UralComp IP blocks. FireEye has a good write-up of this "bad actor" from almost a year ago [9], and malwaredomainlist, an archive of malicious web domains, has plenty of content for these IP blocks [10].

While Ukrainian and Russian IPs make up a large number of the botnet C&C servers, it was a little surprising to see that Sweden had a number of C&Cs in the top 25:

• 88.80.7.152
• 88.80.5.3
• 88.80.5.172
• 80.88.108.18

Further analysis of some of the Swedish hosts shows them belonging to PRQ (http://www.prq.se), a co-location and hosting provider. Their homepage states that they are known for their "boundless commitment to free speech" and "discrete customer relations policy". They also have an icon on their website that states "data retention is no solution", suggesting minimal or no logging. In other words, this hosting service would be ideal for hosting malicious sites while remaining protected from investigations and takedowns.
Traffic

Last, but not least, we'll investigate traffic patterns that would not be expected without the presence of errors or malicious content.

Bogon IP Space

Bogon (sometimes loosely called darknet) IP addresses represent non-routable IP blocks, either because they are reserved (for example, RFC 1918 private space) or because they are unallocated. Occasionally we see web requests to bogon IPs. Usually these are to RFC 1918 addresses (internal IP addresses), and the requests have leaked into the cloud because of a routing misconfiguration on the customer's network. However, there are also several occurrences of web requests to non-RFC 1918 bogons. This traffic is of interest, as it represents either human error or an infected machine that is randomly scanning IP address blocks looking for vulnerable hosts.

Top 10 Bogon IP Addresses, Q4 2009
1.1.1.1         7.74%
127.0.0.0       6.60%
198.18.1.18     5.35%
1.2.3.4         4.34%
0.0.0.2         2.99%
0.0.0.5         2.62%
198.18.1.15     2.60%
0.0.0.8         2.57%
198.18.1.2      2.20%
0.0.0.1         2.20%

Top 10 Bogon IP Address Blocks, Q4 2009
127.0.0.0/24        6.60%
1.2.3.0/24          4.34%
0.0.0.0/24          2.62%
50.0.0.0/24         2.04%
169.254.1.0/24      1.11%
169.254.178.0/24    0.56%
169.254.200.0/24    0.53%
169.254.8.0/24      0.37%
198.18.189.0/24     0.37%
0.1.0.0/24          0.34%

Some of the bogon traffic can be explained as follows:

• The 1.1.1.1 and 1.2.3.0/24 addresses and the 127.0.0.0/8 loopback range are likely the result of test scripts that people are running.
• The 169.254.0.0/16 addresses are part of Automatic Private IP Addressing (APIPA), which hosts fall back to when DHCP fails.
• The 198.18.0.0/15 block is reserved for benchmarking network equipment (RFC 2544) and should never be reached across the Internet.

The 50.0.0.0/24 IP block is interesting, though as yet unexplained. Searching for it shows that it is an IANA-unallocated block and that it shows up in some OSPF routing templates. It's possible that this block is commonly used as a reserve block in some intra-organization routing. However, the only IP address that was hit in this block was 50.0.0.82, which is curious. It is possible that there was a mistake in a script or routing statement. One caveat when acting on this data: unallocated space does not stay unallocated, and blocks such as 1.0.0.0/8 and 50.0.0.0/8 are candidates for allocation, so any filter built on a bogon list must be refreshed against the current IANA registry rather than hard-coded.

9 http://blog.fireeye.com/research/2009/03/bad-actors-part-6-eurohost-llc.html
10 http://www.malwaredomainlist.com/forums/index.php?board=23.0
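As an added example, not code from the Zscaler report, the script below applies the bogon reasoning above to outbound proxy log lines: it separates RFC 1918 leaks (which the report treats as routing misconfiguration) from requests to other bogons (which merit investigation), and rolls hits up to /24 blocks the way the second table does. The log format `<timestamp> <client_ip> <method> <url>`, the sample lines and the hard-coded list of /8s that were unallocated in Q4 2009 are all assumptions made for the example.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Special-use IPv4 prefixes that should never be the destination of outbound
# web traffic; the label records why each block is a bogon.
SPECIAL_USE = [
    ("0.0.0.0/8",      "this-network (RFC 1122)"),
    ("10.0.0.0/8",     "private (RFC 1918)"),
    ("127.0.0.0/8",    "loopback"),
    ("169.254.0.0/16", "link-local (APIPA)"),
    ("172.16.0.0/12",  "private (RFC 1918)"),
    ("192.0.2.0/24",   "documentation (TEST-NET-1)"),
    ("192.168.0.0/16", "private (RFC 1918)"),
    ("198.18.0.0/15",  "benchmarking (RFC 2544)"),
    ("224.0.0.0/4",    "multicast"),
    ("240.0.0.0/4",    "reserved"),
]
# Assumption: /8s that IANA had not allocated as of Q4 2009. Allocation
# status changes, so a live deployment must load a current bogon feed
# instead of hard-coding this list.
UNALLOCATED_Q4_2009 = ["1.0.0.0/8", "50.0.0.0/8"]

BOGONS = [(ipaddress.ip_network(p), label) for p, label in SPECIAL_USE]
BOGONS += [(ipaddress.ip_network(p), "unallocated (IANA, Q4 2009)")
           for p in UNALLOCATED_Q4_2009]


def bogon_category(host):
    """Return why `host` is a bogon, or None for hostnames and routable IPv4 literals."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return None  # only literal IPv4 destinations are judged here
    for net, label in BOGONS:
        if ip in net:
            return label
    return None


def destination_host(url):
    """Extract the host part of a proxy-logged URL; the scheme may be missing."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def summarize(log_lines):
    """Bucket bogon-bound requests into RFC 1918 leaks versus suspicious hits,
    and aggregate every hit to its /24 block.
    Assumed line format: <timestamp> <client_ip> <method> <url>."""
    report = {"rfc1918": Counter(), "suspicious": Counter(), "blocks": Counter()}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        host = destination_host(parts[3])
        label = bogon_category(host)
        if label is None:
            continue
        bucket = "rfc1918" if "RFC 1918" in label else "suspicious"
        report[bucket][(host, label)] += 1
        block = ipaddress.ip_network(host + "/24", strict=False)
        report["blocks"][str(block)] += 1
    return report


# Constructed sample log lines for the example; not real Zscaler data.
SAMPLE_LOG = """\
2009-12-01T09:00:01 192.0.2.10 GET http://10.1.2.3/intranet/
2009-12-01T09:00:02 192.0.2.10 GET http://www.example.com/
2009-12-01T09:00:03 192.0.2.11 GET http://1.1.1.1/test.html
2009-12-01T09:00:04 192.0.2.12 GET http://198.18.1.18/
2009-12-01T09:00:05 192.0.2.12 GET http://50.0.0.82/
2009-12-01T09:00:06 192.0.2.13 GET 169.254.1.7/
2009-12-01T09:00:07 192.0.2.14 GET http://127.0.0.0/
2009-12-01T09:00:08 192.0.2.15 GET http://0.0.0.2/
""".splitlines()

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for bucket in ("rfc1918", "suspicious"):
        print(bucket)
        for (host, label), n in result[bucket].most_common():
            print(f"  {host:<16} {n:>3}  {label}")
```

The split matters in triage: a burst of requests to 10.x or 192.168.x from one client is a routing or proxy configuration problem, whereas a single client touching 198.18.x, 0.x or unallocated space is either a broken test script or a host probing address space it has no business reaching.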
28. Conclusion

Understanding web traffic is critical for enterprises seeking to manage and secure their networks. Traffic is converging on the web at a rapid pace. A decade ago we leveraged firewalls to manage traffic on networks and determine which users could access which resources. Today, traffic is not neatly segregated into buckets based on protocols. Regardless of the traffic we're dealing with, be it email, instant messaging, P2P, streaming media, etc., it can be tunneled through HTTP/HTTPS. At the same time, attackers have shifted their focus to target end users. Some attackers take a shotgun approach, striking far and wide without concern for who the ultimate victims may be. This is the approach leveraged by those who build botnets: they seek infected machines and they do not discriminate. On the other side of the coin, Advanced Persistent Threats [11] are emerging on the radars of CISOs as the media highlights the sophistication of attacks on corporations, such as the Operation Aurora attacks that targeted Google, Adobe and others. Regardless of the approach, the majority of such attacks now leverage the web as the transport medium. Understanding the behaviors of end users, content providers and attackers on the web can help us to better manage and secure networks. We hope that you enjoyed this, our first quarterly State of the Web report.

11 http://www.zscaler.com/apt.html
29. Appendix

TLD Breakdown

Monthly Summary – Top TLDs Visited

Note: Pink shows larger fluctuations than yellow, and green shows no fluctuation.

Monthly Summary – Top TLDs by Transactions

Popularity  October 2009  November 2009  December 2009
1 COM COM COM
2 NET NET NET
3 ORG ORG ORG
4 AU AU AU
5 IN UK TV
6 TV IN ZA
7 UK TV IN
8 FR DE UK
9 PE PE DE
10 GOV FR GOV
11 EDU ZA EDU
12 DE GOV RU
13 RU NU FR
14 US EDU US
15 NU RU PE
16 IT IT CN
17 AR US IT
18 MX MX CA
19 CA CN SG
20 INFO AR MX
21 CO CA INFO
22 BR IE NU
23 CN INFO AR
24 ES TH PL
25 FM ES FM