Shadowserver - ASN & Netblock Alerting & Reporting Service

The Shadowserver Foundation is pleased to announce the formal roll out of our ASN/netblock alerting and reporting service.

The Shadowserver Foundation is an all volunteer, non-profit, vendor-neutral organization that gathers, tracks, and reports on malicious software, botnet activity, and electronic fraud. It is the mission of the Shadowserver Foundation to improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malicious software.

This reporting service is provided free-of-charge and is designed for ISPs, enterprises, hosting providers, and other organizations that directly own or control network space. It allows them to receive customized reports detailing detected malicious activity to assist in their detection and mitigation program. Shadowserver has been providing this service to many subscribers for over two years, and currently generate over 12,000 reports nightly. Since the response to this service has been extremely positive from our consumer base, we now wish to make it more widely and openly available.

Report Types

The reporting service monitors and alerts the following activity:

  • Detected Botnet Command and Control servers
  • Infected systems (drones)
  • DDoS attacks (source and victim)
  • Scans
  • Clickfraud
  • Compromised hosts
  • Compromised websites
  • Proxies
  • Spam relays
  • Open DNS Resolvers
  • Malicious software droppers and other related information.

The Shadowserver Foundation filters data received from its worldwide sensor and monitoring networks and employs an analysis engine to classify the attacks. It then sorts this data according to ASN, netblock, and even Geolocation. Detected malicious activity on a subscriber's network is flagged accordingly and is included in daily summation of reports detailing the previous 24 hours of activity. Reports are only sent upon detection of malicious activity. These customized reports are made freely available to the responsible network operators as a subscription service.

As we add in new data sources, or different methods of gathering data, this will be added either to existing reports, or new ones will be created as needed for new data types.

How to request service

To request a free subscription to The Shadowserver Foundation's ASN/netblock reporting service, send an email from your organization's email account to request_report *<at>*

Please provide the following information:

  • Full Name (and we need to have a real person, not just an organizational contact)
  • Organization
  • Networks of responsibility by ASN or CIDR (ASN is preferred, but only if you control the complete ASN) - Do not list your ISP's AS or networks, list only your own network space that you directly control.
  • Email address(es) of the report recipients
  • Phone number of contact - please include country prefix
  • Contact information for verification - Examples of this would be alternative contact information, other responsible groups in your organization, network validation links, etc. If this is someone listed in the whois for the network space you are requesting reports for, that will help.

Note that you should only request reports for the networks you are directly responsible for or own. Do not include the addresses or AS of your ISP, but those you are actually using and control.


National CERT's

Wherever possible we also like to work with the National level CERT of each country. For the those CERT's we will provide country level reports of any data we collect. The request is the same as above but for a specific geographical area or TLD.

Domain names

We are also able to provide reports based on domain names as opposed to ASN/CIDR/Country level, in the cases where one may have ownership of domains but not of the particular IP. Examples of reports that can be filtered on domain are Compromised Website reports and Accessible RDP reports. TLD-level reports are available for National CERTs.

Report Frequency

We run the reports starting every morning for the previous 24-hours (UTC time-based). By default our systems will check for your networks for each of the data areas every time. It is entirely possible that if you have a small address space, or a very clean one, you may not ever see a report from us. Or see one so infrequently that you may believe that we have forgotten you or removed your reports. This is not the case. We only send out reports based on the data we collect.

The amount of data we collect increases each and every day and we will continue to test all of that data for your requested networks. If you suspect anything is wrong, or that we might have done something incorrect, please let us know.

How Long Does It Take to Create the Reports (AKA When will you respond to me)?

Being an all volunteer group everything we do is a best effort. We will respond as rapidly as possible and create the reports as swiftly as we can. Normally the queue for report creation is cleared out at least once a month many times sooner. There is also the time to validate the listed networks and verify contacts. Sometimes we might call what you listed, but most times we do many searches verifying the information that is possible. When we have a question you will get an email from us requested updates.

How Can I Make Sure I Get the Reports Set Up As Soon As Possible?

Have a look at the following pointers:

  • Make sure all the information we need (as stated above) is included.
  • Be very clear on what you request, network wise. If you request a report for an ASN, you do not need to tell us what CIDR ranges are covered by that ASN. We can set up a report both for an ASN and for a CIDR range even if they are overlapping - this would however mean that you would be getting reports for the overlapping space twice. We often do get requests for reports for both ASNs and CIDRs (not all network space might be routed by the organization requesting reports, for example), and they do overlap at times. If you mean to receive reports for both a specific ASN (or set of ASNs) and for a specific CIDR range (or set of CIDR ranges) please be specific of this. Do not leave it up to us to choose between your ASN or CIDR range; we will set up the reports regardless. That said, we do prefer ASN if it is all the same to you.
  • Make sure that your address (or an address that can confirm your request) is listed in the whois records for the ASN or CIDR. While we understand that this might not always be possible, this will significantly speed up the process.
  • If you are requesting an update to your reports - either in network space, contact information or recipient email addresses - please tell us that you are requesting to update your feed, and what specifically you wish to update / change - preferably also how the full feed would look. (for example: 'Good morning, I am XX of org YYY. We recently acquired a new ASN, AS31337. Please add this to our feed, so that the total feed covers the network space of AS1337, AS1338 and AS31337.') Also, please do send these requests to report_admin<AT>
  • We did ask for a country prefix on the phone numbers. That goes for those of you in North America as well. (Yes, most organizations requesting reports that are outside the US and Canada manages to include the country prefix. But not all)

I Received a False Positive or I Fixed the Problem and You Reported It Again

While most of our data is as fresh as 24-hours, occasionally mistakes are made. We currently process approximately three to four billion events each day (as of Wednesday, 21 December 2011). Our systems are not bullet-proof, nor is our code without flaw. So, when you think there is an issue feel free to email us at botnets<AT> with your issue and we will take a look and try to get it fixed.

Report E-Mail Lists

When we build the reports we will create a specific mailing list for your organization. While we maintain control of that list, you may request additions or subtractions to the list at any time.

Report Examples

You can find examples of the different available reports here with all the fields for each report and greater detail on each report here.