Good versus evil. It’s a battle as old as time. If you’ve ever spent more than five minutes on social media, it’s no secret that the internet has long been the home field for both sides of this existential rivalry.
But for every web hero out there, it feels like there are often ten villains, bad actors making life on the internet hard for ordinary people.
That familiar cadence of a pointed remark met with a deluge of trolls? That’s the internet these days.
However, there is another manifestation of this age-old battle that’s a lot less public and significantly more consequential than the trivial banter on Twitter, and that’s internet hosting.
The backbone of the internet itself is made up of good players and bad players, and we wanted to take a look at our threat intelligence data and put some names to the numbers when it comes to identifying the baddest (err, riskiest) hosts on the internet.
What are ASNs?
Internet service providers and hosting companies have under their control various IP addresses that are accessible on a network and collectively make up what we call the internet.
When these addresses are governed by a singular routing policy, they make up what is known as an “autonomous system.”
In order for these autonomous systems to communicate with each other and route traffic, they need to obtain an “autonomous system number” (ASN) from IANA, the Internet Assigned Number Authority which administers IP addresses and ASNs across the global internet.
So, what does a number have to do with identifying risky hosts?
The answer is attribution. You see, to get an ASN to operate your networks at internet scale, your organization needs to apply for it through one of the Regional Internet Registries.
In practice, this identifies the legitimate “owner” of an IP address as the organization to which the ASN was assigned.
When internet traffic is anonymous by design, it’s the registered ASN owner that’s responsible for the content on their hosts.
Determining the Riskiest ASNs
With that primer on internet functionality behind us, let’s take a look at some data.
As a leading provider of IP threat intelligence, alphaMountain is in a unique position to offer visibility into not only risky hosts on the internet, but also the organizations behind them.
Methodology
We looked at 881,449,967 IP addresses in our IP threat database. These IP addresses are grouped into 78,423 ASNs.
Since risk scores of IP addresses change over time as hosts come and go, we looked back over a year of data from May 21, 2024.
We typically advise customers of our threat feeds to use an IP threat rating of 7.0 and greater as the threshold for what they want to block in their secure gateways and firewalls, so that’s the threshold we’ve used here.
Top 10 Riskiest ASNs by IP Addresses
| ASN | Risky IPs | Average Threat Score | Organization |
| AS13335 | 14,053,996 | 8.63 | Cloudflare, Inc. |
| AS15169 | 9,610,484 | 9.08 | Google LLC |
| AS16509 | 7,338,339 | 8.32 | Amazon.com, Inc. |
| AS47583 | 4,862,468 | 8.69 | Hostinger International Limited |
| AS14618 | 2,361,604 | 8.84 | Amazon.com, Inc. |
| AS63949 | 1,788,023 | 8.70 | Akamai Connected Cloud |
| AS27647 | 1,275,758 | 8.86 | Weebly, Inc. |
| AS396982 | 1,184,920 | 8.87 | Google LLC |
| AS204915 | 1,021,623 | 9.07 | Hostinger International Limited |
| AS139021 | 646,675 | 8.98 | West263 International Limited |
For those of you keeping score at home, that’s 44,143,890 high-risk IP addresses in just the top ten ASNs by volume. For reference, of the nearly one billion IP addresses in our database, 58,877,667 were home to risky hosts in the prior year meaning 75% of risky IP addresses were concentrated in just ten ASNs worldwide.
A closer look reveals that these ten ASNs are controlled by just seven companies with Cloudflare’s risk footprint in this cohort spreading some 35% larger than Google’s in the number two spot.
Success Leads to Abuse
Based on these numbers, it appears the large hosting providers have both succeeded and failed.
On the one hand, their promises of security, speed and scale have succeeded in providing low-effort access to powerful hosting platforms.
On the other hand, these very value propositions have enabled a large number of bad actors as well. Again, that’s the internet these days.
The fact of the matter is, we have all come to accept some levels of risk in the digital age, and we can assume that these large ASNs (some of which are operated by household names) all have the internet’s best interests at heart right?
Top 10 Riskiest ASNs by Percentage of Hosts
Well, the data actually tells a slightly different story.
When we include the total number of IP addresses in these ASNs, we can calculate the percentage of risky IPs in each one, and three of these organizations stand out for all the wrong reasons.
| ASN | Total IPs | Risky IPs | % Risky | Organization |
| AS13335 | 138,549,827 | 14,053,996 | 10% | Cloudflare, Inc. |
| AS15169 | 81,560,774 | 9,610,484 | 12% | Google LLC |
| AS16509 | 229,188,532 | 7,338,339 | 3% | Amazon.com, Inc. |
| AS47583 | 46,512,952 | 4,862,468 | 10% | Hostinger International Limited |
| AS14618 | 28,571,909 | 2,361,604 | 8% | Amazon.com, Inc. |
| AS63949 | 11,329,134 | 1,788,023 | 16% | Akamai Connected Cloud |
| AS27647 | 2,915,124 | 1,275,758 | 44% | Weebly, Inc. |
| AS396982 | 29,480,223 | 1,184,920 | 4% | Google LLC |
| AS204915 | 1,219,411 | 1,021,623 | 84% | Hostinger International Limited |
| AS139021 | 1,379,125 | 646,675 | 47% | West263 International Limited |
Here we see that of the seven organizations claiming the largest numbers of risky IPs on the internet, three of them have ASNs with over 40% of their IP addresses deemed high risk.
Let’s take a quick look at these operators.
Riskiest Hosting Providers
Hostinger International Limited is a Lithuanian hosting provider that has seen its share of controversy over the years. In 2022, our partners at Cyware released a research report detailing the exploitation of certain Hostinger features by phishing campaign operators in India. Interestingly, Hostinger shows up twice in our list of riskiest ASNs, with 84% of AS204915’s IP addresses being risky and AS47583’s showing a much more reasonable 10% with a high-risk rating. In keeping with our theme, it’s almost as if they have both “good” and “evil” ASNs.
With 47% of its hosts categorized as “risky,” West263 International Limited is a domain registrar (west.xyz) and hosting provider (west.cn) based in Hong Kong. The company claims to host over 500,000 websites and it’s worth noting that their domain registration portal promotes the use of the .top TLD which has been put on notice for failing to prevent the use of its domains as phishing hosts.
Lastly, of these three, Weebly, Inc. is probably the most well-known hosting operator outside of the technology bubble. They made their name as one of the early “drag and drop” website platforms, enabling businesses and individuals to launch a customized website with no technical skills required. In 2018 the company was acquired by Square (the payments company now known as Block Inc.), and this close connection between payment processing and risky hosts could easily raise concerns when it comes to this operator’s trustworthiness in the market.
Takeaways
The successes of the world’s largest hosting providers are also their failures. Afterall, it’s impossible to maintain a squeaky clean network at their scale. However, there should be some consideration given to the fact that the incentives are not aligned for the hosting providers to be taking action on risky or malicious content on their platforms; they make money from hosting websites.
By sheer size, Cloudflare is an unequivocal serial offender here, but it’s largely due to their freemium business model which offers free hosting and low-code autoscaling that cybercriminals just can’t resist. In fact, research shows that a recent shutdown of the .tk and related top-level domains offered by Freenom, a free domain registrar, resulted in Cloudflare losing a staggering 22% of hosts on its networks.
Amazon deserves a special shout out as well with both of their largest ASNs coming in under 10% risky, and one of which also boasts the lowest average risk score of 8.32. It’s worth recalling that all of these percentages and risk score averages were taken from hosts observed as risky over a one year period.
IP Risk Data Feeds
If this type of deep dive into threat intelligence gets you pumped up, you’re going to love alphaMountain’s domain and IP threat feeds. With hourly updates for over 2 billion domains and IPs, you’ll know the categories and threat ratings of nearly every host on the internet. Use categories to block access to certain types of sites such as “Suspicious”, “Malicious”, “Phishing”, or “Scams”. Use risk scores to block sites of any kind above a certain threat threshold (we recommend >7). Request your free trial API key and let us know what you think.