
‘Notorious Hosting Providers’: An Overview of the Highest-Threat Hosts From IP-address Blacklist Analysis

One major element of many brand-protection programmes is the use of an algorithm to sort the findings identified through monitoring, according to their relevance or level of potential threat. This prioritisation process offers a number of benefits, including the identification of priority targets for further analysis, content tracking, or enforcement [1, 2].

In many cases, prioritisation or ‘threat-scoring’ metrics of this nature will make use of a number of characteristics of the identified websites, each of which can independently provide insight into the potential level of threat. These insights are usually based on research into how frequently the relevant characteristics have previously been associated with content found to be fraudulent, malicious or infringing. Familiar examples of such characteristics include the TLD (top-level domain, or domain extension), with some TLDs found to be disproportionately popular with infringers, based on factors such as domain cost and registration requirements, or the nature of any IP protection programmes offered by the registries [3]; and the domain registrar, with infringement rates typically found to depend on factors such as compliance with enforcement requests, as per (for example) the registrar ‘bad reputation’ league table published by Spamhaus [4].

In this article, I consider the hosting characteristics of websites as an indicator of potential threat level, following on from a previous study [5] looking at the set of (IPv4) IP addresses blacklisted in response to identified use for specific infringing purposes (such as spamming and malware distribution), in a database provided by Myip.ms [6] (as of January 2025). This previous study explored the creation of a threat-scoring algorithm based on (among other factors) the proximity of the host IP address of a website of interest to other blacklisted IP addresses. Specifically, an IP address was deemed to be of higher risk if it sat in a netblock together with a higher number of blacklisted addresses.

A by-product of this previous analysis was a table showing the hosting providers most frequently associated with blacklisted IP addresses. The list was topped by Amazon Technologies Inc. (14,030 blacklisted addresses, out of the full dataset of 169,023), ChinaNet Jiangsu Province Network (7,285), and Cloudflare (3,317). However, this list does not provide the full picture: the hosting providers associated with the highest number of blacklisted addresses may simply be the most popular hosting providers generally, in which case the numbers of blacklisted addresses would not be disproportionate and the provider’s reputation should not be considered adversely affected. In this follow-up, therefore, I consider the ‘rates’ of blacklisted IP addresses per hosting provider, expressing the raw numbers as proportions of the total numbers of IP addresses with which the providers are associated (in practice an estimate, based on a sampling exercise).

Methodology and analysis

In order to obtain an estimate of the total extent of online presence of each hosting provider, it would ideally be necessary to carry out a host look-up for every IP address in IP-space (from 0.0.0.0 to 255.255.255.255, i.e. 256^4 (4.3 billion) in total). However, in order to limit the number of look-ups required, a sampling approach was used instead, in which the analysis considered only four equally-spaced IP addresses within each second-level netblock (i.e. 0.0.0.0, 0.0.64.0, 0.0.128.0, 0.0.192.0, 0.1.0.0, 0.1.64.0, etc.). The idea is that this approach should provide a representative sampling of IP-space. It is also reasonable (to some extent) because many hosting providers, particularly the major players, operate large, contiguous blocks of IP addresses, so that the sampling exercise will provide a reasonable overview of the activity breakdown.

By way of additional notes:

  • Of the 262,144 IP addresses considered, the automated look-ups were unsuccessful in 97,114 cases (37% of the total), comprising a mix of cases where the IP addresses themselves are invalid, and other instances where the look-up was found to time out or fail. Note that this issue may skew the statistics, if certain regions or hosting providers tend to be disproportionately associated with failed look-ups.
  • In the latter stage of analysis, the name of the hosting provider (as given by the look-up) was ‘cleaned’, as in the previous study, by truncating at the first instance of a comma (so that, for example, ‘China Mobile Communications Corporation, Mobile Communications Network Operator in China, Internet Service Provider in China’ is converted to ‘China Mobile Communications Corporation’). In many cases this produces a more reasonable aggregated dataset, but it also generates some ‘false positives’ (such as hosting providers listed just as (say) ‘Headquarters’ or ‘ZA’) and instances where distinct entities are erroneously aggregated together, such that the final datasets may require some ‘sanity-checking’ and further cleansing. The approach may also leave distinct instances of the ‘same’ entity treated separately (e.g. ‘Amazon.com’ and ‘Amazon Technologies Inc.’).

From the initial stage of analysis, the top hosting providers generally appearing most commonly in the sampled dataset (i.e. by total numbers) are as shown in Table 1.

Table 1: Top ten hosting providers (‘uncleaned’ names) associated with the sampled set of addresses across IP-space

| Hosting provider | No. IP addresses |
|---|---|
| DoD Network Information Center | 13,551 |
| AT&T Enterprises, LLC | 6,384 |
| Verizon Business | 5,563 |
| Amazon.com, Inc. | 5,197 |
| Amazon Technologies Inc. | 4,714 |
| Comcast Cable Communications, LLC | 4,279 |
| Headquarters, USAISC | 3,334 |
| Microsoft Corporation | 2,802 |
| Korea Telecom | 2,691 |
| Charter Communications Inc | 2,257 |

For the main stage of analysis, a ‘bad reputation’ or ‘threat’ score was calculated for each of the hosting providers, by dividing the total number of blacklisted IP addresses under their control (from the previous study) by the total number of (sampled) IP addresses under their control (according to the approach outlined in this study), to give a ‘blacklist rate’ score. From this approach, the top ten highest-threat hosting providers are given in Table 2 (with the full list of all hosting providers assigned a blacklist rate score of 10.00 or greater shown in Appendix A).

Table 2: Top ten ‘highest threat’ hosting providers, by ‘blacklist rate’ score

| Hosting provider | Blacklist rate |
|---|---|
| Huawei HongKong Clouds | 512.67 |
| Ahrefs Pte Ltd | 462.00 |
| Yandex enterprise network | 382.00 |
| Huawei-Cloud-SG | 280.67 |
| Bangladesh Telegraph & Telephone Board | 280.00 |
| Netprotect | 270.00 |
| Strong Technology | 189.00 |
| geofeed (GitHub:Simonadascalu/Freedomtech-Geofeed) | 116.00 |
| LogicWeb Inc. | 112.00 |
| Huawei Cloud Singapore POP | 95.00 |

These results exhibit some parallels with other similar analyses. For example, three of the top ten also appear in Scamalytics’ list of top ‘high-risk ISPs’ which achieve risk scores of greater than 52 (out of 100) [7] (namely: geofeed, score = 62; Strong Technology, score = 60; LogicWeb Inc., score = 56).

It is also noteworthy that some other fairly well-known providers do achieve relatively high blacklist rate scores in this new analysis, including Namecheap (rate = 52.00), Cloudflare (rate = 30.43) and OVH SAS (rate = 20.00). Furthermore, of the top 50 most commonly-appearing (i.e. most popular) hosting providers overall amongst the full sampled set of IP addresses, two (ChinaNet Jiangsu Province Network, rate = 10.95; Amazon Technologies Inc., rate = 2.98) have blacklist rate scores greater than 1.
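
The sampling scheme, comma-truncation and blacklist-rate calculation described in this section, as an added Python example (not the author's code). The counts are those quoted in the article; `Example Unsampled Host` and the `min_sample` parameter are assumptions introduced here.

```python
import ipaddress
from collections import Counter
from itertools import islice

def sample_addresses():
    """Four equally spaced addresses per /16: x.y.0.0, x.y.64.0, x.y.128.0, x.y.192.0."""
    for block in range(256 * 256):            # every second-level netblock
        for third in (0, 64, 128, 192):
            yield ipaddress.IPv4Address((block << 16) | (third << 8))

def clean_provider(name):
    """Truncate the looked-up host name at the first comma, as the article does."""
    return name.split(",", 1)[0].strip()

def blacklist_rates(blacklisted, sampled, min_sample=1):
    """blacklisted / sampled: Counter of raw provider name -> number of IPs.

    Returns {cleaned name: (blacklisted, sampled, rate)}, highest rate first.
    min_sample is a hypothetical knob (not in the article): raise it to drop
    providers whose rate rests on only one or two sampled addresses.
    """
    bl, sm = Counter(), Counter()
    for name, n in blacklisted.items():
        bl[clean_provider(name)] += n
    for name, n in sampled.items():
        sm[clean_provider(name)] += n
    rows = {}
    for name, n_bl in bl.items():
        n_sm = sm[name]
        if n_sm == 0 or n_sm < min_sample:    # never sampled: rate is undefined
            continue
        rows[name] = (n_bl, n_sm, round(n_bl / n_sm, 2))
    return dict(sorted(rows.items(), key=lambda kv: kv[1][2], reverse=True))

# Counts quoted in the article; "Example Unsampled Host" is constructed.
BLACKLISTED = Counter({"Ahrefs Pte Ltd": 462, "Cloudflare": 3317,
                       "Amazon Technologies Inc.": 14030,
                       "Example Unsampled Host": 5})
SAMPLED = Counter({"Ahrefs Pte Ltd": 1, "Cloudflare": 109,
                   "Amazon Technologies Inc.": 4714, "Amazon.com, Inc.": 5197})

if __name__ == "__main__":
    print([str(ip) for ip in islice(sample_addresses(), 6)])
    for name, row in blacklist_rates(BLACKLISTED, SAMPLED).items():
        print(name, row)
    print(blacklist_rates(BLACKLISTED, SAMPLED, min_sample=10))
```

With `min_sample=10`, Ahrefs Pte Ltd (one sampled address) drops out of the ranking while Cloudflare and Amazon Technologies Inc. remain, which shows how strongly the top of the table depends on very small sample counts.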

Conclusion

The analysis identifies the hosting providers which are most disproportionately associated with blacklisted IP addresses and, by extension, those which may be most popular with bad actors for hosting infringing or malicious content. Accordingly, the determination that any of these highest-threat hosting providers is associated with an identified website provides some indication that, all other factors being equal, the website might be more likely to pose a threat, and thereby be worthy of closer attention.

On this basis, the ‘blacklist rate’ scores for the hosting providers (or some variant of them) could serve as a useful component of an overall threat score for ranking websites. This concept may be useful in the prioritisation of findings identified through brand-monitoring services.

Going forward, more robust augmentations to this approach could utilise a more intensive analysis (i.e. a less ‘coarse’ sampling) of the full set of addresses in IP address space, or additional blacklist or threat information; the approach could also be applied to alternative characteristics, such as geographical hosting location (i.e. countries or cities, using geolocation data).

Appendix A: Highest-threat hosting providers by ‘blacklist rate’ score

| Hosting provider | No. blacklisted IP addresses | No. IP addresses in sample of total | Blacklist rate |
|---|---|---|---|
| Huawei HongKong Clouds | 1,538 | 3 | 512.67 |
| Ahrefs Pte Ltd | 462 | 1 | 462.00 |
| Yandex enterprise network | 382 | 1 | 382.00 |
| Huawei-Cloud-SG | 2,526 | 9 | 280.67 |
| Bangladesh Telegraph & Telephone Board | 280 | 1 | 280.00 |
| Netprotect | 540 | 2 | 270.00 |
| Strong Technology | 567 | 3 | 189.00 |
| geofeed (URL) | 116 | 1 | 116.00 |
| LogicWeb Inc. | 112 | 1 | 112.00 |
| Huawei Cloud Singapore POP | 95 | 1 | 95.00 |
| Braveway LLC | 187 | 2 | 93.50 |
| Telekom Srbija | 217 | 3 | 72.33 |
| TOT Mobile Co LTD | 245 | 4 | 61.25 |
| FranTech Solutions | 349 | 6 | 58.17 |
| 1222 Dial-up Free Internet Service | 55 | 1 | 55.00 |
| Network Engineering (Mobile) - Reginal APN IP Lagos | 53 | 1 | 53.00 |
| Namecheap | 156 | 3 | 52.00 |
| Huawei Cloud SG POP | 47 | 1 | 47.00 |
| PT iForte Global Internet | 45 | 1 | 45.00 |
| Beijing Xiaoju Technology Co. | 355 | 8 | 44.38 |
| EZECOM CO. | 171 | 4 | 42.75 |
| BigTip | 80 | 2 | 40.00 |
| Biznet Networks | 271 | 7 | 38.71 |
| Cogetel Ltd | 73 | 2 | 36.50 |
| Castle Global Inc. | 36 | 1 | 36.00 |
| Performive LLC | 232 | 7 | 33.14 |
| SINET | 65 | 2 | 32.50 |
| Single Digits | 32 | 1 | 32.00 |
| HostPapa | 2,157 | 68 | 31.72 |
| CHINANET-ZJ Lishui node network | 601 | 19 | 31.63 |
| Ishan Netsol Pvt Ltd | 31 | 1 | 31.00 |
| MEGA-II IDC | 31 | 1 | 31.00 |
| Cloudflare | 3,317 | 109 | 30.43 |
| Cyber Internet Services Pakistan | 60 | 2 | 30.00 |
| Multinet Pakistan Pvt. Ltd. | 30 | 1 | 30.00 |
| Shinjiru Technology Sdn Bhd | 30 | 1 | 30.00 |
| Amanah Tech Inc. | 29 | 1 | 29.00 |
| VIETTEL (CAMBODIA) PTE | 29 | 1 | 29.00 |
| ASSIGNED-FOR-IMS-IMPLEMENTATION | 28 | 1 | 28.00 |
| B2 Net Solutions Inc. | 278 | 10 | 27.80 |
| Contabo Inc. | 55 | 2 | 27.50 |
| OCULUS NETWORKS INC | 81 | 3 | 27.00 |
| Interserver | 54 | 2 | 27.00 |
| Emerald Onion | 27 | 1 | 27.00 |
| CHINANET-ZJ Quzhou node network | 480 | 18 | 26.67 |
| Latitude.sh | 26 | 1 | 26.00 |
| Secure Internet LLC | 175 | 7 | 25.00 |
| ENTERPRISE | 25 | 1 | 25.00 |
| MekongNet | 49 | 2 | 24.50 |
| PT Jala Lintas Media | 24 | 1 | 24.00 |
| Contabo GmbH | 94 | 4 | 23.50 |
| BDCOM Online Limited | 23 | 1 | 23.00 |
| velia.net | 23 | 1 | 23.00 |
| DhakaCom Limited | 45 | 2 | 22.50 |
| Web2Objects LLC | 197 | 9 | 21.89 |
| Palestine Telecommunications Company (PALTEL) | 65 | 3 | 21.67 |
| Telenor Pakistan (Pvt) Ltd | 21 | 1 | 21.00 |
| GTPL Broadband Pvt. Ltd. | 81 | 4 | 20.25 |
| OVH SAS | 40 | 2 | 20.00 |
| LayerHost | 20 | 1 | 20.00 |
| Dynamic allocation for Broadband Subscribers | 39 | 2 | 19.50 |
| YOU Telecom India Pvt Ltd | 155 | 8 | 19.38 |
| Contabo Asia Private Limited | 19 | 1 | 19.00 |
| Earth Telecommunication(Pvt.)Ltd. | 19 | 1 | 19.00 |
| Indusind Media And Communication Ltd. | 19 | 1 | 19.00 |
| Mailgun Technologies Inc. | 19 | 1 | 19.00 |
| TekTonic | 19 | 1 | 19.00 |
| CTG Server Ltd. | 111 | 6 | 18.50 |
| PT. Mora Telematika Indonesia | 37 | 2 | 18.50 |
| UNICOM ZheJiang Province Network | 576 | 32 | 18.00 |
| GRAMEEN CYBERNET | 18 | 1 | 18.00 |
| PT ARTHA TELEKOMINDO | 18 | 1 | 18.00 |
| Trans World Enterprise Services (Private) Limited | 18 | 1 | 18.00 |
| World Phone Internet Services Pvt Ltd | 18 | 1 | 18.00 |
| YISU CLOUD LTD | 18 | 1 | 18.00 |
| USF DSLAM Central | 69 | 4 | 17.25 |
| eSited Solutions | 187 | 11 | 17.00 |
| J2 Global Ventures | 34 | 2 | 17.00 |
| ZHENGZHOU guangdian COPR | 34 | 2 | 17.00 |
| ACT Hyderabad | 17 | 1 | 17.00 |
| Magnite | 17 | 1 | 17.00 |
| MTNN-OJOTA-REGION-PREFIXES | 17 | 1 | 17.00 |
| Scloud Pte Ltd t/a Scloud Pte Ltd | 17 | 1 | 17.00 |
| ServerPoint.com | 17 | 1 | 17.00 |
| Shiodome Sumitomo Blog 1-9-2 TOKYO | 17 | 1 | 17.00 |
| SwiftMail Communications Limited | 17 | 1 | 17.00 |
| Ucom CJSC | 17 | 1 | 17.00 |
| Ultra Internet Communications LLC | 17 | 1 | 17.00 |
| TOT Public Company Limited | 473 | 28 | 16.89 |
| Digital Energy Technologies Limited | 33 | 2 | 16.50 |
| PT. Media Antar Nusa | 33 | 2 | 16.50 |
| China Unicom HuNan province network | 258 | 16 | 16.13 |
| Colocation America Corporation | 224 | 14 | 16.00 |
| PT Indonesia Comnets Plus | 48 | 3 | 16.00 |
| US Net Incorporated | 32 | 2 | 16.00 |
| Access Telecom (BD) Ltd | 16 | 1 | 16.00 |
| Armour Cloud | 16 | 1 | 16.00 |
| HostRoyale LLC | 16 | 1 | 16.00 |
| N R DATA SERVICE PVT LTD | 16 | 1 | 16.00 |
| Nanping MAN | 16 | 1 | 16.00 |
| PT Mora Telematika Indonesia | 16 | 1 | 16.00 |
| RAHA Ltd | 16 | 1 | 16.00 |
| WIRELESS INDONESIA | 16 | 1 | 16.00 |
| ADSL - DYNAMIC POOL | 110 | 7 | 15.71 |
| Future Tech Distribution | 47 | 3 | 15.67 |
| CMPak Limited | 46 | 3 | 15.33 |
| CHINANET-ZJ Zhongxin node network | 873 | 57 | 15.32 |
| Intelligence Network | 60 | 4 | 15.00 |
| Fiber Grid Inc | 15 | 1 | 15.00 |
| PT Hutchison 3 Indonesia | 15 | 1 | 15.00 |
| PT. Cemerlang Multimedia | 15 | 1 | 15.00 |
| PT. LINKNET | 15 | 1 | 15.00 |
| Westendstrabe 28 | 15 | 1 | 15.00 |
| PT. MNC Kabel Mediacom | 29 | 2 | 14.50 |
| DigitalOcean | 2,329 | 164 | 14.20 |
| America-NET Ltda. | 28 | 2 | 14.00 |
| Dynamic allocation for LTE customers | 28 | 2 | 14.00 |
| HOSTKEY | 14 | 1 | 14.00 |
| Leaseweb Asia Pacific Pte. Ltd. | 14 | 1 | 14.00 |
| rain | 139 | 10 | 13.90 |
| Chandigarh | 122 | 9 | 13.56 |
| Static IP Addresses for Internet Services | 27 | 2 | 13.50 |
| Centrilogic | 53 | 4 | 13.25 |
| NEWTREND | 53 | 4 | 13.25 |
| PT. Eka Mas Republik | 26 | 2 | 13.00 |
| Sneaker Server | 26 | 2 | 13.00 |
| Gigantic Infotel Pvt Ltd | 13 | 1 | 13.00 |
| PT Net2Cyber Indonesia | 13 | 1 | 13.00 |
| VIETTEL (CAMBODIA) PTE. | 63 | 5 | 12.60 |
| WebNX | 75 | 6 | 12.50 |
| Sharktech | 87 | 7 | 12.43 |
| BNG_MED1_orange | 24 | 2 | 12.00 |
| Wowrack.com | 24 | 2 | 12.00 |
| InterCloud ltd | 12 | 1 | 12.00 |
| Leaseweb Deutschland GmbH | 12 | 1 | 12.00 |
| Maxis Broadband Sdn.Bhd | 12 | 1 | 12.00 |
| Reserved-for-Enterprise-Internet-WAN | 12 | 1 | 12.00 |
| Sipbound Corporation | 12 | 1 | 12.00 |
| Krypt Technologies | 235 | 20 | 11.75 |
| PT Telkom Indonesia’s customer. | 23 | 2 | 11.50 |
| 10 Fl. 72. CAT TELECOM TOWER Bangrak Bangkok Thailand | 137 | 12 | 11.42 |
| Alibaba Cloud LLC | 1,971 | 173 | 11.39 |
| CHINANET FUJIAN NETWORK | 136 | 12 | 11.33 |
| GMO Internet Group | 102 | 9 | 11.33 |
| UNE EPM TELECOMUNICACIONES S.A. | 99 | 9 | 11.00 |
| LINKdotNET Telecom Limited | 22 | 2 | 11.00 |
| Pakistan Mobile Communications Limited | 22 | 2 | 11.00 |
| CABONNET INTERNET LTDA | 11 | 1 | 11.00 |
| Mammoth Media Pty Ltd | 11 | 1 | 11.00 |
| Myanma Post and Telecommunication | 11 | 1 | 11.00 |
| POOL27 CONTEXT ORANGE BAS4 | 11 | 1 | 11.00 |
| SONATEL Societe Nationale Des Telecommunications Du Senegal | 11 | 1 | 11.00 |
| Telekom Slovenije d.d. | 11 | 1 | 11.00 |
| VPSONLINE Ltd | 11 | 1 | 11.00 |
| CHINANET jiangsu province network | 7,285 | 665 | 10.95 |
| SendGrid | 97 | 9 | 10.78 |
| DataWagon LLC | 21 | 2 | 10.50 |
| PT Remala Abadi | 52 | 5 | 10.40 |
| Emeigh Investments LLC | 61 | 6 | 10.17 |
| IONOS Inc. | 81 | 8 | 10.13 |
| FLAT 301 | 20 | 2 | 10.00 |
| TYO_VULTR_CUST | 20 | 2 | 10.00 |
| Automattic | 10 | 1 | 10.00 |
| National Telecom Public Company Limited 7 Fl. 72. CAT TELECOM TOWER Bangrak Bangkok Thailand | 10 | 1 | 10.00 |
| Neuviz (PT. Piranti Prestasi Informasi) | 10 | 1 | 10.00 |
| Pacific Connect Private Limited | 10 | 1 | 10.00 |
| PT Jembatan Citra Nusantara | 10 | 1 | 10.00 |
| PT Telkom Satelit Indonesia | 10 | 1 | 10.00 |
| PT. Comtronics Systems | 10 | 1 | 10.00 |
| PT. KINEZ CREATIVE SOLUTIONS | 10 | 1 | 10.00 |
| VIZAG BROADCASTING COMPANY PVT. LTD | 10 | 1 | 10.00 |

By David Barnett, Brand Protection Strategist at Stobbs
