I was trolling my server logs, as per normal and adding the PITN's to black lists to slow down the rate of spam, DOS, scanning wtc attacks we get each day.

s I did it I came to wonder who we spend most of our time banning - which country(s) should we mistrust?  I know in the past I have blacklisted or dumped connections from countries such as China, Romania, Bulgaria etc when their flood of scanners, crackers, viruses came at us. But really - who can we trust.

I (serendipitously) saw I was getting scanned by Shadowserver.org. Before hitting them with a ban hammer I decided to check out who they were and was pleasantly surprised to discover they are a reputable group of security minded enthusiasts who have worked / been recognized by the likes of Microsoft and some of the major news papers etc.

I also found they have the type of stats i had been looking for.

It seems my prejudices may have been a little bit off (although I did know tons of crud and cruft comes from the USA) but how far off was a little startling.

For your enjoyment and edifcation, I've pasted a chart of the Top 25 countries for Bot Nets
The bar chart shows, Number of open botnets as of today, the number of closed bot nets and obviously the total bot nets present or recognised by country (open plus closed).

What makes really interesting reading on the source data page is the closure rates (BTW NZ had two potnets, both closed so yay us - 100% closure rate).
The UK (45%)and US (59%) have lower closure rates than places like romaina (90%), China (87%),  and UA (60%)
What is also interesting is Russia ( 46% closure) only has 347 bot nets, compared to US (7825), UK (1175), Germany (1902) and China (517)

So what have I learned? USA is more destructive than I thought, DE, UK, USA, NL, FR etc are crap at shutting the bad guys down and I wouldn't want to run a bot net in china, Russia or Libya.

So who are you going to trust / or ban hammer?

Original data found here:  http://www.shadowserver.org/wiki/pmwiki.php/Stats/GeoLocations