Shadowserver 2020 Urgent Need – Background and Evolution

March 16, 2020

Read First: Saving Shadowserver and Securing the Internet — Why You Should Care & How You Can Help

Shadowserver was founded in 2004 by a highly motivated group of security industry volunteers. We set out on a clearly defined public benefit mission of making the Internet more secure, by bringing to light vulnerabilities, malicious activity and emerging threats. Over the past 15 years, despite many challenges, The Shadowserver Foundation has grown from “four guys in a garage” to become the world’s leading source of free daily remediation data – effectively sharing information on a global basis and now serving 107 National CERT/CSIRTs in 136 countries, with over 4,600 network owners and >90% of the Internet (by IPv4 space and ASN).

Shadowserver grew to become the successful, international non-profit organization it is today because it successfully filled an unmet need, helping global victims of cybercrime who were previously being failed at various levels. Today, many organizations rely heavily on our free daily remediation reports for identifying and handling incidents within their networks, particularly those recipients in organizations and countries who do not have large corporate threat intelligence budgets.

Our unique journey has included milestones such as adding daily whole IPv4 Internet scanning on 45 ports and helping to remediate tens of millions of open amplifiers that could otherwise have been used in reflective distributed denial of service (DDoS) attacks since 2014. Our malware repository now exceeds 1.2 billion unique samples and we have surpassed 11.5 petabytes of internally generated threat intelligence. We have reported out over 167 billion IP remediation events and have launched our own quarantine registrar for holding millions of “toxic” malicious DNS domains (The Registrar of Last Resort, or RoLR).

We have also supported top international Law Enforcement and private sector partners in many of the largest and most significant cybercrime disruption operations in history, covering everything from global high impact botnets such as Conficker and WannaCry (Windows), banking trojans like GameOver Zeus and Dridex, and spambots such as Kelihos and Necurs. We have also tackled other Internet-wide threats such as XCodeGhost (iOS) and Gooligan (Android), Mirai (IoT), VPNFilter (router APT) and targeted threats like Machete (APT), as well as supporting multiple years of the huge anti-Avalanche cybercrime-as-a-service operation against 20 different malware families simultaneously. This has liberated tens of millions of victims from criminal control and reduced financial losses to cybercrime by hundreds of millions of dollars globally, making us one of the world’s go-to trusted operational partners.

In the process, we have had to grow organizationally – moving from an all-volunteer model to employing full-time staff in non-profit organizations (NPOs) located in both the US and The Netherlands. We have also had to continually expand our (now extensive) IT infrastructure, which has meant moving data centers a number of times. We now operate 1341 physical servers in 104 racks, totaling 16512 CPU cores and 146.6 TB RAM, from a data center in San Jose, CA, with end-points in over 80 countries.

All of this public benefit activity costs a significant amount of money to keep alive, and one of the questions we are most commonly asked is how we manage to keep paying for all of this. To date, Shadowserver has depended entirely on donations and sponsorships, usually from a fairly small number of generous sponsors, who understand the benefit to everyone of trying to continually raise the baseline of global Internet security. We are eternally grateful to all of those kind sponsors, as we would not have reached where we are today without them.

From the very beginning, Shadowserver took a strong, principled stance that as an NPO we would never sell victim data. This does not mean that we are anti-commercial sector activities – we definitely believe that there are huge opportunities for innovation, for product development, and to sell cyber security services. Shadowserver does not seek to compete with commercial vendors, or disrupt their business models. But we do fundamentally believe that no-one should have to pay to find out that they have been a victim of cybercrime. We also made a conscious decision not to operate Shadowserver for personal gain or to court publicity through PR (unless asked), and instead to work quietly behind the scenes to support CERTs/CSIRTs, Law Enforcement Agencies and Network Owners.

We have often asked ourselves how The Shadowserver Foundation can continue growing and still successfully deliver on our altruistic mission, while at the same time ensuring that it can be self-sustaining with a lasting, impactful legacy. We sometimes receive commercial approaches, but as an NPO with no shares, we cannot be bought or sold. Our global reputation and hard-earned trust can easily be damaged (or lost) by the wrong action. We have always been sensitive to this, and proud about being neutral and transparent in all that we do.

After much thought and discussion with supporters in the community, Shadowserver is transitioning to a new, improved funding model during 2020 – based on the concept of a neutral governance Industry Alliance. We are partnering with organizations with proven experience in sustainable fundraising for community benefit projects, and engaging with a wide range of global constituents. We are encouraging those who benefit significantly from and can most afford to support our activities to join our new Shadowserver Alliance. Doing so will spread out the cost of operating Shadowserver across many more organizations than just our current generous, but relatively small, group of sponsors – thereby reducing the financial burden (and reliance) on any one single sponsor. This will help to ensure that everyone globally can continue to benefit from Shadowserver’s public benefit services. We will be posting more information about this exciting new chapter and the path forward in the coming weeks.

But in the short term, almost all of our focus is currently on ensuring that Shadowserver is able to overcome an unexpected but critical cashflow challenge and continue providing services to all of our impacted constituents and trusted partners globally, with the minimum of disruption. We have been fighting hard against cybercrime and abuse of the Internet for 15 years now. With the help of our sponsors and the global community, we hope that we can continue this important fight together and help ensure that the criminals do not win.

So in a challenging moment for Shadowserver, what can you do to help?


The Shadowserver Foundation Team


Read Next: Shadowserver 2020 Urgent Need – Just the Summary

Read Next: Shadowserver 2020 Urgent Need – The Full Story

Read Next: Shadowserver 2020 Urgent Need – How Can You Help

Read Next: Shadowserver 2020 Urgent Need – Frequently Asked Questions

Read Next: First Fundraising Status Update

Read Next: Data Center Migration Deadline Extended from March 26th to August 31st

Read Next: Data Center Requirements – Can You Help Host Shadowserver

Read Next: Our Data Center Has A New Home

Read Next: Second Fundraising Status Update

Read Next: Third Fundraising Status Update
