This paper studies the AS-level
(changes in the connectivity) of malicious networks. Anecdotal evidence suggests that some malicious ASes that are primarily involved in nefarious activities on the Internet, were sequentially de-peered by providers before their final cut-off (as occurred in the well-publicized cases of Atrivo/Intercage). We present the first systematic study of the re-wiring dynamics of malicious ASes. We tracked the ASes that were listed by Hostexploit over the last two years and compared their AS-level re-wiring dynamics with non-reported ASes. Using a publicly available dataset of Customer-Provider (CP) relations in the Internet’s AS graph, we studied how interconnection between autonomous systems evolves, both for ASes that provide connectivity for attackers and ASes that were not reported as malicious. We find that malicious networks are more aggressive both in forming links with providers and changing their upstream connectivity than other ASes. Our results indicate that the re-wiring dynamics of the networks that host attacks are stable over time, despite the evolving nature of the attacks themselves, which suggests that existing defense mechanisms could benefit from incorporating these features.