Bulletproof hosting

Last updated
A former NATO-bunker in the Netherlands, which housed bulletproof hosting provider CyberBunker with a Pontiac Trans Sport in the front. CyberBunker.jpg
A former NATO-bunker in the Netherlands, which housed bulletproof hosting provider CyberBunker with a Pontiac Trans Sport in the front.

Bulletproof hosting (BPH) is technical infrastructure service provided by an Internet hosting service that is resilient to complaints of illicit activities, which serves criminal actors as a basic building block for streamlining various cyberattacks. [1] BPH providers allow online gambling, illegal pornography, botnet command and control servers, spam, copyrighted materials, hate speech and misinformation, despite takedown court orders and law enforcement subpoenas, allowing such material in their acceptable use policies. [2] [3] [4]

Contents

BPH providers usually operate in jurisdictions which have lenient laws against such conduct. Most non-BPH service providers prohibit transferring materials over their network that would be in violation of their terms of service and the local laws of the incorporated jurisdiction, and oftentimes any abuse reports would result in takedowns to avoid their autonomous system's IP address block being blacklisted by other providers and by Spamhaus. [5]

History

BPH first became the subject of research in 2006 when security researchers from VeriSign revealed the Russian Business Network, an internet service provider that hosted a phishing group, was responsible for about $150 million in phishing-related scams. RBN also become known for identity thefts, child pornography, and botnets. [6] [7] [8] The following year, McColo, the web hosting provider responsible for more than 75% of global spam was shut down and de-peered by Global Crossing and Hurricane Electric after the public disclosure by then-Washington Post reporter Brian Krebs on his Security Fix blog on that newspaper. [9] [10]

Difficulties

Since any abuse reports to the BPH will be disregarded, in most cases, the whole IP block ("netblock") assigned to the BPH's autonomous system will be blacklisted by other providers and third party spam filters. Additionally, BPH also have difficulty in finding network peering points for establishing Border Gateway Protocol sessions, since routing a BPH provider's network can affect the reputation of upstream autonomous systems and transit provider. [11] This makes it difficult for BPH services to provide stable network connectivity, and in extreme cases, they can be completely de-peered; [1] therefore BPH providers evade AS's reputation based fortification such as BGP Ranking and ASwatch through unconventional methodologies. [2]

Web hosting reseller

According to a report, due to their mounting difficulties, BPH providers engage in establishing reseller relationships with lower-end hosting providers; although these providers are not complicit in supporting the illegitimate activities, they tend to be lenient on abuse reports and do not actively engage in fraud detection. [1] Therefore, BPH conceals itself behind lower-end hosting providers, leveraging their better reputation and simultaneously operating both bulletproof and legitimate resells through the sub-allocated network blocks. [12] However, if the BPH services are caught, providers of BPH migrate their clients to a newer internet infrastructure—newer lower-end AS, or IP space—effectively making the blacklisted IP addresses of the previous AS ephemeral; thus continuing to engage in criminal conduct by modifying the DNS server's resource records of the listening services and making it point to the newer IP addresses belonging to the current AS's IP space. [12] Due to privacy concerns, the customary modes of contact for BPH providers include ICQ, Skype, and XMPP (or Jabber). [13] [14]

Admissible abuses

Most BPH providers promise immunity against copyright infringement and court order takedown notices, notably Digital Millennium Copyright Act (DMCA), Electronic Commerce Directive (ECD) and law enforcement subpoenas. They also allow users to operate phishing, scams (such as high-yield investment program), botnet masters and unlicensed online pharmacy websites. In these cases, the BPH providers (known as "offshore providers") operate in jurisdictions which do not have any extradition treaty or mutual legal assistance treaty (MLAT) signed with the five eye countries, particularly the United States. [15] [16] [17] However, most BPH providers have a zero-tolerance policy towards child pornography and terrorism, although a few allow cold storage of such material given forbidden open-accessibility via the public internet. [18]

Prevalent jurisdictions for incorporation and location of the data centers for BPH providers include Russia (being more permissive), [19] Ukraine, China, Moldova, Romania, Bulgaria, Belize, Panama and the Seychelles. [20] [21]

Impacts

BPH services act as vital network infrastructure providers for activities such as cybercrime and online illicit economies, [22] and the well-established working model of the cybercrime economies surrounds upon tool development and skill-sharing among peers. [23] The development of exploits, such as zero-day vulnerabilities, are done by a very small community of highly-skilled actors, who encase them in convenient tools which are usually bought by low-skilled actors (known as script kiddies), who make use of BPH providers to carry out cyberattacks, usually targeting low-profile unsophisticated network services and individuals. [24] [25] According to a report produced by Carnegie Mellon University for the United States Department of Defense, low-profile amateur actors are also potent in causing harmful consequences, especially to small businesses, inexperienced internet users, and miniature servers. [26]

Criminal actors also run specialized computer programs on BPH providers knowns as port scanners which scan the entire IPv4 address space for open ports, services run on those open ports, and the version of their service daemons, searching for vulnerable versions for exploitation. [27] One such notable vulnerability scanned by the port scanners is Heartbleed, which affected millions of internet servers. [28] Furthermore, BPH clients also host click fraud, adware (such as DollarRevenue), and money laundering recruitment sites, which lure credulous internet users into honey traps and cause financial losses to the individuals while keeping their illicit sites online, despite court orders and takedown attempts by law enforcement. [29]

Counterinitiatives against BPH

The Spamhaus Project is an international nonprofit organization that monitors cyber threats and provides realtime blacklist reports (known as the "Badness Index") on malicious ASs, netblocks, and registrars that are involved in spam, phishing, or cybercrime activities. The Spamhaus team works closely with law enforcement agencies such as National Cyber-Forensics and Training Alliance (NCFTA) and Federal Bureau of Investigation (FBI), and the data compiled by Spamhaus is used by the majority of the ISPs, email service providers, corporations, educational institutes, governments and uplink gateways of military networks. [30] [31] [32] Spamhaus publishes various data feeds that list netblocks of the criminal actors, and is designed for use by gateways, firewalls and routing equipments to filter out (or "nullroute") traffic originating from these netblocks: [11]

Notable closed services

The following are some of the notable defunct BPH providers:

See also

Related Research Articles

<span class="mw-page-title-main">Spamming</span> Unsolicited electronic messages, especially advertisements

Spamming is the use of messaging systems to send multiple unsolicited messages (spam) to large numbers of recipients for the purpose of commercial advertising, non-commercial proselytizing, or any prohibited purpose, or simply repeatedly sending the same message to the same user. While the most widely recognized form of spam is email spam, the term is applied to similar abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in blogs, wiki spam, online classified ads spam, mobile phone messaging spam, Internet forum spam, junk fax transmissions, social spam, spam mobile apps, television advertising and file sharing spam. It is named after Spam, a luncheon meat, by way of a Monty Python sketch about a restaurant that has Spam in almost every dish in which Vikings annoyingly sing "Spam" repeatedly.

A Domain Name System blocklist, Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service for operation of mail servers to perform a check via a Domain Name System (DNS) query whether a sending host's IP address is blacklisted for email spam. Most mail server software can be configured to check such lists, typically rejecting or flagging messages from such sites.

Various anti-spam techniques are used to prevent email spam.

<span class="mw-page-title-main">Email spam</span> Unsolicited electronic advertising by email

Email spam, also referred to as junk email, spam mail, or simply spam, is unsolicited messages sent in bulk by email (spamming). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoidable, and repetitive. Email spam has steadily grown since the early 1990s, and by 2014 was estimated to account for around 90% of total email traffic.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Netcraft is an Internet services company based in London, England. The company provides cybercrime disruption services across a range of industries.

<span class="mw-page-title-main">The Spamhaus Project</span> Organization targetting email spammers

The Spamhaus Project is an international organisation based in the Principality of Andorra, founded in 1998 by Steve Linford to take action against what they allege to be spammers. The correctness of this assessment by Spamhaus is regularly disputed. If the assessment is based on objective characteristics or on standards set by Spamhaus itself is disputed. The name spamhaus, a pseudo-German expression, was coined by Linford to refer to an internet service provider, or other firm, which spams or knowingly provides service to spammers. Spamhaus has been criticized to purposely hide all direct methods of contact from its webpages to avoid transparency, while asking transparency from others.

SORBS was a list of e-mail servers suspected of sending or relaying spam. It had been augmented with complementary lists that include various other classes of hosts, allowing for customized email rejection by its users.

<span class="mw-page-title-main">CyberBunker</span> Former Internet service provider

CyberBunker was an Internet service provider located in the Netherlands and Germany that, according to its website, "hosted services to any website except child pornography and anything related to terrorism". The company first operated in a former NATO bunker in Zeeland, and later in another former NATO bunker in Traben-Trarbach, Germany.

Brian Krebs is an American journalist and investigative reporter. He is best known for his coverage of profit-seeking cybercriminals. Krebs is the author of a daily blog, KrebsOnSecurity.com, covering computer security and cybercrime. From 1995 to 2009, Krebs was a reporter for The Washington Post and covered tech policy, privacy and computer security as well as authoring the Security Fix blog.

The Russian Business Network is a multi-faceted cybercrime organization, specializing in and in some cases monopolizing personal identity theft for resale. It is the originator of the PHP-based malware kit MPack and an alleged operator of the now defunct Storm botnet.

<span class="mw-page-title-main">Fast flux</span> DNS evasion technique against origin server fingerprinting.

Fast flux is a domain name system (DNS) based evasion technique used by cyber criminals to hide phishing and malware delivery websites behind an ever-changing network of compromised hosts acting as reverse proxies to the backend botnet master—a bulletproof autonomous system. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.

<span class="mw-page-title-main">McColo</span> Defunct web hosting provider used for cybercrime

McColo was a US-based web hosting service provider that was, for a long time, the source of the majority of spam-sending activities for the entire world. In late 2008, the company was shut down by two upstream providers, Global Crossing and Hurricane Electric, because a significant amount of malware and botnets had been trafficking from the McColo servers.

The Rustock botnet was a botnet that operated from around 2006 until March 2011.

The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world's third largest botnet, responsible for 18% of worldwide spam traffic.

<span class="mw-page-title-main">Jart Armin</span> Cybercrime and computer security investigator and analyst

Jart Armin is an investigator, analyst and writer on cybercrime and computer security, and researcher of cybercrime mechanisms and assessment.

There is no commonly agreed single definition of “cybercrime”. It refers to illegal internet-mediated activities that often take place in global electronic networks. Cybercrime is "international" or "transnational" – there are ‘no cyber-borders between countries'. International cybercrimes often challenge the effectiveness of domestic and international law, and law enforcement. Because existing laws in many countries are not tailored to deal with cybercrime, criminals increasingly conduct crimes on the Internet in order to take advantages of the less severe punishments or difficulties of being traced.

Virut is a cybercrime malware botnet, operating at least since 2006, and one of the major botnets and malware distributors on the Internet. In January 2013, its operations were disrupted by the Polish organization Naukowa i Akademicka Sieć Komputerowa.

Festi is a rootkit and a botnet also known by its alias of Spamnost, and is mostly involved in email spam and denial of service attacks. It works under operating systems of the Windows family. Autumn of 2009 was the first time Festi came into the view of the companies engaged in the development and sale of antivirus software. At this time it was estimated that the botnet itself consisted of roughly 25.000 infected machines, while having a spam volume capacity of roughly 2.5 billion spam emails a day. Festi showed the greatest activity in 2011-2012. More recent estimates - dated August 2012 - display that the botnet is sending spam from 250,000 unique IP addresses, a quarter of the total amount of one million detected IP's sending spam mails. The main functionality of botnet Festi is spam sending and implementation of cyberattacks like "distributed denial of service".

<span class="mw-page-title-main">Microsoft Digital Crimes Unit</span> Internet security organization

The Microsoft Digital Crimes Unit (DCU) is a Microsoft sponsored team of international legal and internet security experts employing the latest tools and technologies to stop or interfere with cybercrime and cyber threats. The Microsoft Digital Crimes Unit was assembled in 2008. In 2013, a Cybercrime center for the DCU was opened in Redmond, Washington. There are about 100 members of the DCU stationed just in Redmond, Washington at the original Cybercrime Center. Members of the DCU include lawyers, data scientists, investigators, forensic analysts, and engineers. The DCU has international offices located in major cities such as: Beijing, Berlin, Bogota, Delhi, Dublin, Hong Kong, Sydney, and Washington, D.C. The DCU's main focuses are child protection, copyright infringement and malware crimes. The DCU must work closely with law enforcement to ensure the perpetrators are punished to the full extent of the law. The DCU has taken down many major botnets such as the Citadel, Rustock, and Zeus. Around the world malware has cost users about $113 billion and the DCU's jobs is to shut them down in accordance with the law.

References

  1. 1 2 3 McCoy, Mi & Wang 2017, p. 805.
  2. 1 2 Konte, Feamster & Perdisci 2015, p. 625.
  3. Han, Kumar & Durumic 2021, p. 4.
  4. "Host of Internet Spam Groups Is Cut Off". The Washington Post . 12 November 2008. Archived from the original on 22 June 2020. Retrieved 4 December 2021.
  5. Han, Kumar & Durumic 2021, p. 5-6.
  6. Kerbs, Brian (13 October 2007). "Shadowy Russian Firm Seen as Conduit for Cybercrime". Washington Post . Archived from the original on 15 September 2021. Retrieved 5 January 2022.
  7. Warren, Peter (15 November 2007). "Hunt for Russia's Web Criminals". The Guardian . Archived from the original on 25 November 2021. Retrieved 5 January 2022.
  8. Stone-Gross, Brett; Kruegel, Christopher; Almeroth, Kevin; Moser, Andreas (11 December 2009). FIRE: FInding Rogue nEtworks. Annual Computer Security Applications Conference. Proceedings of the ... Annual Computer Security Applications Conference. Institute of Electrical and Electronics Engineers. p. 231. doi:10.1109/ACSAC.2009.29. ISBN   978-1-4244-5327-6. ISSN   1063-9527.
  9. Krebs, Brain (12 November 2008). "Host of Internet Spam Groups Is Cut Off". The Washington Post . Archived from the original on 27 May 2012. Retrieved 5 January 2022.
  10. Krebs, Brain. "Major Source of Online Scams and Spams Knocked Offline". Archived from the original on 30 September 2021. Retrieved 5 January 2022.
  11. 1 2 Spamhaus Research Team (19 December 2019). "Bulletproof hosting – there's a new kid in town". The Spamhaus Project. Archived from the original on 22 April 2021. Retrieved 21 December 2021.
  12. 1 2 McCoy, Mi & Wang 2017, p. 806.
  13. McCoy, Mi & Wang 2017, p. 811.
  14. Goncharov, Max (15 July 2015). "Criminal Hideouts for Lease: Bulletproof Hosting Services" (PDF). Trend Micro. Archived (PDF) from the original on 19 July 2021. Retrieved 5 December 2021.
  15. Leporini 2015, p. 5.
  16. Clayton & Moore 2008, p. 209.
  17. Konte, Feamster & Jung 2008, p. 10.
  18. Kopp, Strehle & Hohlfeld 2021, p. 2432.
  19. Caesar, Ed (27 July 2020). "The Cold War Bunker That Became Home to a Dark-Web Empire". The New Yorker . Archived from the original on 29 September 2021. Retrieved 5 December 2021.
  20. Thomas, Elise (8 August 2019). "Inside the bulletproof hosting providers that keep the world's worst websites in business". ABC News . Archived from the original on 4 September 2021. Retrieved 5 November 2021.
  21. Richardson, Ronny; North, Max M. (1 January 2017). "Ransomware: Evolution, Mitigation and Prevention". International Management Review. 13 (1). Kennesaw State University: 13.
  22. Collier & Hutchings 2021, p. 1.
  23. Collier & Hutchings 2021, p. 1-2.
  24. Bradbury 2010, p. 17.
  25. Collier & Hutchings 2021, p. 2.
  26. Mead, Nancy R.; Hough, Eric; Stehney, Theodore R. (31 October 2005). Security Quality Requirements Engineering (SQUARE) Methodology (Report). Carnegie Mellon University. doi:10.1184/R1/6583673.v1. Archived from the original on 6 December 2021. Retrieved 6 December 2021.
  27. Durumeric, Zakir; Bailey, Michael; Halderman, J. Alex (August 2014). An internet-wide view of internet-wide scanning. USENIX conference on Security Symposium. USENIX. pp. 65–66. Archived from the original on 2021-12-06. Retrieved 2021-12-06.
  28. Heo, Hawnjo; Shin, Seungwon (May 2018). Who is knocking on the Telnet Port: A Large-Scale Empirical Study of Network Scanning. Asia Conference on Computer and Communications Security. pp. 625–626. doi:10.1145/3196494.3196537. Archived from the original on 2021-12-06. Retrieved 2021-12-06.
  29. Watson, David (2007). "The evolution of web application attacks". Network Security. 2007 (11): 7–12. doi:10.1016/S1353-4858(08)70039-4. ISSN   1353-4858. Archived from the original on 2019-04-10. Retrieved 2021-12-06.
  30. Nandi O. Leslie; Richard E. Harang; Lawrence P. Knachel; Alexander Kott (30 June 2017). "Statistical models for the number of successful cyber intrusions". The Journal of Defense Modeling and Simulation . 15 (1). United States: United States Army Research Laboratory: 49–63. arXiv: 1901.04531 . doi:10.1177/1548512917715342. S2CID   58006624. Archived from the original on 22 December 2021. Retrieved 22 December 2021.
  31. Grauer, Yael (17 January 2016). "Security News This Week: Tim Cook Demands That the White House Defend Encryption". Wired . Archived from the original on 23 April 2021. Retrieved 22 December 2021.
  32. "Corporate Documents: About Spamhaus". Archived from the original on 14 December 2021. Retrieved 22 December 2021.
  33. "The Spamhaus Don't Route Or Peer Lists". The Spamhaus Project. Archived from the original on 21 December 2021. Retrieved 22 December 2021.
  34. "The Domain Block List (DBL)". The Spamhaus Project. Archived from the original on 21 December 2021. Retrieved 22 December 2021.
  35. "Spamhaus Botnet Controller List". The Spamhaus Project. Archived from the original on 26 August 2020. Retrieved 22 December 2021.
  36. Krebs, Brian (28 September 2019). "German Cops Raid 'Cyberbunker 2.0', Arrest 7 in Child Porn, Dark Web Market Sting". Krebs on Security. Archived from the original on 16 May 2021. Retrieved 10 June 2021.
  37. "Major Source of Online Scams and Spams Knocked Offline" Archived 2021-09-30 at the Wayback Machine , The Washington Post, November 2008.
  38. "Security Fix - Russian Business Network: Down, But Not Out". The Washington Post. Archived from the original on 2016-09-26. Retrieved 2016-10-07.
  39. "Scammer-Heavy U.S. ISP Grows More Isolated" Archived 2008-09-06 at the Wayback Machine , The Washington Post, September 2009.
  40. "The Fallout from the 3FN Takedown" Archived 2011-08-10 at the Wayback Machine , The Washington Post, June 2009.
  41. "ISP shuttered for hosting 'witches' brew' of spam, child porn" Archived 2017-08-10 at the Wayback Machine , The Register, May 2010
  42. "Rogue ISP ordered to liquidate, pay FTC $1.08 million" Archived 2012-05-02 at the Wayback Machine , Ars Technica, May 2010.
  43. 'Bulletproof' ISP for crimeware gangs knocked offline Archived 2017-08-10 at the Wayback Machine , , The Register, May 2010.

Bibliography