DDoS-Guard

Last updated

DDoS-Guard
Industry Web services
Founded2011;13 years ago (2011)
FounderEvgeny Marchenko
Headquarters
Services Denial-of-service attack protection, content delivery network services, web hosting
Website ddos-guard.net

DDoS-Guard is a Russian Internet infrastructure company which provides DDoS protection and web hosting services. [1] [2] Researchers and journalists have alleged that many of DDoS-Guard's clients are engaged in criminal activity, and investigative reporter Brian Krebs reported in January 2021 that a "vast number" of the websites hosted by DDoS-Guard are "phishing sites and domains tied to cybercrime services or forums online". [3] [1] Some of DDoS-Guard's notable clients have included the Palestinian Islamic militant nationalist movement Hamas, American alt-tech social network Parler, and various groups associated with the Russian state. [3] [4] [1]

Contents

Company

DDoS-Guard is based in Russia, as are most of its employees. [5] The service has existed since 2011. [6] The company was first registered in July 2014 in Sevastopol, by Evgeny Marchenko and Dmitry Sabitov, two Russians formerly from Ukraine. [3] The company is incorporated in Scotland as Cognitive Cloud LP and in Belize as DDoS-Guard Corp. [5] The company runs traffic filtering nodes on clusters located in Russia, Germany, the Netherlands, and Japan. [6]

A company with the same name, owned by the same men, had previously existed in Ukraine since 2011, though spokespeople for the company have said this was only an early stage company created while the software was being developed. The spokespeople stated that DDoS-Guard has always been based in Russia, in Rostov-on-Don, although Meduza reported that the office in that city didn't open until 2015. Meduza reported that the company apparently relocated to Russia after Ukrainian national security and cyberpolice officers began investigations into the company due to its choice to host Verified, a forum notorious for platforming credit card scammers. DDoS-Guard has denied knowledge of the investigation. [3]

In 2021, a researcher observed the DDoS-Guard appeared to have no physical presence in Belize and had likely incorporated there to gain access to IP addresses normally only allocated to local entities. Of more than 11,000 IP addresses assigned to DDoS-Guard's two subsidiaries, the researcher found two thirds had been provided to the Belizean company by LACNIC, the regional Internet registry responsible for Latin America and the Caribbean. DDoS-Guard has rebutted the allegations, and said they do have a presence in Belize. After the researcher reported DDoS-Guard to LACNIC, LACNIC announced they would revoke more than 8,000 IP addresses from the company. [5]

On 1 June 2021, cyber-intelligence company Group-IB reported that they had found DDoS-Guard's database, containing site IP addresses, names, and payment information along with its full source code, for purchase on a cybercrime black market forum. The authenticity of the allegedly stolen data was unverified. [7] [8]

Clients

Meduza has reported that, according to a former employee, DDoS-Guard has a history of working with customers who operate on the darknet. The employee has said this is because they can charge higher rates to such customers, who have a much smaller range of choices of Internet service providers willing to work with them, and who often especially need website security services. [3] Some of DDoS-Guard's other clients have included the Palestinian Islamic militant nationalist movement Hamas, [1] the cyberstalking site Kiwi Farms, [9] and the imageboard 8kun, formerly known as 8chan, which is the online home of the American far-right QAnon conspiracy theory. [10] [11] [12] [13] The company said they ended services for both Hamas and 8chan after learning about the content on the sites from news sources. [10] DDoS-Guard has ended services for various clients after being informed of their activities by journalists, but Meduza wrote that the company would likely need to deny services for a large portion of its client base if they were to proactively monitor for criminal activity. [3] Brian Krebs, an investigative reporter focusing on cybercrime, wrote in January 2021 that a "review of the several thousand websites hosted by DDoS-Guard is revelatory, as it includes a vast number of phishing sites and domains tied to cybercrime services or forums online." [1] [3] [14]

DDoS-Guard is suspected of hosting multiple Internet scammers responsible for stealing banking data, and one of the world's largest online stores for illegal drugs operates using infrastructure associated with DDoS-Guard. [3] DDoS-Guard also provides services to The Daily Stormer , [15] an American neo-Nazi, white supremacist, and Holocaust denial website and message board. [16]

In December 2022, the European Commission added DDoS-Guard to its "Counterfeit and Piracy Watch List" based on input from copyright holders, which alleged that they were facilitating piracy. [17] Piracy websites that have used the service include Nyaa Torrents and MangaDex. [18]

Verified

Verified is a platform which Meduza has described as "one of the Internet's oldest and most notorious Russian-language forums for credit-card scammers". Meduza reported that beginning in the spring of 2013, Ukrainian national security and cyberpolice began investigating DDoS-Guard for allegedly servicing this platform, and has said this investigation likely led DDoS-Guard to reincarnate itself as a Russian company in 2014. DDoS-Guard has said they have no knowledge of such an investigation. [3]

Russian state

In January 2014, before DDoS-Guard moved to Russia, the company partnered with one of the largest domain registrars in the country, REG.RU. Shortly after, the company began working with clients associated with the Russian state. [3] Beginning in 2016, DDoS-Guard began providing denial-of-service protection to the Russian Ministry of Defence. [3] [4] In 2018, DDoS-Guard helped test the Russian state's deep packet inspection systems. DDoS-Guard works closely with the Russian Central Bank. [3]

HKLeaks

DDoS-Guard hosted a website dedicated to doxing those who participated in the 2019–20 Hong Kong protests. In October 2019, DDoS-Guard acknowledged its business with the doxxing campaign, referring to HKLeaks as "our customer". The company said that they stay out of politics and they receive thousands of abuses claiming that their customer violates the law, but "no legal proofs". [3]

Parler

DDoS-Guard was as of January 2021 providing denial-of-service attack protection services to Parler, an American alt-tech social network which was deplatformed by Amazon Web Services and other Internet service providers after the 2021 United States Capitol attack. [4] [19] Wired noted that Parler's choice to use a Russian company for DDoS protection "could expose its users to Russian surveillance if the site someday does relaunch in full with DDoS-Guard" because of the Russian government's projects to isolate the country's internet. [19] In January 2021, the United States House Committee on Oversight and Reform began an investigation into Parler in which they asked Parler for, among other things, information about agreements, documents, and communications with Russian entities. In the letter to Parler requesting this information, committee chair Carolyn Maloney described DDoS-Guard as a company "which has ties to the Russian government and counts the Russian Ministry of Defense as one of its clients". [14]

Kiwi Farms

DDoS-Guard briefly provided denial-of-service attack protection to online stalking and harassment forum Kiwi Farms after Cloudflare canceled services to the site on 3 September 2022. [20] On 5 September 2022, DDoS-Guard dropped them as a client, writing that they had followed a policy of "net neutrality" for years; "however, there are things that are unacceptable for us under any circumstances". [21] They wrote that after receiving multiple complaints, they "analyzed the content of the site" and decided to end service. [22]

FitGirl Repacks

DDoS-Guard provides services for the popular video game piracy website FitGirl Repacks. [23] In 2021, FitGirl Repacks had a dispute with its domain name registrar PublicDomainRegistry (and moved to a different registrar) after The Spamhaus Project named the site on a block list. [23] TorrentFreak stated that the incident may have been caused by other customers of DDoS-Guard engaging in spamming. [23]

Sci-Hub

In 2017, a U.S. court ordered all internet infrastructure companies to stop doing business with Sci-Hub, the shadow library which shares scholarly papers without regard to copyright. [24] [25] As a result, Sci-Hub switched from Cloudflare to DDoS-Guard for DDoS protection. [25] [8] Sci-Hub founder Alexandra Elbakyan says that DDoS-Guard initially contacted her, and that the company volunteered that it works with piracy sites including Rutracker.org. [25] Some experts identify Sci-Hub's use of DDoS-Guard as a security risk given its involvement with the Russian state and that it could monitor Sci-Hub's traffic. [25] Elbakyan says she pays DDoS-Guard about US$1,000 per month (one sixth of Sci-Hub's operating budget), all for DDoS protection; an expert found this amount credible. [25]

Projects

In January 2014, the company partnered with one of the largest domain registrars in the country, REG.RU. [26] In October 2017, DDoS-Guard's software was integrated with ispmanager web hosting control panel. [27]

See also

Related Research Articles

<span class="mw-page-title-main">Denial-of-service attack</span> Type of cyber-attack

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The range of attacks varies widely, spanning from inundating a server with millions of requests to slow its performance, overwhelming a server with a substantial amount of invalid data, to submitting requests with an illegitimate IP address.

Brian Krebs is an American journalist and investigative reporter. He is best known for his coverage of profit-seeking cybercriminals. Krebs is the author of a daily blog, KrebsOnSecurity.com, covering computer security and cybercrime. From 1995 to 2009, Krebs was a reporter for The Washington Post and covered tech policy, privacy and computer security as well as authoring the Security Fix blog.

<span class="mw-page-title-main">Parler</span> American alt-tech social networking service

Parler is an American alt-tech social networking service associated with conservatives. Launched in August 2018, Parler marketed itself as a free speech-focused and unbiased alternative to mainstream social networks such as Twitter and Facebook. Journalists described Parler as an alt-tech alternative to Twitter, with its users including those banned from mainstream social networks or who oppose their moderation policies.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546

An imageboard is a type of Internet forum that focuses on the posting of images, often alongside text and discussion. The first imageboards were created in Japan as an extension of the textboard concept. These sites later inspired the creation of a number of English-language imageboards.

<span class="mw-page-title-main">Cloudflare</span> American technology company

Cloudflare, Inc. is an American company that provides content delivery network services, cloud cybersecurity, DDoS mitigation, wide area network services, Domain Name Service, and ICANN-accredited domain registration services. Cloudflare's headquarters are in San Francisco, California. According to W3Techs, Cloudflare is used by more than 19% of the Internet for its web security services, as of 2024.

<span class="mw-page-title-main">Nyaa Torrents</span> File sharing website focused on East Asian media

Nyaa Torrents is a BitTorrent website focused on East Asian media. It is one of the largest public anime-dedicated torrent indexes.

<span class="mw-page-title-main">8chan</span> Imageboard website

8kun, previously called 8chan, Infinitechan or Infinitychan, is an imageboard website composed of user-created message boards. An owner moderates each board, with minimal interaction from site administration. The site has been linked to white supremacism, neo-Nazism, the alt-right, racism and antisemitism, hate crimes, and multiple mass shootings. The site has been known to host child pornography; as a result, it was filtered out from Google Search in 2015. Several of the site's boards played an active role in the Gamergate harassment campaign, encouraging Gamergate affiliates to frequent 8chan after 4chan banned the topic. 8chan is the origin and main center of activity of the discredited QAnon conspiracy theory.

Voat Inc was an American alt-tech news aggregator and social networking service where registered community members could submit content such as text posts and direct links. Registered users could then vote on these submissions. Content entries were organized by areas of interest called "subverses". The website was widely described as a Reddit clone and a hub for the alt-right. Voat CEO Justin Chastain made an announcement on December 22, 2020 that Voat would shut down. The site was shut down on December 25, 2020.

<span class="mw-page-title-main">Library Genesis</span> File-sharing website for print publications

Library Genesis (LibGen) is a shadow library project for file-sharing access to scholarly journal articles, academic and general-interest books, images, comics, audiobooks, and magazines. The site enables free access to content that is otherwise paywalled or not digitized elsewhere. LibGen describes itself as a "links aggregator", providing a searchable database of items "collected from publicly available public Internet resources" as well as files uploaded "from users".

<span class="mw-page-title-main">Sci-Hub</span> Scientific research paper file sharing website

Sci-Hub is a shadow library website that provides free access to millions of research papers, regardless of copyright, by bypassing publishers' paywalls in various ways. Unlike Library Genesis, it does not provide access to books. Sci-Hub was founded in Kazakhstan by Alexandra Elbakyan in 2011, in response to the high cost of research papers behind paywalls. The site is extensively used worldwide. In September 2019, the site's operator(s) said that it served approximately 400,000 requests per day. In addition to its intensive use, Sci-Hub stands out among other shadow libraries because of its easy use/reliability and because of the enormous size of its collection; a 2018 study estimated that Sci-Hub provided access to 95% of all scholarly publications with issued DOI numbers, and on 15 July 2022, Sci-Hub reported that its collection comprised 88,343,822 files. However, due to legal troubles the site has paused uploads.

TamilRockers is a torrent website based in India which facilitates the distribution of copyrighted material, including television shows, movies, music and videos. The site allows visitors to search for and download copyrighted material with the help of magnet links and torrent files, which facilitate peer-to-peer file sharing. It also operates multiple Telegram channels and groups with thousands of subscribers. TamilRockers is the tenth most popular torrent site in TorrentFreak's Top 10 Most Popular Torrent Sites of 2020 list.

BlackVPN was a VPN service offered by the Hong Kong-based company BlackVPN Limited. BlackVPN featured AES-256 encryption and DNS leak protection. The service offered apps or manual configurations for Windows, Mac, iOS, Android, Linux, and routers. The company also maintained a strict no-logging policy.

<span class="mw-page-title-main">Kiwi Farms</span> Web forum

Kiwi Farms, formerly known as CWCki Forums, is a web forum that facilitates the discussion and harassment of online figures and communities. Their targets are often subject to organized group trolling and stalking, as well as doxxing and real-life harassment. These actions have tied Kiwi Farms to the suicides of three people targeted by members of the forum.

Epik is an American domain registrar and web hosting company known for providing services to alt-tech websites that host far-right, neo-Nazi, and other extremist materials. It has been described as a "safehaven for the extreme right" because of its willingness to provide services to far-right websites that have been denied service by other Internet service providers.

Nicholas Lim is a technology entrepreneur and software developer based in Vancouver, Washington. Lim and his companies provide services to alt-tech, far-right and neo-Nazi websites, such as The Daily Stormer, a neo-Nazi message board website, 8chan, the home of the far-right QAnon conspiracy theory, and Kiwi Farms, a harassment and anti-trans forum. In 2017, Lim founded BitMitigate, a website security company which in 2019 was acquired by Epik, an America based registrar and hosting company company. In 2019 he founded VanwaTech, a webhosting and website security company.

<span class="mw-page-title-main">Aubrey Cottle</span> Webmaster

Aubrey Cottle, also known as Kirtaner or Kirt, is a Canadian website forum administrator who claims to be an early member of the hacktivist group Anonymous. Cottle was involved with Anonymous during the late 2000s and in its resurgence beginning in 2020, in which the group attempted to combat the far-right conspiracy movement QAnon.

<span class="mw-page-title-main">MangaDex</span> Manga aggregation website

MangaDex is a nonprofit website that aggregates translations of manga, manhwa, and manhua. Content on the website is usually unofficial, uploaded by "scanlation" groups, but links to official services like Manga Plus and Bilibili Comics are also provided on the website. MangaDex was started in 2018 by developer Hologfx, and is funded through user donations and affiliate programs. The website is blocked in several countries, including Italy and Russia.

<span class="mw-page-title-main">Operation PowerOFF</span> Joint operation to close DDoS websites

Operation PowerOFF is an ongoing joint operation by the FBI, EUROPOL, the Dutch National Police Corps, German Federal Criminal Police Office, Poland Cybercrime Police and the UK National Crime Agency to close "booter/stresser" services offering DDoS attack services for hire. Beginning in 2018, the operation shut down 48 websites offering DDoS services, and six people were arrested in the United States. Multiple companies, including Cloudflare, PayPal, and DigitalOcean provided information to the FBI to assist in the seizure.

ispmanager Web-hosting control software

Ispmanager is commercial web server and website panel control panel. It permits working with services without using a command line or manual settings. The product supports a wide range of functions and has a visual interface designed with WCAG. Ispmanager supports servers based on Linux distributions and can be installed on both physical servers and virtual machines (VPS/VDS).

References

  1. 1 2 3 4 5 Krebs, Brian (21 January 2021). "Hamas May Be Threat to 8chan, QAnon Online". Krebs on Security. Archived from the original on 5 January 2021. Retrieved 19 January 2021.
  2. Murdock, Jason (19 January 2021). "Parler website back thanks to Russian-owned company DDos-Guard". Newsweek . Archived from the original on 19 January 2021. Retrieved 19 January 2021.
  3. 1 2 3 4 5 6 7 8 9 10 11 12 13 Kolomychenko, Maria (29 January 2021). Igumenov, Valery (ed.). "'Remove this infection from your network': The small Russian company that 'saved' Parler has other, far more odious clients". Meduza . Translated by Kevin Rothrock. Retrieved 9 February 2021.
  4. 1 2 3 "Parler website partially returns with support from Russian-owned technology firm". The Guardian . Reuters. 18 January 2021. Retrieved 9 February 2021.
  5. 1 2 3 Krebs, Brian (21 January 2021). "DDoS-Guard To Forfeit Internet Space Occupied by Parler — Krebs on Security". Krebs on Security. Archived from the original on 21 January 2021. Retrieved 9 February 2021.
  6. 1 2 "Обзор DDoS-GUARD". Anti-Malware.ru (in Russian). 25 April 2017. Retrieved 6 September 2022.
  7. "Database, source code allegedly related to bulletproof hosting, once Parler's service provider, up for sale on hacker forum" (Press release). Group-IB. 1 June 2021. Retrieved 24 October 2022.
  8. 1 2 Maxwell, Andy. "Database of 'Pirate Site Haven' DDoS-Guard is Reportedly Up For Sale (Updated)". TorrentFreak . Retrieved 3 June 2021.
  9. "Citing imminent danger Cloudflare drops hate site Kiwi Farms". The Associated Press . 4 September 2022. Retrieved 4 September 2022.
  10. 1 2 Paul, Kari; Harding, Luke; Carrell, Severin (15 January 2021). "Far-right website 8kun again loses internet service protection following Capitol attack". The Guardian . Archived from the original on 15 January 2021. Retrieved 19 January 2021.
  11. Weill, Kelly (12 November 2020). "QAnon's Home 8kun Is Imploding—and Q Has Gone Silent". The Daily Beast . Retrieved 21 January 2021.
  12. Thomas, Elise (17 February 2020). "Qanon Deploys 'Information Warfare' to Influence the 2020 Election". Wired . ISSN   1059-1028 . Retrieved 21 January 2021.
  13. 1 2 Cox, Kate (18 January 2021). "Parler seems to be sliding back onto the Internet, but not onto mobile". Ars Technica . Archived from the original on 18 January 2021. Retrieved 9 February 2021.
  14. Barrett, Brian (23 January 2021). "The FTC Cracks Down on Bot-Wielding Ticket Scalpers". Wired . ISSN   1059-1028 . Retrieved 9 February 2021.
  15. O'Brien, Luke (19 January 2018). "American Neo-Nazi Is Using Holocaust Denial As A Legal Defense". HuffPost . Archived from the original on 23 April 2018. Retrieved 25 April 2018.
  16. Van der Sar, Ernesto (8 December 2022). "EU Adds Mega, FMovies and DDoS-Guard to "Piracy Watchlist"". Torrent Freak.
  17. Van der Sar, Ernesto (8 June 2021). "Why is Verizon Blocking Pirate Sites Such as NYAA and Mangadex?". TorrentFreak.
  18. 1 2 Newman, Lily Hay (20 January 2021). "Parler Finds a Reprieve in Russia—but Not a Solution". Wired . ISSN   1059-1028 . Retrieved 20 January 2021.
  19. "Citing imminent danger Cloudflare drops hate site Kiwi Farms". Associated Press . 4 September 2022. Retrieved 5 September 2022.
  20. "Российская компания DDoS-Guard прекратила обслуживать форум Kiwi Farms". www.kommersant.ru (in Russian). 5 September 2022. Retrieved 5 September 2022.
  21. "2nd web-hosting provider drops harassment site Kiwi Farms". The Associated Press . 5 September 2022. Retrieved 6 September 2022.
  22. 1 2 3 Maxwell, Andy (30 August 2021). "FitGirl Pirate Repacker Warns Domain Name Could Be Lost, Perhaps Forever". TorrentFreak . Retrieved 1 November 2022.
  23. Singh Chawla, Dalmeet (6 November 2017). "Court demands that search engines and internet service providers block Sci-Hub". News from Science. AAAS/Science. Retrieved 1 November 2022.
  24. 1 2 3 4 5 Grassegger, Hannes (12 March 2022). "Hackerin verschenkt Milliarden – "Bei jeder Anfrage eines Journalisten denke ich, es sei ein Agent, der kommt, um mich zu töten"" [Hacker gives away billions — 'With every request from a journalist, I think it is an agent coming to kill me']. Das Magazin (in German). Zurich: Tages-Anzeiger. Archived from the original on 10 October 2022.
  25. "Хостинг-провайдер Reg.ru включил дополнительную защиту от DDoS-атак". The Village (in Russian). Retrieved 5 September 2022.
  26. "DDoS-GUARD: DDoS protection module for ispmanager |". www.ispmanager.com. Retrieved 29 August 2024.