Bulletproof hosting

BPH first became the subject of research in 2006 when security researchers from VeriSign revealed the Russian Business Network, an internet service provider that hosted a phishing group, was responsible for about $150 million in phishing-related scams. RBN also become known for identity thefts, child pornography, and botnets.{{cite news|url=https://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html|title=Shadowy Russian Firm Seen as Conduit for Cybercrime|first=Brian|last=Kerbs|date=13 October 2007|newspaper=Washington Post|access-date=5 January 2022|url-status=live|archive-date=15 September 2021|archive-url=https://web.archive.org/web/20210915131046/https://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101202461.html}}{{cite news|url=https://www.theguardian.com/technology/2007/nov/15/news.crime|title=Hunt for Russia's Web Criminals|first=Peter|last=Warren|date=15 November 2007|work=The Guardian|access-date=5 January 2022|archive-url=https://web.archive.org/web/20211125005824/https://www.theguardian.com/technology/2007/nov/15/news.crime|archive-date=25 November 2021}}{{cite conference|publisher=Institute of Electrical and Electronics Engineers|date=11 December 2009|doi= 10.1109/ACSAC.2009.29 |isbn=978-1-4244-5327-6|issn= 1063-9527 |conference=Annual Computer Security Applications Conference|title=FIRE: FInding Rogue nEtworks|first1=Brett|last1= Stone-Gross|first2=Christopher |last2=Kruegel|first3=Kevin|last3= Almeroth|author3-link=Kevin Almeroth|first4=Andreas|last4= Moser|journal=Proceedings of the ... Annual Computer Security Applications Conference|page=231}} The following year, McColo, the web hosting provider responsible for more than 75% of global spam was shut down and de-peered by Global Crossing and Hurricane Electric after the public disclosure by then-Washington Post reporter Brian Krebs on his Security Fix blog on that newspaper.{{cite news|url=https://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html|newspaper=The Washington Post|access-date=5 January 2022|first=Brain|last=Krebs|date=12 November 2008|archive-url=https://archive.today/20120527042932/http://www.washingtonpost.com/wp-dyn/content/article/2008/11/12/AR2008111200658.html|archive-date=27 May 2012|title=Host of Internet Spam Groups Is Cut Off|url-status=live}}{{cite news|archive-url=https://web.archive.org/web/20210930120212/http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html|archive-date=30 September 2021|access-date=5 January 2022|url=http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html|title=Major Source of Online Scams and Spams Knocked Offline|first=Brain|last=Krebs}}

Since any abuse reports to the BPH will be disregarded, in most cases, the whole IP block ("netblock") assigned to the BPH's autonomous system will be blacklisted by other providers and third party spam filters. Additionally, BPH also have difficulty in finding network peering points for establishing Border Gateway Protocol sessions, since routing a BPH provider's network can affect the reputation of upstream autonomous systems and transit provider.{{cite web|archive-url=https://web.archive.org/web/20210422115122/https://www.spamhaus.org/news/article/792/bulletproof-hosting-theres-a-new-kid-in-town|publisher=The Spamhaus Project|date=19 December 2019|title=Bulletproof hosting – there's a new kid in town|author=Spamhaus Research Team|archive-date=22 April 2021|url-status=live|url=https://www.spamhaus.org/news/article/792/bulletproof-hosting-theres-a-new-kid-in-town|access-date=21 December 2021}} This makes it difficult for BPH services to provide stable network connectivity, and in extreme cases, they can be completely de-peered;{{sfn|McCoy|Mi|Wang|2017|p=805}} therefore BPH providers evade AS's reputation based fortification such as BGP Ranking and ASwatch through unconventional methodologies.{{sfn|Konte|Feamster|Perdisci|2015|p=625}}

According to a report, due to their mounting difficulties, BPH providers engage in establishing reseller relationships with lower-end hosting providers; although these providers are not complicit in supporting the illegitimate activities, they tend to be lenient on abuse reports and do not actively engage in fraud detection.{{sfn|McCoy|Mi|Wang|2017|p=805}} Therefore, BPH conceals itself behind lower-end hosting providers, leveraging their better reputation and simultaneously operating both bulletproof and legitimate resells through the sub-allocated network blocks.{{sfn|McCoy|Mi|Wang|2017|p=806}} However, if the BPH services are caught, providers of BPH migrate their clients to a newer internet infrastructure—newer lower-end AS, or IP space—effectively making the blacklisted IP addresses of the previous AS ephemeral; thus continuing to engage in criminal conduct by modifying the DNS server's resource records of the listening services and making it point to the newer IP addresses belonging to the current AS's IP space.{{sfn|McCoy|Mi|Wang|2017|p=806}} Due to privacy concerns, the customary modes of contact for BPH providers include ICQ, Skype, and XMPP (or Jabber).{{sfn|McCoy|Mi|Wang|2017|p=811}}{{cite web|url=https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf|publisher=Trend Micro|access-date=5 December 2021|archive-url=https://web.archive.org/web/20210719111342/https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf|archive-date=19 July 2021|url-status=live|title=Criminal Hideouts for Lease: Bulletproof Hosting Services|first=Max|last=Goncharov|date=15 July 2015}}

Most BPH providers promise immunity against copyright infringement and court order takedown notices, notably Digital Millennium Copyright Act (DMCA), Electronic Commerce Directive (ECD) and law enforcement subpoenas. They also allow users to operate phishing, scams (such as high-yield investment program), botnet masters and unlicensed online pharmacy websites. In these cases, the BPH providers (known as "offshore providers") operate in jurisdictions which do not have any extradition treaty or mutual legal assistance treaty (MLAT) signed with the five eye countries, particularly the United States.{{sfn|Leporini|2015|p=5}}{{sfn|Clayton|Moore|2008|p=209}}{{sfn|Konte|Feamster|Jung|2008|p=10}} However, most BPH providers have a zero-tolerance policy towards child pornography and terrorism, although a few allow cold storage of such material given forbidden open-accessibility via the public internet.{{sfn|Kopp|Strehle|Hohlfeld|2021|p=2432}}

Prevalent jurisdictions for incorporation and location of the data centers for BPH providers include Russia (being more permissive),{{cite magazine|url=https://www.newyorker.com/magazine/2020/08/03/the-cold-war-bunker-that-became-home-to-a-dark-web-empire|magazine=The New Yorker|first=Ed|last=Caesar|title=The Cold War Bunker That Became Home to a Dark-Web Empire|date=27 July 2020|access-date=5 December 2021|url-status=live|archive-url=https://web.archive.org/web/20210929052936/https://www.newyorker.com/magazine/2020/08/03/the-cold-war-bunker-that-became-home-to-a-dark-web-empire|archive-date=29 September 2021}} Ukraine, China, Moldova, Romania, Bulgaria, Belize, Panama and the Seychelles.{{cite news|url=https://www.abc.net.au/news/2019-08-09/shining-light-on-the-bulletproof-web-hosts-lurking-in-the-sha/11396986|title=Inside the bulletproof hosting providers that keep the world's worst websites in business|work=ABC News|first=Elise|last=Thomas|date=8 August 2019|archive-url=https://web.archive.org/web/20210904052140/https://www.abc.net.au/news/2019-08-09/shining-light-on-the-bulletproof-web-hosts-lurking-in-the-sha/11396986|archive-date=4 September 2021|url-status=live|access-date=5 November 2021}}{{cite journal|journal= International Management Review |title= Ransomware: Evolution, Mitigation and Prevention |first1=Ronny|last1=Richardson|first2=Max M.|last2=North|publisher=Kennesaw State University|date=1 January 2017|volume=13|issue=1|page=13|url=https://digitalcommons.kennesaw.edu/facpubs/4276/}}

BPH services act as vital network infrastructure providers for activities such as cybercrime and online illicit economies,{{sfn|Collier|Hutchings|2021|p=1}} and the well-established working model of the cybercrime economies surrounds upon tool development and skill-sharing among peers.{{sfn|Collier|Hutchings|2021|p=1-2}} The development of exploits, such as zero-day vulnerabilities, are done by a very small community of highly-skilled actors, who encase them in convenient tools which are usually bought by low-skilled actors (known as script kiddies), who make use of BPH providers to carry out cyberattacks, usually targeting low-profile unsophisticated network services and individuals.{{sfn| Bradbury|2010|p=17}}{{sfn|Collier|Hutchings|2021|p=2}} According to a report produced by Carnegie Mellon University for the United States Department of Defense, low-profile amateur actors are also potent in causing harmful consequences, especially to small businesses, inexperienced internet users, and miniature servers.{{cite report|publisher=Carnegie Mellon University|doi=10.1184/R1/6583673.v1|title=Security Quality Requirements Engineering (SQUARE) Methodology|author1=Mead, Nancy R.|author2=Hough, Eric|author3=Stehney, Theodore R.|date=31 October 2005|url=https://kilthub.cmu.edu/articles/journal_contribution/Security_Quality_Requirements_Engineering_SQUARE_Methodology/6583673/1|access-date=6 December 2021|archive-date=6 December 2021|archive-url=https://web.archive.org/web/20211206172913/https://kilthub.cmu.edu/articles/journal_contribution/Security_Quality_Requirements_Engineering_SQUARE_Methodology/6583673/1|url-status=live}}

Criminal actors also run specialized computer programs on BPH providers knowns as port scanners which scan the entire IPv4 address space for open ports, services run on those open ports, and the version of their service daemons, searching for vulnerable versions for exploitation.{{cite conference|conference=USENIX conference on Security Symposium|publisher=USENIX|date=August 2014|first1=Zakir|last1=Durumeric|first2=Michael|last2=Bailey|first3=J. Alex|last3=Halderman|url=https://dl.acm.org/doi/10.5555/2671225.2671230|pages=65–66|title=An internet-wide view of internet-wide scanning|access-date=2021-12-06|archive-date=2021-12-06|archive-url=https://web.archive.org/web/20211206190144/https://dl.acm.org/doi/10.5555/2671225.2671230|url-status=live}} One such notable vulnerability scanned by the port scanners is Heartbleed, which affected millions of internet servers.{{cite conference|doi=10.1145/3196494.3196537|date=May 2018|conference=Asia Conference on Computer and Communications Security|first1=Hawnjo|last1=Heo|first2=Seungwon|last2=Shin|title=Who is knocking on the Telnet Port: A Large-Scale Empirical Study of Network Scanning|url=https://dl.acm.org/doi/abs/10.1145/3196494.3196537|pages=625–626|access-date=2021-12-06|archive-date=2021-12-06|archive-url=https://web.archive.org/web/20211206213048/https://dl.acm.org/doi/abs/10.1145/3196494.3196537|url-status=live}} Furthermore, BPH clients also host click fraud, adware (such as DollarRevenue), and money laundering recruitment sites, which lure credulous internet users into honey traps and cause financial losses to the individuals while keeping their illicit sites online, despite court orders and takedown attempts by law enforcement.{{cite journal|last=Watson|first=David|title=The evolution of web application attacks|volume=2007|issue=11|issn=1353-4858|doi=10.1016/S1353-4858(08)70039-4|url=https://www.sciencedirect.com/science/article/pii/S1353485808700394|year=2007|journal=Network Security|pages=7–12|access-date=2021-12-06|archive-date=2019-04-10|archive-url=https://web.archive.org/web/20190410072139/https://www.sciencedirect.com/science/article/pii/S1353485808700394|url-status=live}}

The Spamhaus Project is an international nonprofit organization that monitors cyber threats and provides realtime blacklist reports (known as the "Badness Index") on malicious ASs, netblocks, and registrars that are involved in spam, phishing, or cybercrime activities. The Spamhaus team works closely with law enforcement agencies such as National Cyber-Forensics and Training Alliance (NCFTA) and Federal Bureau of Investigation (FBI), and the data compiled by Spamhaus is used by the majority of the ISPs, email service providers, corporations, educational institutes, governments and uplink gateways of military networks.{{cite journal|url=https://journals.sagepub.com/doi/abs/10.1177/1548512917715342|doi=10.1177/1548512917715342|volume=15|issue=1|author1=Nandi O. Leslie|author2=Richard E. Harang|author3=Lawrence P. Knachel|author4=Alexander Kott|journal=The Journal of Defense Modeling and Simulation|publisher=United States Army Research Laboratory|date=30 June 2017|access-date=22 December 2021|location=United States|title=Statistical models for the number of successful cyber intrusions|pages=49–63|arxiv=1901.04531|s2cid=58006624|archive-date=22 December 2021|archive-url=https://web.archive.org/web/20211222050730/https://journals.sagepub.com/doi/abs/10.1177/1548512917715342|url-status=live}}{{cite magazine|url=https://www.wired.com/2016/01/security-news-this-week-tim-cook-demands-that-the-white-house-support-encryption/|magazine=Wired|first=Yael|last=Grauer|date=17 January 2016|title=Security News This Week: Tim Cook Demands That the White House Defend Encryption|access-date=22 December 2021|archive-date=23 April 2021|archive-url=https://web.archive.org/web/20210423130650/https://www.wired.com/2016/01/security-news-this-week-tim-cook-demands-that-the-white-house-support-encryption/|url-status=live}}{{cite web|url=https://www.spamhaus.org/organization/|title=Corporate Documents: About Spamhaus|access-date=22 December 2021|archive-date=14 December 2021|archive-url=https://web.archive.org/web/20211214192203/https://www.spamhaus.org/organization/|url-status=live}} Spamhaus publishes various data feeds that list netblocks of the criminal actors, and is designed for use by gateways, firewalls and routing equipments to filter out (or "nullroute") traffic originating from these netblocks:

• Spamhaus Don't Route Or Peer List (DROP) lists netblocks allocated by an established Regional Internet Registry (RIR) or National Internet Registry (NIR) that are used by criminal actors, and doesn't include abused IP address spaces sub-allocated netblocks of a reputable AS.{{cite web|url=https://www.spamhaus.org/drop/|publisher=The Spamhaus Project|title= The Spamhaus Don't Route Or Peer Lists |archive-url=https://web.archive.org/web/20211221203320/https://www.spamhaus.org/drop/|archive-date=21 December 2021|url-status=live|access-date=22 December 2021}}
• Spamhaus Domain Block List (DBL) lists domain names with poor reputation in DNSBL format.{{cite web|url=https://www.spamhaus.org/dbl/|publisher=The Spamhaus Project|title= The Domain Block List (DBL) |archive-url=https://web.archive.org/web/20211221203312/https://www.spamhaus.org/dbl/|archive-date=21 December 2021|url-status=live|access-date=22 December 2021}}
• Spamhaus Botnet Controller List (BCL) lists single IPv4 addresses of botnet masters.{{cite web|url=https://www.spamhaus.org/bcl/|publisher=The Spamhaus Project|title= Spamhaus Botnet Controller List |archive-url=https://web.archive.org/web/20200826014515/https://www.spamhaus.org/bcl/|archive-date=26 August 2020|url-status=live|access-date=22 December 2021}}

The following are some of the notable defunct BPH providers:

• CyberBunker, taken down in September 2019.{{cite web |url=https://krebsonsecurity.com/2019/09/german-cops-raid-cyberbunker-2-0-arrest-7-in-child-porn-dark-web-market-sting/ |title=German Cops Raid 'Cyberbunker 2.0', Arrest 7 in Child Porn, Dark Web Market Sting |date=28 September 2019 |access-date=10 June 2021 |last=Krebs |first=Brian |website=Krebs on Security |archive-date=16 May 2021 |archive-url=https://web.archive.org/web/20210516001959/https://krebsonsecurity.com/2019/09/german-cops-raid-cyberbunker-2-0-arrest-7-in-child-porn-dark-web-market-sting/ |url-status=live }}
• McColo, taken down in November 2008.[http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html "Major Source of Online Scams and Spams Knocked Offline"] {{Webarchive|url=https://web.archive.org/web/20210930120212/http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html |date=2021-09-30 }}, The Washington Post, November 2008.
• Russian Business Network (RBN), taken down in November 2007.{{Cite news|url=http://voices.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html|title=Security Fix - Russian Business Network: Down, But Not Out|access-date=2016-10-07|newspaper=The Washington Post|archive-date=2016-09-26|archive-url=https://web.archive.org/web/20160926060346/http://voices.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html|url-status=dead}}
• Atrivo, taken down in September 2008.[http://voices.washingtonpost.com/securityfix/2008/09/scam-heavy_us_isp_grows_more_i.html "Scammer-Heavy U.S. ISP Grows More Isolated"] {{Webarchive|url=https://web.archive.org/web/20080906041355/http://voices.washingtonpost.com/securityfix/2008/09/scam-heavy_us_isp_grows_more_i.html |date=2008-09-06 }}, The Washington Post, September 2009.
• 3FN, taken down by FTC in June 2009.[http://voices.washingtonpost.com/securityfix/2009/06/the_fallout_from_the_3fn_taked.html "The Fallout from the 3FN Takedown"] {{Webarchive|url=https://web.archive.org/web/20110810224959/http://voices.washingtonpost.com/securityfix/2009/06/the_fallout_from_the_3fn_taked.html |date=2011-08-10 }}, The Washington Post, June 2009.[https://www.theregister.co.uk/2010/05/19/3fn_permanently_shuttered/ "ISP shuttered for hosting 'witches' brew' of spam, child porn"] {{Webarchive|url=https://web.archive.org/web/20170810210356/https://www.theregister.co.uk/2010/05/19/3fn_permanently_shuttered/ |date=2017-08-10 }}, The Register, May 2010[https://arstechnica.com/tech-policy/news/2010/05/rogue-isp-ordered-to-liquidate-owes-ftc-108-million.ars "Rogue ISP ordered to liquidate, pay FTC $1.08 million"] {{Webarchive|url=https://web.archive.org/web/20120502123443/http://arstechnica.com/tech-policy/news/2010/05/rogue-isp-ordered-to-liquidate-owes-ftc-108-million.ars |date=2012-05-02 }}, Ars Technica, May 2010.
• Proxiez, taken down in May 2010.[https://www.theregister.co.uk/2010/05/14/zeus_friendly_proxiez_mia/ 'Bulletproof' ISP for crimeware gangs knocked offline] {{Webarchive|url=https://web.archive.org/web/20170810205913/https://www.theregister.co.uk/2010/05/14/zeus_friendly_proxiez_mia/ |date=2017-08-10 }}, The Register, May 2010.

• Freedom Hosting
• Fast flux
• Security theater

{{Reflist}}

• {{cite book|doi= 10.1109/SP.2017.32|isbn= 978-1-5090-5533-3|first1=Damon|last1=McCoy|first2=Xianghang|last2=Mi|first3=Xiofeng|last3=Wang |title= 2017 IEEE Symposium on Security and Privacy (SP)|chapter= Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks|date=26 June 2017|pages= 805–823|publisher=New York University|s2cid= 1593958|chapter-url=https://ieeexplore.ieee.org/document/7958611}}
• {{cite web|title=On the Infrastructure Providers that Support Misinformation|url=https://zakird.com/papers/misinfo-infra-preprint.pdf|access-date=4 December 2021|first1=Catherine|last1=Han|first2=Deepak|last2=Kumar|first3=Zakir|last3=Durumic|archive-url=https://web.archive.org/web/20210825043611/https://zakird.com/papers/misinfo-infra-preprint.pdf|archive-date=25 August 2021|url-status=live|publisher=Stanford University|year=2021}}
• {{cite journal|journal=ACM SIGCOMM Comput. Commun. Rev.|volume=45|issue=4|date=17 August 2015|doi=10.1145/2829988.2787494|title=ASwatch: An AS Reputation System to Expose Bulletproof Hosting ASes|url=https://dl.acm.org/doi/10.1145/2829988.2787494|issn= 0146-4833|location=New York, United States|first1=Maria|last1=Konte|first2=Nick|last2=Feamster|first3=Roberto|last3=Perdisci|pages=625–638 }}
• {{cite conference|publisher=International Broadcasting Convention|location=Amsterdam, Netherlands|year=2015|isbn= 978-1-78561-185-8|doi= 10.1049/ibc.2015.0013|first=Dino|last=Leporini|work=University of Pisa|title= Architectures and protocols powering illegal content streaming over the Internet|pages=7 |url=https://digital-library.theiet.org/content/conferences/10.1049/ibc.2015.0013}}
• {{cite book|doi=10.1007/978-0-387-09762-6_10|date= 22 December 2008|isbn= 978-0-387-09761-9|publisher=Springer Publishing|location=Boston|first1=Richard|last1=Clayton|first2=Tyler|last2=Moore|title=Managing Information Risk and the Economics of Security |chapter=The Impact of Incentives on Notice and Take-down |pages=199–223|chapter-url=https://link.springer.com/chapter/10.1007%2F978-0-387-09762-6_10}}
• {{cite book|doi=10.1145/3460120.3485352|chapter=CyberBunker 2.0 - A Domain and Traffic Perspective on a Bulletproof Hoster|date=November 2021|first1=Daniel|last1=Kopp|first2=Eric|last2=Strehle|first3=Oliver|last3=Hohlfeld|title=Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security|pages=2432–2434|publisher=Association for Computing Machinery, Brandenburg University of Technology|arxiv=2109.06858|isbn=9781450384544|s2cid=237503582|chapter-url=https://dl.acm.org/doi/abs/10.1145/3460120.3485352}}
• {{cite journal|doi=10.1093/bjc/azab026|url=https://academic.oup.com/bjc/article/61/5/1407/6226588|last1=Collier|first1=Benjamin|last2=Hutchings|first2=Alice|journal= The British Journal of Criminology|title=Cybercrime is (often) boring: maintaining the infrastructure of cybercrime economies|publisher=Oxford University Press|date=15 April 2021|volume=61|issue=5|doi-access=free|hdl=20.500.11820/68a9a01b-f7c3-4fcb-9128-66caf04a4684|hdl-access=free}}
• {{cite journal|journal=Infosecurity|volume=7|issue=5|title= Digging up the hacking underground|first=Danny|last=Bradbury|issn= 1754-4548|doi=10.1016/S1754-4548(10)70084-X|url= https://www.sciencedirect.com/science/article/pii/S175445481070084X|date=15 October 2010|pages=14–17}}
• {{cite journal|publisher=Internet Corporation for Assigned Names and Numbers|journal=Security and Stability Advisory Committee |title=SAC 025: SSAC Advisory on Fast Flux Hosting and DNS|url=https://www.icann.org/en/system/files/files/sac-025-en.pdf|date=January 2008|issue=1|first1=M.|last1=Konte|first2=N.|last2=Feamster|first3=J.|last3=Jung|archive-url=https://web.archive.org/web/20211122051539/https://www.icann.org/en/system/files/files/sac-025-en.pdf|archive-date=22 November 2021|access-date=12 December 2021|url-status=live}}

{{DEFAULTSORT:Bulletproof Hosting}}

Category:Web hosting

Category:Spamming

Category:Cybercrime