Bulletproof Hosting: Cutting off the facilitators
Behind every bulletproof host sits a chain of facilitators: IP address brokers, network carriers, and datacenters whose services are essential to keeping criminal operations online. This post explores how Spamhaus targets those facilitators, and why steadily shrinking their options is one of the most effective long-term strategies for disruption.
Introduction
Like any other type of internet abuse, bulletproof hosting does not happen out of thin air; it is enabled by entities providing services to such cybercrime operations – either deliberately or due to poor customer vetting and abuse prevention. The majority of contemporary bulletproof hosters follow a non-monolithic approach we outlined previously, designed to increase operational stability and impede investigations or takedown efforts. However, while this made the actual bulletproof hosters more volatile, their facilitators remain sitting ducks – and going after them remains worthwhile to keep criminals grounded.
(Bulletproof) Hosting facilitators: A brief refresher
Whether the intended audience is legitimate or criminal, setting up a hosting business requires a variety of adjacent services: a corporate entity needs to be set up, and customer management, billing and support ticket systems must be in place. To advertise and sell their services, legitimate businesses require a decent website; for bulletproof hosters, a presence on Telegram and relevant underground forums might be more effective.
An array of network-related components is also required:
- Datacenter services, commonly using colocation offerings
- IP address space
- Commonly, a dedicated Autonomous System
- Network uplinks, potentially including DDoS mitigation services
- If domain registration services are to be offered, cooperation with an ICANN-accredited registrar is necessary, often through reseller schemes
Although the exact procedure and its difficulty depend on the jurisdiction chosen, establishing a corporate entity and registering an Autonomous System to it are generally relatively straightforward steps. So is obtaining IPv6 address space, handed out by Regional Internet Registries (RIRs) in large (at times excessive, a problem coined "IPv6 stockpiling") quantities.
IPv4 address space, for which there is a long waiting list at any RIR, poses a bigger hurdle. Although IPv6-only hosting providers surface here and there, and internet service providers frequently deploy technologies such as carrier-grade NAT to provide their clients with IPv4 connectivity despite the shortage of IPv4 addresses, server or service hosting typically comes with a demand for a dedicated IPv4 address. (Spamhaus currently assesses that bulletproof hosting in particular remains a largely IPv4-dominated internet abuse phenomenon.) Thus, alternative sources of IPv4 address space are needed, and this is where IP address brokers come into play. Emerging hosting providers, legitimate and criminal alike, commonly make use of IP address broker services.
With these requirements out of the way, connectivity remains: The availability of network uplinks depends on a datacenter’s characteristics, although most established ones strive for “carrier neutrality,” offering customers a variety of uplinks to connect to directly. A datacenter may also offer to connect a customer to its own network, typically done for customers without a dedicated Autonomous System, or those who do not wish to shoulder the burden of negotiating and setting up connectivity via a third-party carrier.
Such connectivity setups involving the datacenter’s own network frequently disclose a customer’s physical hosting location – an information leak most legitimate entities (perhaps except high-risk/high-profile ones, e.g. financial or governmental institutions) may be comfortable with. Bulletproof hosting providers, however, are not: Spamhaus frequently observes miscreants attempting to stay away from such location-disclosing connectivity setups.
Identifying the chokepoints
Bulletproof hosting is a persistent cybercrime cornerstone. Thus, Spamhaus has an interest in not only identifying and tracking bulletproof hosters, but also disrupting them. Including their network assets in Spamhaus blocklists ensures Spamhaus users are protected from security threats emanating from bulletproof hosters (and their customers).
However, Spamhaus’ mission also encompasses holding internet abuse enablers to account: Without going after them as well, tackling single cybercrime operations (such as individual bulletproof hosters) remains an unsustainable treatment of symptoms, rather than attempting to cure the root cause.
Of the facilitator types listed above, IP(v4) address brokers and network connectivity providers represent prime targets: Their services are essential, difficult to obtain independently, and available from a finite number of sources only.
Beneficially from a cybercrime fighter’s perspective, the larger the IP address broker or carrier, the more likely it is that effective abuse countermeasures (most importantly, robust customer vetting) are in place, reducing the likelihood of miscreants being able to subscribe in the first place.
Although major carriers occasionally accept bulletproof hosting customers (mostly through poorly secured reseller schemes), such rogue customers often find stability at intermediaries, which commonly play the card of “sorry, we had a really bad customer” if pressure from the anti-abuse scene becomes too high. Badness density at such intermediaries varies greatly, with some catering to many legitimate downstream customers to conceal a smaller number of rogue ones, occasionally even going the extra mile of maintaining a presence in governing bodies and national internet service provider associations.
Spamhaus Blocklist (SBL) anvils from low orbit
Spamhaus’ SBL dataset, for which bulletproof hosting and its proliferation is an inclusion criterion, may be our sharpest tool in the box. In line with the SBL escalation policy, IP address brokers and network carriers providing services to bulletproof hosting operations will see their networks being included in SBL – particularly if they do so repeatedly, or ignore abuse reports concerning such incidents.
The pattern is always the same: Even the most stubborn bulletproof hosting facilitators eventually change their mind, strengthen abuse prevention, and retract services from rogue customers. It is a tedious process, but eventually leaves miscreants with one less option to choose from. On several occasions, Spamhaus observed criminals sharing lessons from SBL escalations, such as to avoid certain facilitators in the future – beneficial for those facilitators too, as it reduces the onslaught of bad customers.
From an investigator’s perspective, a facilitator’s response to SBL listings is particularly interesting. Legitimate organizations will respond swiftly and provide a credible explanation of the incident’s root cause, how it was solved, and the countermeasures in place to ensure it will not occur again. On the other hand, rogue IP address brokers may drag their feet, send in overly specific denials (“the customer does not have access to this network anymore”), or respond only after their nefarious client has left their services anyway. When subjected to SBL escalation listings, some IP brokers deliberately lease listed prefixes to new, legitimate (and unsuspecting) customers, seemingly attempting to coerce SBL listing removal.
Needless to say, such behavioral patterns, positive and negative, go into Spamhaus’ reputation engines, ensuring internet badness is detected more reliably, and false positives on internet “goodness” are avoided.
Pushing internet badness into corners
As much as Spamhaus strives to make itself obsolete, there will always be internet abuse. It takes only a handful of facilitators with sloppy abuse prevention or malicious intent for a bulletproof hoster to be established. However, by continuously applying the above SBL listing (and, when necessary, escalation) strategy, such internet abuse tends to cluster at certain datacenters, carriers, and IP address brokers.
Closely monitoring such bulletproof hosting providers’ favored facilitators allows for swift identification of new problematic networks, and for pivoting to other, previously undetected facilitators. For example, an abuse incident cluster at a recently established ISP, involving IPv4 prefixes leased from a known bad IP address broker, may unveil another carrier that has yet to implement proper abuse prevention schemes (or is turning a blind eye towards criminal customers). Having bulletproof hosting clustered at certain facilitators also increases their attractiveness to law enforcement, a position few entities are comfortable with.
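The clustering and pivoting described above, together with the "badness density" idea from the intermediaries paragraph, as an added example that is not Spamhaus code: constructed abuse incident records are aggregated per upstream carrier and IP broker, each carrier's badness density is computed, and prefixes leased from a known-bad broker are used to surface carriers not yet on the watchlist. All ASNs, broker names, prefixes and downstream counts are constructed placeholders.

```python
"""Added example, not Spamhaus code: aggregate abuse incidents by facilitator
(carrier and IP broker), compute badness density per carrier, and pivot from a
known-bad broker to carriers not yet watched. All records are constructed."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed incidents: (prefix, origin ASN, upstream carrier ASN, IP broker, type).
# ASNs are from the private range; broker names and prefixes are placeholders.
INCIDENTS = [
    ("192.0.2.0/24",      64500, 64601, "broker-A", "botnet-c2"),
    ("192.0.2.0/24",      64500, 64601, "broker-A", "phishing"),
    ("198.51.100.0/24",   64501, 64601, "broker-A", "spam"),
    ("198.51.100.128/25", 64501, 64602, "broker-A", "malware"),
    ("203.0.113.0/24",    64502, 64603, "broker-B", "spam"),
]
# Constructed count of each carrier's downstream prefixes, used as the density denominator.
CARRIER_DOWNSTREAM = {64601: 4, 64602: 40, 64603: 200}
KNOWN_BAD_BROKERS = {"broker-A"}   # brokers already under SBL escalation (constructed)
WATCHED_CARRIERS = {64601}         # carriers already being monitored (constructed)

def badness_density(incidents, downstream):
    """Share of a carrier's downstream prefixes that appear in incidents.
    Distinct prefixes are counted, so repeat incidents on one prefix count once."""
    listed = defaultdict(set)
    for prefix, _origin, carrier, _broker, _kind in incidents:
        listed[carrier].add(ip_network(prefix))
    return {c: len(p) / downstream[c] for c, p in listed.items() if c in downstream}

def pivot_from_brokers(incidents, bad_brokers, watched):
    """Carriers not yet watched that transit prefixes leased from a known-bad broker.
    Returns {carrier ASN: [(prefix, origin ASN, broker), ...]} as pivot candidates."""
    candidates = defaultdict(list)
    for prefix, origin, carrier, broker, _kind in incidents:
        if broker in bad_brokers and carrier not in watched:
            candidates[carrier].append((prefix, origin, broker))
    return dict(candidates)

if __name__ == "__main__":
    ranked = sorted(badness_density(INCIDENTS, CARRIER_DOWNSTREAM).items(),
                    key=lambda kv: -kv[1])
    for carrier, density in ranked:
        print(f"AS{carrier}: badness density {density:.3f}")
    for carrier, evidence in pivot_from_brokers(INCIDENTS, KNOWN_BAD_BROKERS,
                                                WATCHED_CARRIERS).items():
        print(f"pivot candidate AS{carrier}: {evidence}")
```

On the constructed data the small intermediary AS64601 stands out by density, while AS64602 surfaces as a new candidate because it transits a prefix leased from the known-bad broker.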
Of course, this sparks evasion attempts. For example, Spamhaus repeatedly observed contemporary bulletproof hosters attempting to conceal the datacenter their infrastructure is hosted at, often by leveraging “remote DDoS protection” services. Spinning up shell corporations at unobtrusive jurisdictions, in particular the United Kingdom and certain US federal states, marks a departure from traditionally preferred jurisdictions such as Belize, Panama or the Seychelles. In some cases, facilitators go the extra mile of establishing decoy ISPs to keep bulletproof hosters on board, while moving their core brands out of the spotlights.
Pessimists may perceive such evasion attempts as yet another iteration in the whack-a-mole game of battling internet abuse. However, they also indicate that pressure works: Facilitators eventually realize catering to legitimate customers only earns them bigger sums and less hassle than accepting bulletproof hosters. One by one, the swamp of cybercrime enablers is drained and becomes easier to monitor – not least thanks to fellow anti-abuse scene members and regulatory changes. It is a weird, tedious, slow, never-ending endeavour – but certainly one worth spending countless hours at the keyboard for.
Want to collaborate on bulletproof hosting intelligence?
Tracking bulletproof hosting facilitators is most effective when the anti-abuse community works together. If your organisation monitors bulletproof hosting infrastructure and you'd like to share data or coordinate investigations, we'd love to hear from you.
