Bullet Proof Hosting: A Theoretical Model

Tuesday, June 29, 2010

Nathaniel Markowitz


This is the first in a series of articles derived from a graduate research project entitled "A Preliminary Survey of the Bulletproof Hosting Landscape."

Authors: Nathaniel Markowitz, Jonathan Brown, Amanda Cummins, Erin Greathouse, Christopher Kanezo, David McIntire, Thomas Saly, Toby Taylor, Louis Ulrich, Desiree Williams


Bulletproof (BP) hosting is an increasingly important and under-researched component of cyber-criminal activities. While there are several different ways that BP hosting can be accomplished, it is generally understood as a service that promises customers that their websites will not be taken down, regardless of complaints or content.

This is particularly appealing to criminals who, facing rising scrutiny from law enforcement and private researchers, are forced to rely on ever more sophisticated methods to carry out their illicit enterprises.

While efforts to identify and shut down BPHs are important, little attention has been given to understanding precisely how they operate in the dynamic environment of cyber-criminal activity. This paper provides a preliminary survey of the landscape of BP hosting.

As such, it comprises four sections: The first section describes a general model of BP hosting. The second section provides an analysis of open source research into bulletproof hosts (BPHs). The third section provides a Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis of BP hosting. The fourth section concludes by identifying future areas of research, based on the preliminary survey presented here. Supplemental information is provided in appendices.

Theoretical Model for Bulletproof Hosting: Introduction

The purpose of the BP hosting model is to capture the important components for successfully operating a BPH. The idea is that, without any of the components enumerated below, a BPH will not be able to function effectively. Equally important, if all of these components are present, a successful BPH enterprise is possible.

There are five components that make up the model. First, a BPH must have access to server space. This represents the actual computers that serve as the physical infrastructure for their operations. The second component of the BP hosting model is the ability to acquire domains.

The third component of the model is access to the Domain Name System (DNS). Specifically, BPHs require name servers (NSs) to resolve domain names to Internet Protocol (IP) addresses.

The fourth component of the BP hosting model is a means of communicating with potential clients. Given the criminal activities associated with BP hosting, they must have a space to advertise and communicate in which they feel relatively safe.

The fifth component of the model is the need for reliable financial services that allow them to preserve their anonymity. This is particularly important, given the potential difficulties in dealing with many traditional banks.

Mapping the Bulletproof Hosting Landscape

To date, a great deal of emphasis has been placed on identifying and shutting down BPHs. Less energy has been spent, however, trying to understand how they operate. This section provides an examination of behavior trends, potential indicators of malicious activity and patterns of abuse that are guided by the model presented above.

Registrars’ Role in Bulletproof Hosting

After investigating approximately three hundred domains registered by several different companies, notable trends emerged. The data suggests a tentative classification of minimally abused, moderately abused, and heavily abused—though further research would be required to definitively determine intentionally criminal behavior.

The indicators for this determination are the content of blacklisted domains, the percentage of total registered domains that are blacklisted, and the total number of registered domains that are blacklisted.

The first category—minimally abused—exhibited a distinctly different pattern of behavior from the categories described below. While there were times when minimally abused companies registered a large number of blacklisted domains, several factors differentiate them from the other classes of registrars.

First, most of the blacklisted domains were not overtly malicious. Many were suspicious domains, largely participating in what seemed to be opt-out schemes.

Others involved marketing companies (for example, there were several search engine optimization (SEO) schemes), but there was no immediate way to determine whether these domains were participating in illegal activity. Still others had no content or were under construction.

Additionally, the average percentage of blacklisted domains for this category was 23 per cent of total domains registered.

This represented an average of 94 blacklisted domains out of 408 total domains registered. These numbers were significantly lower than for the two categories below. Further, these registrars were rather evenly distributed geographically.

The second category—moderately abused—followed a dramatically different pattern of behavior. For one thing, much of the content on the domains they registered was overtly malicious—in particular, Canadian Pharmacy, replica domains and other well known spam scams.

However, they generally had a lower total number of blacklisted domains than the minimally abused class (on average, 46 out of a total of 70), although a much higher percentage of the domains they registered were blacklisted (on average, 66 per cent).

Most of the registrars in this category are located in China. Additionally, many of the registrars in this category and the next have also been involved in World Intellectual Property Organization (WIPO) litigation.

The third class—heavily abused—exhibited yet another pattern of behavior. For one thing, as in the above case, the content was overtly malicious (also including Canadian Pharmacy and other popular scam domains). Moreover, these registrars consistently had a high percentage of blacklisted domains, with an average of 83 per cent.

The average number of blacklisted domains was 368, out of a total of 445. One company, for example, registered approximately 1200 domains over the course of five days. Of the fifty most recent ones registered (at the time of collection), all shared identical content.

A random sample of the rest of the domains on the list indicated that this pattern held for all of them. This trend persisted over time for several registrars. China and Russia saw the highest concentration of this type of registrar.
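
The three indicators described above, computed over one registrar's domain list, as an added example that is not part of the original research. The content labels, the sample records and the decision rule (content first, then the nearest reported average percentage) are assumptions of this example; only the 66 and 83 per cent averages come from the article.

```python
import hashlib
from collections import Counter

# Average blacklisted percentages the article reports for the two classes
# whose blacklisted content was overtly malicious.
AVG_PCT = {"moderately abused": 66.0, "heavily abused": 83.0}
# Content labels an analyst might assign (constructed for this example).
OVERT = {"pharmacy", "replica", "spam-scam"}

def indicators(records, blacklist):
    """records: (domain, content_label, page_body) tuples for one registrar."""
    listed = [r for r in records if r[0] in blacklist]
    overt = sum(1 for r in listed if r[1] in OVERT)
    # Fingerprint page bodies to see how many domains serve identical content.
    prints = Counter(hashlib.sha256(r[2].encode()).hexdigest() for r in records)
    n = len(records)
    return {
        "blacklisted": len(listed),
        "pct_blacklisted": 100.0 * len(listed) / n if n else 0.0,
        "overt_share": overt / len(listed) if listed else 0.0,
        "identical_share": max(prints.values()) / n if n else 0.0,
    }

def classify(ind):
    """Tentative class; this decision rule is an assumption of the example."""
    # Minimally abused: most blacklisted domains were not overtly malicious.
    if ind["overt_share"] <= 0.5:
        return "minimally abused"
    # Otherwise pick the class whose reported average percentage is nearest.
    return min(AVG_PCT, key=lambda c: abs(AVG_PCT[c] - ind["pct_blacklisted"]))

def make(prefix, total, listed, label, same_body=False):
    """Build constructed sample data: records plus the blacklisted subset."""
    recs = [(f"{prefix}{i}.example", label if i < listed else "none",
             "same page" if same_body else f"page {i}") for i in range(total)]
    return recs, {r[0] for r in recs[:listed]}

SAMPLES = {  # constructed registrars, not data from the study
    "registrar-a": make("a", 10, 2, "seo"),
    "registrar-b": make("b", 10, 7, "pharmacy"),
    "registrar-c": make("c", 10, 9, "replica", same_body=True),
}

def run():
    return {k: classify(indicators(*v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, tier in run().items():
        print(name, tier)
```

`identical_share` is reported alongside the class rather than fed into the rule; it corresponds to the identical-content observation made for the heavily abused registrar.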

For more information: bphresearchgroup@gmail.com

Part Two: Patterns of Use and Abuse with IP Addresses


We would like to thank the University of Pittsburgh, Graduate School of Public and International Affairs for providing the resources to make this research project possible. We would also like to thank Palantir Technologies for allowing us to use their software in our analysis. Finally, a very special thanks goes to Matt Ziemniak and Jim Beiber for their patience, help and guidance and for creating a research environment that was both enriching and enjoyable.
