BPH providers usually operate in jurisdictions which have lenient laws against such conduct. Most non-BPH service providers prohibit transferring materials over their network that would be in violation of their terms of service and the local laws of the incorporated jurisdiction, and oftentimes any abuse reports would result in takedowns to avoid their autonomous system's IP address block being blacklisted by other providers and by Spamhaus.[5]
History
BPH first became the subject of research in 2006 when security researchers from VeriSign revealed the Russian Business Network, an internet service provider that hosted a phishing group, was responsible for about $150 million in phishing-related scams. RBN also become known for identity thefts, child pornography, and botnets.[6][7][8] The following year, McColo, the web hosting provider responsible for more than 75% of global spam was shut down and de-peered by Global Crossing and Hurricane Electric after the public disclosure by then-Washington Post reporter Brian Krebs on his Security Fix blog on that newspaper.[9][10]
Difficulties
Since any abuse reports to the BPH will be disregarded, in most cases, the whole IP block ("netblock") assigned to the BPH's autonomous system will be blacklisted by other providers and third party spam filters. Additionally, BPH also have difficulty in finding network peering points for establishing Border Gateway Protocol sessions, since routing a BPH provider's network can affect the reputation of upstream autonomous systems and transit provider.[11] This makes it difficult for BPH services to provide stable network connectivity, and in extreme cases, they can be completely de-peered;[1] therefore BPH providers evade AS's reputation based fortification such as BGP Ranking and ASwatch through unconventional methodologies.[2]
Web hosting reseller
According to a report, due to their mounting difficulties, BPH providers engage in establishing reseller relationships with lower-end hosting providers; although these providers are not complicit in supporting the illegitimate activities, they tend to be lenient on abuse reports and do not actively engage in fraud detection.[1] Therefore, BPH conceals itself behind lower-end hosting providers, leveraging their better reputation and simultaneously operating both bulletproof and legitimate resells through the sub-allocated network blocks.[12] However, if the BPH services are caught, providers of BPH migrate their clients to a newer internet infrastructure—newer lower-end AS, or IP space—effectively making the blacklisted IP addresses of the previous AS ephemeral; thus continuing to engage in criminal conduct by modifying the DNS server's resource records of the listening services and making it point to the newer IP addresses belonging to the current AS's IP space.[12] Due to privacy concerns, the customary modes of contact for BPH providers include ICQ, Skype, and XMPP (or Jabber).[13][14]
Criminal actors also run specialized computer programs on BPH providers knowns as port scanners which scan the entire IPv4 address space for open ports, services run on those open ports, and the version of their service daemons, searching for vulnerable versions for exploitation.[27] One such notable vulnerability scanned by the port scanners is Heartbleed, which affected millions of internet servers.[28] Furthermore, BPH clients also host click fraud, adware (such as DollarRevenue), and money laundering recruitment sites, which lure credulous internet users into honey traps and cause financial losses to the individuals while keeping their illicit sites online, despite court orders and takedown attempts by law enforcement.[29]
Spamhaus Don't Route Or Peer List (DROP) lists netblocks allocated by an established Regional Internet Registry (RIR) or National Internet Registry (NIR) that are used by criminal actors, and doesn't include abused IP address spaces sub-allocated netblocks of a reputable AS.[33]
Spamhaus Domain Block List (DBL) lists domain names with poor reputation in DNSBL format.[34]
Spamhaus Botnet Controller List (BCL) lists single IPv4 addresses of botnet masters.[35]
Notable closed services
The following are some of the notable defunct BPH providers:
^"Host of Internet Spam Groups Is Cut Off". The Washington Post. 12 November 2008. Archived from the original on 22 June 2020. Retrieved 4 December 2021.
^Han, Kumar & Durumic 2021, p. 5-6.
^Kerbs, Brian (13 October 2007). "Shadowy Russian Firm Seen as Conduit for Cybercrime". Washington Post. Archived from the original on 15 September 2021. Retrieved 5 January 2022.
^Warren, Peter (15 November 2007). "Hunt for Russia's Web Criminals". The Guardian. Archived from the original on 25 November 2021. Retrieved 5 January 2022.
^Stone-Gross, Brett; Kruegel, Christopher; Almeroth, Kevin; Moser, Andreas (11 December 2009). FIRE: FInding Rogue nEtworks. Annual Computer Security Applications Conference. Proceedings of the ... Annual Computer Security Applications Conference. Institute of Electrical and Electronics Engineers. p. 231. doi:10.1109/ACSAC.2009.29. ISBN 978-1-4244-5327-6. ISSN 1063-9527.
^Krebs, Brain (12 November 2008). "Host of Internet Spam Groups Is Cut Off". The Washington Post. Archived from the original on 27 May 2012. Retrieved 5 January 2022.
^Krebs, Brain. "Major Source of Online Scams and Spams Knocked Offline". Archived from the original on 30 September 2021. Retrieved 5 January 2022.
^ a bSpamhaus Research Team (19 December 2019). "Bulletproof hosting – there's a new kid in town". The Spamhaus Project. Archived from the original on 22 April 2021. Retrieved 21 December 2021.
^ a bMcCoy, Mi & Wang 2017, p. 806.
^McCoy, Mi & Wang 2017, p. 811.
^Goncharov, Max (15 July 2015). "Criminal Hideouts for Lease: Bulletproof Hosting Services" (PDF). Trend Micro. Archived (PDF) from the original on 19 July 2021. Retrieved 5 December 2021.
^Leporini 2015, p. 5.
^Clayton & Moore 2008, p. 209.
^Konte, Feamster & Jung 2008, p. 10.
^Kopp, Strehle & Hohlfeld 2021, p. 2432.
^Caesar, Ed (27 July 2020). "The Cold War Bunker That Became Home to a Dark-Web Empire". The New Yorker. Archived from the original on 29 September 2021. Retrieved 5 December 2021.
^Thomas, Elise (8 August 2019). "Inside the bulletproof hosting providers that keep the world's worst websites in business". ABC News. Archived from the original on 4 September 2021. Retrieved 5 November 2021.
^Richardson, Ronny; North, Max M. (1 January 2017). "Ransomware: Evolution, Mitigation and Prevention". International Management Review. 13 (1). Kennesaw State University: 13.
^Collier & Hutchings 2021, p. 1.
^Collier & Hutchings 2021, p. 1-2.
^Bradbury 2010, p. 17.
^Collier & Hutchings 2021, p. 2.
^Mead, Nancy R.; Hough, Eric; Stehney, Theodore R. (31 October 2005). Security Quality Requirements Engineering (SQUARE) Methodology (Report). Carnegie Mellon University. doi:10.1184/R1/6583673.v1. Archived from the original on 6 December 2021. Retrieved 6 December 2021.
^Durumeric, Zakir; Bailey, Michael; Halderman, J. Alex (August 2014). An internet-wide view of internet-wide scanning. USENIX conference on Security Symposium. USENIX. pp. 65–66. Archived from the original on 2021-12-06. Retrieved 2021-12-06.
^Heo, Hawnjo; Shin, Seungwon (May 2018). Who is knocking on the Telnet Port: A Large-Scale Empirical Study of Network Scanning. Asia Conference on Computer and Communications Security. pp. 625–626. doi:10.1145/3196494.3196537. Archived from the original on 2021-12-06. Retrieved 2021-12-06.
^Watson, David (2007). "The evolution of web application attacks". Network Security. 2007 (11): 7–12. doi:10.1016/S1353-4858(08)70039-4. ISSN 1353-4858. Archived from the original on 2019-04-10. Retrieved 2021-12-06.
^Grauer, Yael (17 January 2016). "Security News This Week: Tim Cook Demands That the White House Defend Encryption". Wired. Archived from the original on 23 April 2021. Retrieved 22 December 2021.
^"Corporate Documents: About Spamhaus". Archived from the original on 14 December 2021. Retrieved 22 December 2021.
^"The Spamhaus Don't Route Or Peer Lists". The Spamhaus Project. Archived from the original on 21 December 2021. Retrieved 22 December 2021.
^"The Domain Block List (DBL)". The Spamhaus Project. Archived from the original on 21 December 2021. Retrieved 22 December 2021.
^"Spamhaus Botnet Controller List". The Spamhaus Project. Archived from the original on 26 August 2020. Retrieved 22 December 2021.
^Krebs, Brian (28 September 2019). "German Cops Raid 'Cyberbunker 2.0', Arrest 7 in Child Porn, Dark Web Market Sting". Krebs on Security. Archived from the original on 16 May 2021. Retrieved 10 June 2021.
^"Major Source of Online Scams and Spams Knocked Offline" Archived 2021-09-30 at the Wayback Machine, The Washington Post, November 2008.
^"Security Fix - Russian Business Network: Down, But Not Out". The Washington Post. Archived from the original on 2016-09-26. Retrieved 2016-10-07.
^"Scammer-Heavy U.S. ISP Grows More Isolated" Archived 2008-09-06 at the Wayback Machine, The Washington Post, September 2009.
^"The Fallout from the 3FN Takedown" Archived 2011-08-10 at the Wayback Machine, The Washington Post, June 2009.
^"ISP shuttered for hosting 'witches' brew' of spam, child porn" Archived 2017-08-10 at the Wayback Machine, The Register, May 2010
^"Rogue ISP ordered to liquidate, pay FTC $1.08 million" Archived 2012-05-02 at the Wayback Machine, Ars Technica, May 2010.
^'Bulletproof' ISP for crimeware gangs knocked offline Archived 2017-08-10 at the Wayback Machine, , The Register, May 2010.
Bibliography
McCoy, Damon; Mi, Xianghang; Wang, Xiofeng (26 June 2017). "Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks". 2017 IEEE Symposium on Security and Privacy (SP). New York University. pp. 805–823. doi:10.1109/SP.2017.32. ISBN 978-1-5090-5533-3. S2CID 1593958.
Han, Catherine; Kumar, Deepak; Durumic, Zakir (2021). "On the Infrastructure Providers that Support Misinformation" (PDF). Stanford University. Archived (PDF) from the original on 25 August 2021. Retrieved 4 December 2021.
Konte, Maria; Feamster, Nick; Perdisci, Roberto (17 August 2015). "ASwatch: An AS Reputation System to Expose Bulletproof Hosting ASes". ACM SIGCOMM Comput. Commun. Rev. 45 (4). New York, United States: 625–638. doi:10.1145/2829988.2787494. ISSN 0146-4833.
Clayton, Richard; Moore, Tyler (22 December 2008). "The Impact of Incentives on Notice and Take-down". Managing Information Risk and the Economics of Security. Boston: Springer Publishing. pp. 199–223. doi:10.1007/978-0-387-09762-6_10. ISBN 978-0-387-09761-9.
Kopp, Daniel; Strehle, Eric; Hohlfeld, Oliver (November 2021). "CyberBunker 2.0 - A Domain and Traffic Perspective on a Bulletproof Hoster". Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery, Brandenburg University of Technology. pp. 2432–2434. arXiv:2109.06858. doi:10.1145/3460120.3485352. ISBN 9781450384544. S2CID 237503582.
Collier, Benjamin; Hutchings, Alice (15 April 2021). "Cybercrime is (often) boring: maintaining the infrastructure of cybercrime economies". The British Journal of Criminology. 61 (5). Oxford University Press. doi:10.1093/bjc/azab026. hdl:20.500.11820/68a9a01b-f7c3-4fcb-9128-66caf04a4684.
Bradbury, Danny (15 October 2010). "Digging up the hacking underground". Infosecurity. 7 (5): 14–17. doi:10.1016/S1754-4548(10)70084-X. ISSN 1754-4548.
Konte, M.; Feamster, N.; Jung, J. (January 2008). "SAC 025: SSAC Advisory on Fast Flux Hosting and DNS" (PDF). Security and Stability Advisory Committee (SSAC) (1). Internet Corporation for Assigned Names and Numbers. Archived (PDF) from the original on 22 November 2021. Retrieved 12 December 2021.