There is a lot of amazing content online, but there’s a lot of awful stuff too.
Mainstream media often tells you that the really awful stuff is hiding, just a single click away. While finding this kind of content isn’t quite that easy, it is out there. Out of sight… but not entirely out of mind.
Nefarious content like this uses a “special” type of secure server, known as bulletproof hosting. But why doesn’t the government just take down these servers? And how do the hosts get away with hosting such horrifying content?
What Is Hosting?
Before understanding what bulletproof hosting is, consider regular hosting.
A regular web hosting service controls a huge amount of servers. Users, like you and me, pay to host our content on their servers. Similarly, businesses, charities, banks, social media platforms, and everything else in-between host their content on servers.
The vast majority of hosting services have very strict rules regarding the content uploaded to their servers.
What Is Bulletproof Hosting?
Bulletproof hosting services are more liberal with the content they allow on their servers. Furthermore, bulletproof hosting services are usually found in countries with more relaxed approaches to law enforcement, data and computing laws, bribery, and extradition, making it easy to operate without interruption.
These hosts have “don’t ask, don’t tell” relationships with their clientele, reasoning that they are merely providing a service. What happens on their servers is the client’s business—and theirs alone.
Where Are Bulletproof Hosting Services Located?
Bulletproof hosting services are found all over the world. There is no single ledger listing every bulletproof hosting nation of residence.
The common consensus is, however, that the majority of services reside in China, Russia, the former-Soviet states (such as Belarus, Ukraine, and Moldova), and a handful of other European, Asian, South American, and North African countries (so, almost everywhere).
Moreover, many bulletproof hosting services register in locations with equally relaxed tax laws, such as the Seychelles and the Cayman Islands.
That’s not to say the US and Europe do not play host to bulletproof hosting services. Before its timely destruction, McColo was one of the largest bulletproof hosting services on the planet and based in San Jose, California (we’ll look at McColo in a little more detail in a moment).
San Jose was also host to the similarly insidious 3FN, hosting a “witches brew” of child pornography, malware, and spam email servers. On the other hand, WikiLeaks regularly moves its servers between a number of secure services situated in Europe and Russia (this due to both security and DDoS protection).
It isn’t all that simple, though. These are highly organized cybercrime services. As such, some places are better suited to hosting certain content.
Let’s say you contact a bulletproof hosting service asking to host your newly written malware. You say you want to host your malware in the Netherlands (due to high connectivity and location services). The service provider might respond that you’d be better off in Ukraine (due to local laws and the difficulty of physically taking servers down).
Clearly, bulletproof hosting service providers have a vested interest in securing new business and will work to ensure the most secure, the fastest, and the best connectivity for their customers.
Taking Down Bulletproof Hosting
The main goal of a bulletproof hosting service is remaining online and remaining secure. Keeping their clientele’s credentials and data intact if law enforcement comes calling. Dhia Mahjoub, a principal engineer at OpenDNS Research, explains more about the processes in his talk at USENIX Enigma 2017:
“Cross-jurisdictional issues are a big challenge. Hosters have very little incentive to change anything. If they take content down, that affects their business,” Mahjoub said. “The vicious thing about these guys is that they spread all across the web and stay under certain thresholds so we won’t notice them. Having friends at a certain ISP or hosting company is very useful.”
Bulletproof hosting takedowns aren’t that common, but it does happen. McColo is one of the most well-known service takedowns in recent times (although nearly 10 years ago now). McColo Corp. was a focal point for scammers, malware purveyors, carders, botnet command and control servers, and much worse.
“At a time when law-enforcement agencies worldwide were just waking up to the financial and organizational threats from organized cybercrime, McColo Corp. had earned a reputation as a ground zero for it: a place where cybercrooks could reliably set up shop with little worry that their online investments and schemes would be discovered or jeopardized by foreign law-enforcement investigators.”
In his book, Spam Nation, Brian Krebs details the horrific demise of Nikolai McColo in a street race in central Moscow. McColo, then 23, had built his burgeoning bulletproof hosting service from the ground up from the age of 19.
But despite McColo’s leader and namesake passing it wasn’t until a year later, in 2008, when Krebs’ Washington Post exposé (really worth the read, by the way) on the astonishing level of malicious activity at McColo finally forced the wider internet’s hand, pulling the plug on all connections to McColo IP ranges.
Overnight, global spam traffic saw a 50 to 75 percent reduction. Millions of zombie computers were instantly cut off from their control servers. The Mega-D, Pushdo, Rustock, Warezov, and Srizbi botnets took hard hits (Srizbi was capable of sending an estimated 60 billion spam emails a day, over half the global total of 100 billion).
And spam purveyors, along with other nefarious individuals and organizations, lost huge portions of their infrastructure. Some prolific spammers actually lost their entire spam email lists, hosting them on McColo’s servers.
Bulletproof Hosting Takedowns Aren’t Easy
Formulating the takedown of a bulletproof hosting service isn’t easy. McColo only met its demise after a long investigation by Brian Krebs in conjunction with other security researchers and law enforcement agencies. If it were easy, the government would simply pop a takedown notice in the fax machine and send it to the host nation.
It requires a concerted effort between numerous parties to stick. And even then, if the host nation turns a blind eye, it is all for nothing. Dhia Mahjoub’s USENIX talk also details the complexity of attempting to shut down bulletproof hosting services on foreign soil.
Sometimes law enforcement agencies cannot even shut down local bulletproof hosting services because of complicated registration structures and mirroring services in other nations.
The protectionist nature of the bulletproof hosting services usually prolongs the process too. Services have mitigation strategies. Service owners know how long they can hold out before acquiescing to formal takedown requests.
And even then, they can give customers a few days to move their operations to another bulletproof service provider.
Legitimate Companies Host Bad Things Too
It would be naive of us to look at only bulletproof hosting services as the sole source of the dark underbelly of the internet.
According to Webroot’s Quarterly Threat Trends for September 2017 [PDF], “an average of 1.385 million unique phishing sites are created each month, with an astonishing high of 2.3 million in May of 2017.”
The difference between GoDaddy (& companies like that) & most of bulletproof hosting companies is that one lies about what they're doing, the other is not.
Which is worse then?
Oh, & IP ranges of the latter can be blacklisted (and they usually are), while former's aren't.
— MalwareHunterTeam (@malwrhunterteam) February 6, 2018
Not all of these sites use bulletproof hosting services. Major regular hosting services like GoDaddy, 1and1 Web Hosting, HostGator, and Digital Ocean regularly host phishing sites before they go offline. Given GoDaddy has tens of millions of registered domains, it is entirely feasible that some slip through the net.
However, there are some slightly worrying signs. The InfoSec Guy blog illustrates several malicious phishing sites left online even after alerting GoDaddy. Similarly, there are tutorials available online detailing how to set up automated phishing emails using a Digital Ocean VPS (among others).
Bulletproof Takedowns Aren’t Usually the End
Bulletproof hosting services take their name from the idea of being indestructible. Only a concerted effort will truly takedown a service. And as we have seen, it is a relatively simple process to switch host when the authorities come calling.
Unfortunately, shutting down bulletproof hosting services doesn’t usually spell the end of the operators or the customers unless the servers are physically seized or compromised.
The infamous Russian Business Network (RBN) was thought to have long ceased operations but is operating the same scams, botnets, and other malicious content along the borders of eastern Ukraine and Moldova.
There is some legitimate hosting taking place too. Some customers with extremely sensitive data use bulletproof hosting services to ensure government agencies and business adversaries cannot compromise them.
However, while their data has protection, it could also easily disappear; they could come under investigation just for using a bulletproof hosting service filled with other malicious data.
Using a bulletproof hosting service isn’t inherently illegal. But if you’re just looking to start a new blog or host your online storefront, we suggest using regular hosting. We have comprehensive lists of free and easy hosting services, cheap hosting services, as well as why your first website shouldn’t use free hosting.