Under the Shadow of Sunshine

Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks

Sumayah Alrwais, Xiaojing Liao, Xianghang Mi, Peng Wang, Xiaofeng Wang, Feng Qian, Raheem Beyah, Damon McCoy

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    BulletProof Hosting (BPH) services provide criminal actors with technical infrastructure that is resilient to complaints of illicit activities, which serves as a basic building block for streamlining numerous types of attacks. Anecdotal reports have highlighted an emerging trend of these BPH services reselling infrastructure from lower-end service providers (hosting ISPs, cloud hosting, and CDNs) instead of from monolithic BPH providers. This has rendered many of the prior methods of detecting BPH less effective, since instead of the infrastructure being highly concentrated within a few malicious Autonomous Systems (ASes), it is now agile and dispersed across a larger set of providers that have a mixture of benign and malicious clients. In this paper, we present the first systematic study on this new trend of BPH services. By collecting and analyzing a large amount of data (25 snapshots of the entire Whois IPv4 address space, 1.5 TB of passive DNS data, and longitudinal data from several blacklist feeds), we are able to identify a set of new features that uniquely characterize BPH on sub-allocations and that are costly to evade. Based upon these features, we train a classifier for detecting malicious sub-allocated network blocks, achieving a 98% recall and a 1.5% false discovery rate according to our evaluation. Using a conservatively trained version of our classifier, we scan the whole IPv4 address space and detect 39K malicious network blocks. This allows us to perform a large-scale study of the BPH service ecosystem, which sheds light on this underground business strategy, including patterns of network blocks being recycled and malicious clients being migrated to different network blocks, in an effort to evade IP address-based blacklisting. Our study highlights the trend of agile BPH services and points to potential methods of detecting and mitigating this emerging threat.

    Original language: English (US)
    Title of host publication: 2017 IEEE Symposium on Security and Privacy, SP 2017 - Proceedings
    Publisher: Institute of Electrical and Electronics Engineers Inc.
    Pages: 805-823
    Number of pages: 19
    ISBN (Electronic): 9781509055326
    DOI: 10.1109/SP.2017.32
    State: Published - Jun 23 2017
    Event: 2017 IEEE Symposium on Security and Privacy, SP 2017 - San Jose, United States
    Duration: May 22 2017 - May 24 2017

    Other

    Other: 2017 IEEE Symposium on Security and Privacy, SP 2017
    Country: United States
    City: San Jose
    Period: 5/22/17 - 5/24/17

    Keywords

    • BulletProof
    • Hosting
    • Malicious
    • Sub-allocations

    ASJC Scopus subject areas

    • Safety, Risk, Reliability and Quality
    • Software
    • Computer Networks and Communications

    Cite this

    Alrwais, S., Liao, X., Mi, X., Wang, P., Wang, X., Qian, F., Beyah, R., & McCoy, D. (2017). Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks. In 2017 IEEE Symposium on Security and Privacy, SP 2017 - Proceedings (pp. 805-823). [7958611] Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/SP.2017.32

