Under the Shadow of sunshine Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks [Alrwais SP17] Authors: Sumayah Alrwais, Xiaojing Liao, Xianghang Mi1, Peng Wang, XiaoFeng Wang, Feng Qian, Raheem Beyah and Damon McCoy Published: Security and Privacy (SP), 2017 IEEE Symposium Presented by: Ali Ashraf Date: 18/09/2017

Bullet proof hosting (BPH) Bulletproof Hosting (BPH) offer safe heaven to host different types of Cybercrime operations: Malwares Phishing illicit contents Botnet Scam Cybercriminals BPH Provider Cybercriminal Operations The clients have rights to full freedom and provided protection from any encroachment or take down efforts. Examples: BPservers, 666Hosting, etc.

BPH Services Centralized Services Agile Services Protected Autonomous Systems (ASes) e.g. cyberbunker.com, Compromised Systems (temporary access until detected with small one-time charge) Centralized BPH Services (Owner: BPH Provider) Protected Hosting OR Compromised Systems Cybercriminals Agile Services BPH offer service under multiple legitimate service provider to hide under better reputation of the provider Abused Reputable Hosting Cybercriminals BPH Services Resellers

Evade reputation based defences Better reputation of parent service provider A mix of legitimate and BPH reseller Quickly move client after detecting Blacklisting ASes? Blacklisting IPs?

Blacklisting IP Prefix Sub-Allocations ! Blacking listing IP or As? Blacklisting IP Prefix Sub-Allocations !

Solution - Finding BPH Sub-Allocations Implement a malicious Sub- Allocation Detection System Study on the Bullet proof hosting eco-system Identified 39K malicious Sub- Allocations: 3.2K ASes 260M TLD+3

Data collection Collecting data source Generating Ground Truth 25 Snapshots of full IPv4 WhoIS records Passive DNS Lookup records - 1.7 TB AS Ranking, Spam Haus, CleanMX, BL-A Generating Ground Truth Finding clean sub-allocation Finding malicious sub-allocation Purchasing from BPH service providers

Data Processing and classification 14 Key Features extraction based on WhoIS, Passive DNS and AS reputation lists Finding sub-allocations & Identifying owners & Filtering A unique feature “Domain Churn” Trained two classifiers, Support Vector Machines (SVM) & Random Forest (RF), achieved 98% recall & 1.5% false discovery Starred Features are new PDNS features, not used in previous research.

BPH Ecosystem analysis Recycling (Spanning ASes to avoid blacklisting) Top ASes ranked by their Recycling rate Domain Migration (Average lifetime of 6.7 Months) Selected TLD+3 hoping at least 10 detected sub-allocations

Bph clients 50% of the blacklisted domains are used to distribute the malware 46% of the blacklisted domains running botnet command and control servers 1.6M domain have migrated between at least two sub-allocations

Limitations & Critique Slow Detection & Reactive Approach (Extensive PDNS scanning & Detection occurred after the malicious activity) Dependant (Depends upon the accuracy of WhoIS and PDNS data) Smaller Network Block List, Spamhaus Edrop (Used for the training & validation of Machine Learning detection system)

Limitations & Critique Use machine learning approach to predict sub-allocation ranking at the time of registration (timely detection) RIRs authority should collect and verify sub-allocations owners information (accuracy) Establish a large set of network block list for training and validation of Machine Learning Detection System

Questions!