Bulletproof Hosting: The Path Forward

Thursday, September 02, 2010

Nathaniel Markowitz


This is the ninth and final part in a series of articles derived from a graduate research project entitled "A Preliminary Survey of the Bulletproof Hosting Landscape" (Part 1) (Part 2) (Part 3) (Part 4) (Part 5) (Part 6) (Part 7) (Part 8)

Authors: Nathaniel Markowitz, Jonathan Brown, Amanda Cummins, Erin Greathouse, Christopher Kanezo, David McIntire, Thomas Saly, Toby Taylor, Louis Ulrich, Desiree Williams

While the research presented here answers some questions about BPHs, it raises many more. Although various registrars and ISPs have been identified that are in some way correlated with malicious behavior, there is little understanding of why that correlation exists.

More research needs to be done to identify the policies of these companies that facilitate criminal behavior.

For example, is there a relationship between automated domain registration and malicious behavior? It is also important to determine whether there are tangible links between the companies that are repeatedly involved in cyber-criminal activity.

Another interesting area for investigation is exploring the patterns of abuse for both IPs and NSs. This paper has identified several such patterns, but it is likely there are many more. It may be worthwhile to shift attention from particular incidents of abuse toward the general methods of abuse.

Specifically, how strong is the correlation between IPs hosting a very large number of domains and criminal activity? Is there a deeper relationship among the handful of ISPs that many bad domains circulate through?

Also, how widespread is the use of the NS naming conventions identified earlier in this series? Are there additional naming conventions not identified in this paper? Finally, how can this degree of predictability be exploited by the Internet security community?
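The two measurements these questions call for (how many domains each IP or name server serves, and whether name-server hostnames fall into repeated naming patterns) can be illustrated with a small script. The following is an added example, not code from the research project; the records are constructed placeholders in RFC 5737 documentation address ranges, and the digit-collapsing pattern rule is an assumed generic heuristic, not one of the specific conventions the series identified.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records of (domain, hosting IP, authoritative name server).
# IPs are from documentation ranges (RFC 5737); the names are placeholders,
# not observations from the paper's dataset.
SAMPLE_RECORDS = [
    ("deal-shop1.example", "192.0.2.10", "ns1.host-a.example"),
    ("deal-shop2.example", "192.0.2.10", "ns1.host-a.example"),
    ("deal-shop3.example", "192.0.2.10", "ns1.host-a.example"),
    ("pharma-best4.example", "192.0.2.10", "ns2.host-a.example"),
    ("pharma-best5.example", "192.0.2.10", "ns2.host-a.example"),
    ("loan-fast6.example", "192.0.2.10", "ns1.host-a.example"),
    ("news-site.example", "192.0.2.20", "ns1.host-b.example"),
    ("blog-site.example", "198.51.100.5", "ns1.host-b.example"),
]


def domains_per(records, field):
    """Map each IP ("ip") or name server ("ns") to the set of domains it serves."""
    idx = {"ip": 1, "ns": 2}[field]
    groups = defaultdict(set)
    for rec in records:
        groups[rec[idx]].add(rec[0])
    return groups


def concentrated(records, field, threshold):
    """Return [(key, domain_count)] for IPs or name servers serving at least
    `threshold` distinct domains, largest first (ties broken by key)."""
    groups = domains_per(records, field)
    hits = [(k, len(v)) for k, v in groups.items() if len(v) >= threshold]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


def ns_pattern(hostname):
    """Assumed heuristic: collapse every digit run to '#' so that
    ns1.host-a.example and ns2.host-a.example share one pattern."""
    return re.sub(r"\d+", "#", hostname.lower())


def ns_patterns(records):
    """Count how many distinct name servers fall under each collapsed pattern;
    a pattern covering many servers is a candidate naming convention."""
    distinct = {rec[2] for rec in records}
    return Counter(ns_pattern(ns) for ns in distinct)


if __name__ == "__main__":
    for ip, n in concentrated(SAMPLE_RECORDS, "ip", 3):
        print(f"IP {ip} hosts {n} sample domains")
    for pat, n in ns_patterns(SAMPLE_RECORDS).most_common():
        print(f"pattern {pat}: {n} name servers")
```

On real data the threshold in `concentrated` needs calibrating against benign shared hosting, which also puts many domains on one IP; the ranking is a triage aid, not a verdict.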

Less emphasized by the research community, but critically important, is the significance of the communications infrastructure of BP hosting.

For one thing, what are the abuse standards of the major providers of communications services, such as email and instant messaging?

If their thresholds for shutting down abused services were clearly known, law enforcement and the open source community would have a valuable tool for attacking BPHs. Also, is there a straightforward way of identifying and shutting down criminal forums?

Finally, what would be necessary to disrupt the financing of BP hosting? As has been noted already, WebMoney is the most common form of payment. What can be done to encourage them to cooperate more (as happened with PayPal)? What, if any, are their abuse policies, and how can they be used to attack this critical component of BP hosting?

This paper attempts to illuminate the larger context of BP hosting. It presents a theoretical model for understanding the landscape of BP hosting as well as empirical findings based on that model.

To date, much of the emphasis of law enforcement and the open source community has been on identifying and shutting down particular criminal actors. More focus needs to be placed on the general patterns of BPH behavior. In effect, this represents a shift from attacking the heads of the hydra to attacking the body.

For more information: bphresearchgroup@gmail.com


We would like to thank the University of Pittsburgh, Graduate School of Public and International Affairs for providing the resources to make this research project possible. We would also like to thank Palantir Technologies for allowing us to use their software in our analysis. Finally, a very special thanks goes to Matt Ziemniak and Jim Beiber for their patience, help and guidance and for creating a research environment that was both enriching and enjoyable.

Nathaniel Markowitz:

First of all, I would like to thank everyone for their very positive feedback on this project. I would also like to extend a very sincere thank you to Anthony Freed. As a result of posting this research on infosecisland, I was invited to present the research at a conference in Hamburg, Germany, which I will be attending the first week of October.