
Behaviors and Patterns of Rogue Hosting Providers 2018 [Video 39 Min]

Behaviors and Patterns of Rogue Hosting Providers

Hosting providers, while a critical enabler of online businesses globally, are also used by cybercriminals to carry out ransomware, phishing, and other attacks. For all the legitimate hosting providers in the world providing IT services to ordinary businesses, abuse of hosting providers is widespread. Legitimate-but-abused and bulletproof hosters exist in any country that is a nexus of internet hosting. This talk is therefore of particular relevance and interest to The Netherlands, which hosts the Amsterdam Internet Exchange and is home to major hosting infrastructures.

Hosters are leveraged for a variety of criminal operations. We see

    C2 servers
    Credit card dump shops
    Sites like AV check for criminals to test new programs

These activities may be set up on shared servers, hosting content alongside other legitimate businesses, or on dedicated machines that the criminals administer. The abuse is significant, despite efforts from registrars, LE, and researchers to combat the problem. The challenge is analogous to encryption: criminals abuse it, but we cannot get rid of it. How do we manage it?

Focusing threat intelligence efforts on these services and the actors that provide them is an important step to identifying and removing illegal and malicious content on the Internet. We bring together threat intelligence from the network and field to shed light on criminal hosting providers’ methods.

Our work leverages the standard cyber threat intelligence cycle, involving:

    Identifying organizational stakeholders (and their roles/responsibilities)
    Processing and exploitation
    Analysis and production

Given that the Netherlands is a major country in terms of IT infrastructure and internet transit, we wanted to focus on the Dutch hosting space and collect hosting providers’ domains and IP ranges using large-scale threat intelligence collection techniques. The Dutch fast and stable Internet connections and good services attract not only bona fide parties, but also less bona fide parties. Dutch ICT facilities have been used for distributing malware, hosting child pornography, sending phishing and spam messages, housing illegal hacker forums, and temporarily storing stolen data in drop zones at Dutch rogue hosting companies.

The challenge of addressing abused hosting providers requires a multi-layered approach, working from the tactical to the strategic level. We investigate solutions for a variety of stakeholders across these levels (government policy makers at the strategic level, law enforcement at the operational level, and technical teams that secure and defend networks at the tactical level).

From a technical perspective we use proven threat intelligence collection, analysis and correlation techniques to shed light on behaviors and patterns of bulletproof and anonymous offshore hosting.
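The correlation step described above (collecting providers’ IP ranges and attributing abuse indicators to them) can be illustrated with a small worked example. The code below is an added example, not material from the talk or from the speakers’ tooling: it attributes a constructed indicator feed (domain, resolved IP, abuse category) to constructed provider netblocks via longest-prefix matching, aggregates per provider, and flags providers whose indicator concentration merits analyst review. Provider names and netblocks are placeholders drawn from documentation ranges, not real organisations.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the talk): hosting-provider netblocks as a
# defender might assemble them from routing/WHOIS data. Names and ranges are
# placeholders using RFC 5737 documentation prefixes, not real organisations.
PROVIDER_NETBLOCKS = {
    "HostA (placeholder)": ["203.0.113.0/25", "198.51.100.0/26"],
    "HostB (placeholder)": ["203.0.113.128/25"],
    "HostC (placeholder)": ["192.0.2.0/24"],
}

# Constructed indicator feed: (domain, resolved IP, abuse category).
INDICATORS = [
    ("c2-one.example", "203.0.113.10", "c2"),
    ("c2-two.example", "203.0.113.11", "c2"),
    ("dumps.example", "203.0.113.12", "card-shop"),
    ("phish-login.example", "198.51.100.5", "phishing"),
    ("avtest.example", "203.0.113.200", "av-check"),
    ("shop.example", "192.0.2.77", "phishing"),
    ("unrouted.example", "10.9.9.9", "c2"),  # outside every known block
]


def build_index(netblocks):
    """Parse CIDR strings once; return (network, provider) pairs, most specific first."""
    index = []
    for provider, cidrs in netblocks.items():
        for cidr in cidrs:
            index.append((ipaddress.ip_network(cidr), provider))
    # Longest prefix first so overlapping blocks resolve to the most specific owner.
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def attribute(ip, index):
    """Map an IP to the provider whose netblock contains it, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for network, provider in index:
        if addr in network:
            return provider
    return None


def summarize(indicators, index):
    """Aggregate per provider: indicator count, distinct domains, abuse categories seen."""
    summary = defaultdict(lambda: {"count": 0, "domains": set(), "categories": set()})
    for domain, ip, category in indicators:
        provider = attribute(ip, index) or "unattributed"
        entry = summary[provider]
        entry["count"] += 1
        entry["domains"].add(domain)
        entry["categories"].add(category)
    return dict(summary)


def flag_concentrated(summary, min_count=3, min_categories=2):
    """Providers hosting at least min_count indicators spanning min_categories abuse
    types become review candidates. This is a concentration heuristic for triage,
    not evidence that a provider is rogue rather than merely abused."""
    flagged = []
    for provider, entry in summary.items():
        if provider == "unattributed":
            continue
        if entry["count"] >= min_count and len(entry["categories"]) >= min_categories:
            flagged.append(provider)
    return sorted(flagged)


if __name__ == "__main__":
    idx = build_index(PROVIDER_NETBLOCKS)
    report = summarize(INDICATORS, idx)
    for provider, entry in sorted(report.items()):
        print(f"{provider}: {entry['count']} indicators, "
              f"categories={sorted(entry['categories'])}")
    print("review candidates:", flag_concentrated(report))
```

In practice the netblock table would come from BGP or WHOIS data and the indicator feed from passive DNS and abuse reports; the longest-prefix sort matters because reassigned sub-allocations are exactly how a bulletproof hoster hides inside a larger, legitimate transit provider's range. Keeping an explicit "unattributed" bucket also shows how much of the feed the collection step has not yet covered.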

Dr. Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large-scale threat detection and threat intelligence and advises on R&D strategy. Dhia has a background in networks and security, has co-authored patents with OpenDNS, and holds a PhD in graph algorithms applied to Wireless Sensor Network problems. He regularly works with prospects and customers and speaks at conferences worldwide including Black Hat, Defcon, Virus Bulletin, FloCon, Kaspersky SAS, Infosecurity Europe, RSA, Usenix Enigma, NCSC One Conference, O’Reilly Security, and FIRST/OASIS Borderless Cyber and Technical Symposium.

Sarah Brown has conducted research into bulletproof hosting providers as an independent side project. She currently works as a Senior Scientist at the NATO Communications and Information (NCI) Agency in The Hague, NL, on cyber security capability development for NATO. She has a particular interest in cyber threat intelligence. Prior to NATO, Sarah worked at Fox-IT, delivering threat information to banks globally and leading the transformation of content into standardized formats such as STIX. Sarah worked for nine years at MITRE. She has spoken at RSA, FIRST, WISCS, CyCON, ACSC, and the NCSC One Conference. She holds an MA in Math from the University of Maryland, College Park.