Volatile networks as a source of Denial of Service


– How to use expendable IP networks to conduct DDoS attacks

Denial of service attacks and web scraping services share a common requirement: access to a large number of IP addresses in order to bypass detection. When IP addresses are known to conduct malicious activities, providers include them in their filters to build their firewall defenses and block them.

Access to new and clean IP addresses is key to avoiding detection, since detection is largely based on historical threat intelligence data, also known as “IP reputation”.

This report shows how Qurium discovered dozens of these “clean networks” and how they were used to launch DDoS attacks against Nacionale (Kosovo), Somali Journalist Syndicate (Somalia) and Turkmen News (Turkmenistan) during August 2023.

But most importantly, this report shows how very little is done to stop this form of abuse and hundreds of volatile networks are traded without proper abuse remediation.


IPXO – the common denominator

Qurium’s report RayoByte infrastructure enabling DDoS attacks revealed that a large part of the attack traffic originated from Sprious LLC, and the report Infrastructure of VPN providers is used to launch DDoS attacks fingerprinted other parts of the attack to VPN providers. This report focuses on the remaining part of the attack traffic.

During the investigation Qurium studied the most active network prefixes, with special focus on their upstream providers.

When looking into the /24 network prefixes (a /24 network implies 254 usable IP addresses) using common geolocation databases such as MaxMind, they all seemed to originate from different ASNs. However, when analyzing their upstream providers we found out that they had a common location: AS19437 Secured Servers / PhoenixNAP.

All those prefixes that seemed to originate from different autonomous systems (AS) were in fact announced from one single data center in Ashburn, Virginia.

The dozens of network prefixes that participated in the attack did not just have in common that they were routed by SECURED SERVERS LLC (dba PhoenixNAP, CCbill) from a single physical location, but also that they were leased from one single entity, namely IPXO. We had found the common denominator.

Understanding the traffic floods – moving prefixes

To understand the nature of the denial of service traffic originating from these prefixes associated with PhoenixNAP and IPXO, it was key to understand their “online volatility”. These prefixes move between different upstream providers and are only active for a few months at a time.

The next two examples show how the prefixes 104.234.213.0/24 and 50.114.83.0/24 changed upstream providers constantly before finally landing at AS19437, PhoenixNAP.

The prefix 104.234.213.0/24 has moved between nine autonomous systems (AS) within 18 months.
The prefix 50.114.83.0/24 has moved between nine autonomous systems (AS) over the past three years.

We looked into the historical BGP announcement data of each of the 32 prefixes identified in the attack, and they all exhibit a similar pattern: each prefix is announced by a few upstream providers during brief periods of time. The networks are constantly on the move and leased out for a few weeks or months at a time.
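The “online volatility” described above can be scored mechanically from a prefix’s origin history. The following is an added example, not Qurium’s tooling: the records are a constructed stand-in for what a BGP history service would return, the ASNs 64501–64510 are private-use placeholders, and only AS19437 (PhoenixNAP) and the prefix 104.234.213.0/24 come from the report.

```python
"""Score the routing volatility of a prefix from its BGP origin history.

Added example, not Qurium's tooling. The records are a constructed stand-in
for what a BGP history service would return; ASNs 64501-64510 are private-use
placeholders, AS19437 is the PhoenixNAP ASN named in the report.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

# (prefix, origin ASN, first seen, last seen) -- constructed sample records
HISTORY = [
    ("104.234.213.0/24", 64501, date(2022, 2, 1), date(2022, 4, 15)),
    ("104.234.213.0/24", 64502, date(2022, 4, 20), date(2022, 7, 30)),
    ("104.234.213.0/24", 64503, date(2022, 8, 5), date(2022, 11, 1)),
    ("104.234.213.0/24", 64504, date(2022, 11, 10), date(2023, 2, 1)),
    ("104.234.213.0/24", 19437, date(2023, 4, 14), date(2023, 8, 31)),
    # a stable prefix for comparison: one origin for years
    ("203.0.113.0/24", 64510, date(2019, 1, 1), date(2023, 8, 31)),
]

@dataclass
class Volatility:
    prefix: str
    origins: int               # distinct origin ASNs over the history
    median_tenure_days: float  # typical stay at one origin
    current_origin: int        # origin of the most recent announcement

def assess(prefix: str, history=HISTORY) -> Optional[Volatility]:
    """Summarise how often a prefix changes origin and how long it stays."""
    recs = sorted((r for r in history if r[0] == prefix), key=lambda r: r[2])
    if not recs:
        return None  # never seen in the routing table
    tenures = [(last - first).days for _, _, first, last in recs]
    return Volatility(prefix, len({r[1] for r in recs}), median(tenures), recs[-1][1])

def is_volatile(v: Volatility, min_origins: int = 3, max_tenure: int = 180) -> bool:
    """Many origins and short stays: reputation built on the prefix's past
    says little about who is using it now."""
    return v.origins >= min_origins and v.median_tenure_days <= max_tenure

if __name__ == "__main__":
    for p in ("104.234.213.0/24", "203.0.113.0/24"):
        v = assess(p)
        print(f"{p}: {v.origins} origins, median stay {v.median_tenure_days} days,",
              "volatile" if is_volatile(v) else "stable")
```

A prefix flagged this way is a weak anchor for reputation-based blocking, which is exactly why it is attractive to an attacker and worth a lower trust score on the receiving side.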

So what is going on? Let us put all pieces of the puzzle together.

  1. 32 prefixes are used to launch denial of service attacks against several media sites that we host.
  2. The network prefixes flood the victims using more than 75% of the IPs available in the /24 networks. Hence, the networks seem to be fully dedicated to conducting DDoS attacks.
  3. The network prefixes do not host any publicly visible services (only the SSH port is exposed to the public).
  4. All the prefixes seem to originate from different entities but share a common data center.
  5. IPXO acts as a broker for all these leased networks.
  6. Whois data does not provide details of who runs these networks and the abuse contact is IPXO.
  7. During the attack, PhoenixNAP announced the prefixes using their AS19437 from one data center in Ashburn, Virginia.
  8. The history of the prefixes shows that they are very volatile in the routing table and that upstream providers change after a few months.
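Point 2 above, the share of a /24 that takes part in the flood, is a simple per-network measurement on the source addresses of the attack. The following is an added example and not part of the report; the source addresses are constructed, with 198.51.100.0/24 (TEST-NET-2) standing in for a dedicated attack prefix and 192.0.2.0/24 (TEST-NET-1) for a network with a few ordinary visitors.

```python
"""Flag /24 networks where most addresses take part in a flood.

Added example, not part of the report. The source addresses are constructed:
198.51.100.0/24 (TEST-NET-2) stands in for a dedicated attack prefix and
192.0.2.0/24 (TEST-NET-1) for a network with a few ordinary visitors.
"""
from collections import defaultdict
from ipaddress import IPv4Network, ip_address, ip_network

# Distinct source IPs as a log parser would yield them: 200 hosts from one
# /24, three from another (constructed; repeated hits are harmless).
SOURCES = [f"198.51.100.{h}" for h in range(1, 201)] + [
    "192.0.2.10", "192.0.2.77", "192.0.2.200",
]

USABLE_HOSTS = 254  # a /24 minus network and broadcast address

def saturation_by_slash24(sources) -> dict[IPv4Network, float]:
    """Map each /24 to the share of its usable hosts seen among the sources."""
    hosts = defaultdict(set)
    for s in sources:
        addr = ip_address(s)
        if addr.version != 4:
            continue  # the /24 heuristic only makes sense for IPv4
        hosts[ip_network(f"{addr}/24", strict=False)].add(addr)
    return {net: len(seen) / USABLE_HOSTS for net, seen in hosts.items()}

def dedicated_networks(sources, threshold: float = 0.75) -> list[str]:
    """/24s where more than `threshold` of the usable addresses took part.
    Ordinary traffic rarely covers most of a /24; a near-complete sweep
    suggests the whole block was provisioned for the flood."""
    return sorted(str(n) for n, f in saturation_by_slash24(sources).items() if f > threshold)

if __name__ == "__main__":
    for net, frac in sorted(saturation_by_slash24(SOURCES).items()):
        print(f"{net}: {frac:.0%} of usable hosts seen")
    print("dedicated:", dedicated_networks(SOURCES))
```

Blocking at the /24 granularity is defensible once saturation is this high, whereas the same rule applied to a shared network with three noisy hosts would cause collateral damage.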

The “Bring Your Own IP” (BYOIP) DDOS engine

To illustrate what we mean by “volatility of network prefixes”, let us take another look at the prefix 191.96.32.0/24, which during the last year attacked several of our hosted organizations. We have observed 192 IP addresses of this network flooding several of our sites.

A visual representation of how the prefix changed upstream provider can be seen in the graph below.

The attacks from this prefix alone started on 2023-06-29 and remained active until 2023-08-23 (two months), shortly after the prefix was first announced by AS19437, belonging to PhoenixNAP.

Checking the WHOIS record updated by IPXO shows this bogus information:

organisation: ORG-AL972-RIPE
org-name: Private Customer
org-type: OTHER
remarks: End User Organization
address: Private Residence
country: US
abuse-c: AL19543-RIPE
mnt-ref: IPXO-MNT
mnt-by: IPXO-MNT
created: 2023-06-01T11:16:29Z
last-modified: 2023-06-16T10:35:30Z
source: RIPE # Filtered

In a nutshell, we have found a model where an attacker can obtain expendable IPs from IPXO and announce them from PhoenixNAP to conduct denial of service or other forms of attacks.

Networks can be returned when the “IPs are blocked on a specific website”

Welcome to the world of expendable and unaccountable IP space!

Abuse handling – or the lack of such

Once we understood that the IP addresses involved in the attack had been leased by IPXO and announced from a PhoenixNAP data center, we reached out to the involved parties to report the case.

Webpage of IPXO’s partners

At the end of August and in early September 2023, Qurium mailed IPXO, PhoenixNAP and all the abuse contacts that we could find associated with the 32 network prefixes involved in the attacks.

1. PhoenixNAP

After one week and three email attempts we finally got a response from PhoenixNAP. Their response was:

"we have forwarded your complaint to the costumer"

After several emails exchanged with PhoenixNAP, requesting an action to stop their customer conducting DDoS, their responses were:

"All these prefixes are not owned by PhoenixNAP, just announced by us so that would be the reason of inconsistent Whois information as the subnet owner"

"While PhoenixNAP/Secured Servers provide various types of hosting services, in this specific case this is correct, Client's servers are hosted on BMC machines in ASH."

"As it has been mentioned in previous email, if these attacks are continued, we will take all necessary measures to stop them."

"Client responsible for those subnets replied to our complaint on September 1st, stating that all of this has been caused by misconfiguration from one of his customers"

2. IPXO

On the 2nd and 7th of September 2023, we reached out to IPXO by email explaining the attacks and the misleading WHOIS information. On the evening of the 7th of September we received the first response from “Jonas B” (Jonas Bitkevičius?) at IPXO.

We appreciate the report and we are reaching out to the customer to have them investigate the incident.

Meanwhile, we also tried to activate our account in the IPXO Customer Support portal, without luck.

On September 8th, IPXO responded to our mails and stated that the problem was a misconfiguration in the client’s web-scraping services. When asked about the wrong WHOIS data, IPXO indicated that they have problems updating the information, as their tools for this task are under development.

The client in question is providing web-scraping services and we have a suspicion that their scraper could be faulty and that may have caused a false positive of "malicious activity" that you are noticing but we have yet to confirm this with the client themselves.
Regarding WHOIS, currently are unable to pro-actively update the prefix records as our WHOIS updating tools are in development and will be deployed as soon as they are ready, meanwhile our information is provided instead, updating each entry manually could potentially cause more mess and we would like to avoid that.

A visual illustration of the “mis-configuration” of a scraping service.

Although IPXO is fully aware that DDoS attacks have been conducted from the networks they leased out, the networks remain without any information about their customer and the leasing service has not been terminated.

The DDoS recipe

As a result of our forensic investigation, this is how we believe that the DDoS service inside PhoenixNAP is functioning.

  1. The attacker obtains 32 “/24” networks from IPXO using a “Ghost company”
  2. IPXO provides the attacker with a “Letter of Authorization” so the prefixes can be announced elsewhere
  3. IPXO takes care of “non updating” the WHOIS database so that the real details of the attacker remain unknown.
  4. The network prefixes are brought to PhoenixNAP (a partner of IPXO) to their Bare Metal Cloud Product (BMC)
  5. The network prefixes are announced in the middle of April 2023 from PhoenixNAP datacenter in Ashburn.
  6. Four dedicated machines were configured in the BMC, each announcing eight prefixes.
  7. Each of the BMC machines has a total of 2048 IP addresses available to conduct denial of service attacks.
  8. The attacker uses this setup in combination with Rayobyte Proxies and VPNs to build a larger DDoS infrastructure.

The following summary shows the networks allocated to each of the four BMC machines and the first time that the prefixes were announced from PhoenixNAP.

After a few more interactions with PhoenixNAP, in which Qurium explained in detail how we reached the conclusion that the attacker has its servers hosted in their Bare Metal Cloud (BMC) infrastructure, they finally acknowledged that one single customer operated these prefixes on their premises.

Although PhoenixNAP is fully aware that DDoS attacks have been conducted from their infrastructure, the customer account has not been terminated and no further action has been taken.

The company behind the prefixes

Although the 32 network prefixes did not carry any reference to the “customer” operating them, routing information from Level3, which provides connectivity to PhoenixNAP, gave us a hint of who might be operating the setup.

The information we found suggests that the prefixes were transferred to IPXO on 14 April 2023 and that routing objects in Level3 were created by PhoenixNAP on 27 April in the name of “AliatData”.

Each of the network prefixes has a route object that looks like:

route 91.246.59.0/24
descr AliatData
origin AS19437
mnt-by PHOENIXNAP-MNT
changed zorans@phoenixnap.com 20230428
source LEVEL3

The company has a simple website, registered on 22 February 2023, with a contact address at a “UPS Store” in Las Vegas.

Aliat LLC, 3315 E. Russell Rd. Ste A-4 #334, Las Vegas, NV 89120 USA.

When looking at the company information of Aliat LLC, we found a company registered in Wyoming in August 2022 through an “agent firm” with no visible owners.

Conclusion

Our investigation shows how a ghost-company “Aliat LLC” registered in Sheridan, Wyoming was able to obtain network resources that were weaponized to conduct denial of service attacks.

The network resources were leased from IPXO in April 2023 and are still announced from a PhoenixNAP datacenter in Ashburn, USA.

At the time of this writing, neither IPXO nor PhoenixNAP has taken any action against their customer.

Appendix

To enable further research we provide the list of prefixes associated with IPXO and the DDoS attacks as well as their latest upstream announcements.

Network prefixes advertised by PhoenixNAP involved in the denial of service attack. These “Clean Prefixes” had very little history of malicious activity.


ASN used to park and lease prefixes

210277 IPXO IPXO LIMITED, GB
61317 ASDETUK Hivelocity Inc, US
61440 SENTRIGLOBAL LTD, BZ
834 IPXO, US