Azerbaijan and the fineproxy DIY DDoS service (Region40 / QualityNetwork)


Summary

On 4 August 2018, two Azerbaijani media outlets, gununsesi.info and azadliq.info, were hit by denial of service attacks. The attack technique and signature were not new, but the infrastructure that supported the floods had some very specific characteristics.

Our investigation traced the attack back to a proxy service known as fineproxy.org, registered in the name of QualityNetwork OÜ in Estonia. This report explains how the owner of the service fakes the geolocation information of the networks that host the proxies, and how this facilitates network abuse such as the launching of denial of service attacks.

Region40 – A commercial proxy network to run DDoS attacks as a service

Starting on 4 August at 16:30 and lasting for 2 hours and 30 minutes, we received an application layer denial of service attack targeting the website azadliq.info.

A typical request looked like this:

GET /?s=81371365638 HTTP/1.1
Host: www.azadliq.info
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Referer: https://www.yandex.ru/search/?text=en

The attack targeted the “Search” functionality of the website and aimed to bypass our mitigation by performing slow but simultaneous searches from 5500 IP addresses. This type of attack is not new to us, but this specific botnet has some interesting features worth exposing.

The botnet used 134 /24 network prefixes allocated to a handful of providers (Autonomous Systems):
AS200557 Region40 LLC aka Quality Network
AS50896 Trusov Ilya Igorevych aka iluxa85
AS21299 2DAY Telecom LLP (old Maxmind record, now announced by GlobalLayer)
AS49453 Global Layer B.V.
AS57172 Global Layer B.V.
AS32181 GigeNET
AS206485 UGB (upstream Telia, announcing QualityNetwork OÜ space)
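As an added example (not part of the original report), the following Python script shows how the signature of this search flood can be picked out of a web server access log and how the sources can then be aggregated per /24, the view used in the rest of this report. The log lines are constructed: the request shape, Referers and User-Agents follow the samples on this page and the source addresses come from prefixes named here, but the individual hits are invented.

```python
"""Pick a distributed search flood out of combined-format access logs.

Added example, not code from the original report. SAMPLE_LOG is constructed:
request shape, Referers and User-Agents mimic the ones captured during the
attack, the hits themselves are invented.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# nginx/apache "combined" log format: the last two quoted fields are Referer and UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Campaign signature: a WordPress search (?s=) whose term is a random number,
# arriving with a Referer that claims to be a search-engine results page.
SEARCH_PATH_RE = re.compile(r"^/\?s=\d+$")
FAKE_REFERER_RE = re.compile(r"^https://(www\.yandex\.ru|search\.yahoo\.com)/search")

SAMPLE_LOG = [
    '93.179.91.10 - - [04/Aug/2018:16:31:02 +0200] "GET /?s=81371365638 HTTP/1.1" 200 5120 '
    '"https://www.yandex.ru/search/?text=en" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) '
    'AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"',
    '93.179.91.11 - - [04/Aug/2018:16:31:03 +0200] "GET /?s=2203991127 HTTP/1.1" 200 5120 '
    '"https://search.yahoo.com/search?p=en&ei=UTF-8" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"',
    '93.179.91.10 - - [04/Aug/2018:16:31:40 +0200] "GET /?s=55019283 HTTP/1.1" 200 5120 '
    '"https://www.yandex.ru/search/?text=en" "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0"',
    '185.252.186.7 - - [04/Aug/2018:16:31:41 +0200] "GET /?s=9012837465 HTTP/1.1" 200 5120 '
    '"https://www.yandex.ru/search/?text=en" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36"',
    # A real visitor searching for a word, no Referer: must not be flagged.
    '203.0.113.5 - - [04/Aug/2018:16:32:00 +0200] "GET /?s=seckiler HTTP/1.1" 200 7010 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"',
    # An ordinary article hit referred by Google: must not be flagged either.
    '203.0.113.9 - - [04/Aug/2018:16:32:05 +0200] "GET /2018/08/some-article/ HTTP/1.1" 200 9300 '
    '"https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_search_flood_hit(rec):
    """True when a parsed request matches the numeric-search + fake-Referer signature."""
    return (rec["method"] == "GET"
            and SEARCH_PATH_RE.match(rec["path"]) is not None
            and FAKE_REFERER_RE.match(rec["referer"]) is not None)


def summarize(lines):
    """Return (set of attacking IPs, {/24: number of distinct IPs}, Counter of User-Agents)."""
    attackers = set()
    per_24 = defaultdict(set)
    ua_counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_search_flood_hit(rec):
            continue
        ip = ipaddress.ip_address(rec["ip"])
        attackers.add(ip)
        net24 = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_24[str(net24)].add(ip)
        ua_counter[rec["ua"]] += 1
    return attackers, {k: len(v) for k, v in per_24.items()}, ua_counter


if __name__ == "__main__":
    ips, by_24, uas = summarize(SAMPLE_LOG)
    print(f"{len(ips)} attacking IPs, {len(uas)} distinct User-Agents over {sum(uas.values())} hits")
    for net, n in sorted(by_24.items(), key=lambda kv: -kv[1]):
        print(f"{net:20s} {n} distinct sources")
```

Counting distinct sources per /24 rather than raw hits is what makes a slow-and-wide flood visible: each address sends little, but the number of distinct addresses inside a few prefixes is far above anything a real audience produces.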

Geo-spoofing tricks to fool mitigation

One very interesting feature of this botnet is that the geolocation information of its network prefixes is spoofed, in order to fool mitigation techniques that rely on geolocation.

The botnet's prefixes claim a total of 50 different countries, the most common being RU, UA, GB, DE, CH, CZ, US and NL.

AS200557 Region40 alone accounts for 46 of those spoofed countries.

How is this done in practice? The owner or lessee of the IP space creates inetnum objects in the RIPE database with a fake country: field. Whois clients and geolocation databases such as MaxMind consume that registry data, so the fake country propagates to them. By faking the location, the owners of the infrastructure claim a “global presence” when in fact most of the announced prefixes sit in very few data centers.

 

Update: 6th August 2018

 

A detailed breakdown of all the prefixes, their upstream paths and fake geolocations is now available for download [ fineproxy_bogusgeo ]

The following graph shows how many IP addresses were used per /24 during the attack.

Bogus info in /25 objects

Let us take for example the prefix 93.179.91.0/24, from which a total of 14 IPs were used in the attack. This range belongs to depo40.ru and is associated with “Depo Data Center Kaluga”.

An inetnum object was created in RIPE that looks as follows:

inetnum: 93.179.91.0 - 93.179.91.127
netname: FloridaNet
descr: Orlando Network
country: US
admin-c: GS19550-RIPE
tech-c: GS19550-RIPE
status: ASSIGNED PA
mnt-by: QNSC
created: 2015-05-03T19:26:47Z
last-modified: 2017-07-31T18:54:41Z
source: RIPE

The first /25 of this network is described as “Orlando Network” in Florida. Routing suggests that it is in Moscow. The second /25 is described as being in Russia:

inetnum: 93.179.91.128 - 93.179.91.255
netname: QUALYTYNETWORK
country: RU
admin-c: GS19550-RIPE
tech-c: GS19550-RIPE
status: ASSIGNED PA
mnt-by: QNSC
created: 2017-07-31T18:27:12Z
last-modified: 2017-07-31T18:28:21Z
source: RIPE

This pattern, a /24 split into two /25 assignments whose country: fields disagree, is common across fineproxy.org's address space.
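As an added example, not tooling from the report, here is a small Python script that parses RIPE whois output (RPSL “key: value” objects) and flags every /24 whose more-specific inetnum assignments disagree on the country: field, which is exactly the “two /25s, two countries” pattern shown above. The two 93.179.91.x objects embedded in it are the ones printed above (trimmed to the relevant attributes); the 198.51.100.0/24 pair is a constructed control with a consistent country. For real data, feed it the output of a more-specific query, e.g. `whois -h whois.ripe.net -M -T inetnum 93.179.91.0/24` with the GNU whois client.

```python
"""Flag /24s whose RIPE sub-assignments disagree on country:.

Added example, not from the original report. The first two objects in
SAMPLE_WHOIS are the ones shown on this page; the 198.51.100.0/24 pair is a
constructed control whose halves agree and therefore must not be flagged.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_WHOIS = """\
% Information related to '93.179.91.0 - 93.179.91.127'

inetnum:        93.179.91.0 - 93.179.91.127
netname:        FloridaNet
descr:          Orlando Network
country:        US
status:         ASSIGNED PA
mnt-by:         QNSC
source:         RIPE

inetnum:        93.179.91.128 - 93.179.91.255
netname:        QUALYTYNETWORK
country:        RU
status:         ASSIGNED PA
mnt-by:         QNSC
source:         RIPE

% Constructed control: same split, consistent country
inetnum:        198.51.100.0 - 198.51.100.127
netname:        EXAMPLE-A
country:        RU
source:         RIPE

inetnum:        198.51.100.128 - 198.51.100.255
netname:        EXAMPLE-B
country:        RU
source:         RIPE
"""


def parse_rpsl(text):
    """Split whois output into objects. Objects are separated by blank lines,
    '%' lines are server comments, attributes are 'key: value' (repeatable)."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_networks(obj):
    """Convert an 'a - b' inetnum range into the CIDR blocks covering it.
    Accepts an en-dash too, since that is what copy-pasted web output contains."""
    start, end = re.split(r"\s*[-\u2013]\s*", obj["inetnum"][0], maxsplit=1)
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def conflicting_country_per_24(text):
    """Return {'/24': [country codes]} for every /24 whose assignments of
    length /24 or longer carry more than one distinct country: value."""
    by_24 = defaultdict(set)
    for obj in parse_rpsl(text):
        if "inetnum" not in obj:
            continue
        for net in inetnum_networks(obj):
            if net.prefixlen < 24:
                continue  # allocations larger than a /24 are not split objects
            parent = net.supernet(new_prefix=24)
            by_24[str(parent)].add(obj.get("country", ["?"])[0].upper())
    return {k: sorted(v) for k, v in by_24.items() if len(v) > 1}


if __name__ == "__main__":
    for net, countries in conflicting_country_per_24(SAMPLE_WHOIS).items():
        print(f"{net}: sub-assignments claim {', '.join(countries)}")
```

A disagreement inside one /24 is a strong signal on its own: a real provider with racks in two countries does not need to split a single /24 between Orlando and Moscow.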

 

Latency talks to us too

A list of prefixes and their latencies measured from Sweden is available for download [ fineproxy_ping2 ]

Latency values are consistent with the AS paths and the likely data centers. With the exception of the networks announced from the USA (Las Vegas and LAX), latencies are fairly constant and show how the country: field is abused.


Where is Region40 LLC – AS200557?

We looked into our border routers to find out which providers were carrying the botnet's traffic towards us. We dumped the routing tables while the attack was taking place and checked where the attack traffic was coming from, i.e. which providers were routing it towards our servers.

We found that all prefixes of AS200557 Region40 LLC were routed via ROSTELECOM AS12389 or MEGAFON AS50896.

This matches what Hurricane Electric's BGP toolkit shows for the same prefixes.
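As an added example (not the report's own tooling), the following Python script does the routing-table exercise described above in a repeatable way: it takes a stripped-down dump of BGP routes (`<prefix> <as-path>`, the information a router's `show ip bgp` or a looking glass gives you), performs a longest-prefix match for every attacking IP and reports, per origin AS, which neighbouring AS carried the prefix, i.e. the origin's upstream. The routes and the attacking IPs are constructed: the ASNs are those named in this report plus AS1299 (Telia Carrier), but the paths are illustrative and not copied from any real routing table.

```python
"""Which upstream AS carried the attack traffic, per origin AS?

Added example, not the report's own tooling. SAMPLE_RIB is a constructed,
stripped-down route dump ('<prefix> <as-path>'); the ASNs are the ones named
in this report plus AS1299 (Telia Carrier), the paths are illustrative.
"""
import ipaddress
from collections import defaultdict

SAMPLE_RIB = """\
93.179.88.0/22      1299 12389 200557
93.179.91.0/24      1299 12389 12389 200557
185.252.186.0/23    1299 206485
198.51.100.0/24     1299 49453
"""

# Constructed list of attacking sources, e.g. the distinct IPs taken from an access log.
ATTACKING_IPS = ["93.179.91.10", "93.179.89.3", "185.252.186.7", "198.51.100.9", "203.0.113.1"]


def load_rib(text):
    """Parse '<prefix> <as-path>' lines and sort most-specific first, so that
    a linear scan in lookup() implements longest-prefix match."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, *path = line.split()
        routes.append((ipaddress.ip_network(prefix), [int(asn) for asn in path]))
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes


def lookup(routes, ip):
    """Return (network, as_path) of the most specific route covering ip, or (None, None)."""
    addr = ipaddress.ip_address(ip)
    for net, path in routes:
        if addr in net:
            return net, path
    return None, None


def upstreams_by_origin(routes, attacking_ips):
    """Return ({origin_asn: {upstream_asn: {prefixes}}}, [unrouted ips]).
    The origin is the last AS on the path; its upstream is the AS before it,
    after collapsing prepends (12389 12389 -> 12389)."""
    result = defaultdict(lambda: defaultdict(set))
    unrouted = []
    for ip in attacking_ips:
        net, path = lookup(routes, ip)
        if net is None:
            unrouted.append(ip)
            continue
        collapsed = [a for i, a in enumerate(path) if i == 0 or a != path[i - 1]]
        origin = collapsed[-1]
        upstream = collapsed[-2] if len(collapsed) > 1 else None
        result[origin][upstream].add(str(net))
    return result, unrouted


if __name__ == "__main__":
    table, missing = upstreams_by_origin(load_rib(SAMPLE_RIB), ATTACKING_IPS)
    for origin, ups in sorted(table.items()):
        for upstream, prefixes in ups.items():
            print(f"AS{origin} via AS{upstream}: {', '.join(sorted(prefixes))}")
    if missing:
        print("no route for:", ", ".join(missing))
```

Doing this against a dump taken during the attack, rather than against a public looking glass afterwards, matters: the paths seen from your own border are the ones the flood actually took, and they are what you need when asking an upstream to act.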

Who is UGB Hosting – AS206485?

 

We also identified what appears to be new infrastructure of Region40 in Estonia. This new provider, UGB Hosting OÜ, announces ten /23 prefixes of Region40 aka QualityNetwork OÜ that were used during the attacks. The traffic is routed upstream via Telia in Estonia.

 

organisation: ORG-QA109-RIPE
org-name: QualityNetwork
org-type: OTHER
address: Estonia pst 5-309B
address: 10143 Tallinn
address: Estonia
abuse-c: ACRO16298-RIPE
mnt-ref: IPADDRESS-RU
mnt-by: IPADDRESS-RU
created: 2018-05-22T11:39:03Z
last-modified: 2018-05-22T11:39:03Z
source: RIPE # Filtered

person: Andrus Raud
address: QualityNetwork
address: Estonia pst 5-309B
address: 10143 Tallinn
address: Estonia
phone: +372 8807849
nic-hdl: AR45801-RIPE
mnt-by: IPADDRESS-RU
created: 2018-03-30T17:39:57Z
last-modified: 2018-03-30T17:39:57Z
source: RIPE

% Information related to '185.252.186.0/23AS206485'

route: 185.252.186.0/23
origin: AS206485
mnt-by: ee-ugb-1-mnt
created: 2018-04-06T06:13:03Z
last-modified: 2018-04-06T06:13:03Z
source: RIPE

If we look for example at the prefix 185.252.186.0/24, we can see it is registered as being in France. Latency from this network is below 10 ms from Sweden, and routing information shows that the network is in fact in Estonia.

inetnum: 185.252.186.0 - 185.252.187.255
netname: FR-QN-20180330
country: FR
org: ORG-QA109-RIPE
admin-c: AR45801-RIPE
tech-c: AR45801-RIPE
status: ASSIGNED PA
mnt-by: IPADDRESS-RU
mnt-routes: ee-ugb-1-mnt
created: 2018-03-30T17:46:34Z
last-modified: 2018-05-22T12:03:15Z
source: RIPE
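As an added example (not from the original report), the following Python script turns the latency argument used in the “Latency talks to us too” section and again here into a check you can run: given the round-trip time measured from a vantage point and the country a RIPE object claims, it computes the shortest physically possible RTT to that country and rejects the claim when the measurement is below it. It assumes a vantage point in Stockholm, one representative city per country and a propagation speed of about 200 km/ms in fibre. The 9 ms sample for 185.252.186.0/24 follows the “below 10 ms from Sweden” observation above; the 30 ms samples for the two halves of 93.179.91.0/24 are constructed.

```python
"""Sanity-check a registry country: claim against a measured RTT.

Added example, not from the original report. Light in fibre covers roughly
200 km per millisecond, so a round trip to a network can never be shorter
than 2 * distance / 200 km/ms. A measured RTT below that bound for the
claimed country refutes the claim. City coordinates are approximate and
stand in for the whole country; the RTT samples are constructed except for
the sub-10 ms Sweden-to-185.252.186.0/24 figure quoted in the report.
"""
import math

FIBRE_KM_PER_MS = 200.0  # ~2/3 of c, a generous (fast) assumption

VANTAGE = (59.33, 18.07)  # Stockholm (lat, lon)
COUNTRY_POINT = {
    "SE": (59.33, 18.07),   # Stockholm
    "EE": (59.44, 24.75),   # Tallinn
    "RU": (55.76, 37.62),   # Moscow
    "FR": (48.86, 2.35),    # Paris
    "US": (28.54, -81.38),  # Orlando, the city the FloridaNet object names
}

SAMPLES = [
    ("185.252.186.0/24", "FR", 9.0),   # report: below 10 ms from Sweden
    ("185.252.186.0/24", "EE", 9.0),   # where routing actually puts it
    ("93.179.91.0/25", "US", 30.0),    # "Orlando Network"; 30 ms is constructed
    ("93.179.91.128/25", "RU", 30.0),  # second half, claims Russia; constructed
]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in degrees."""
    r = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def min_rtt_ms(country, vantage=VANTAGE):
    """Lower bound on the RTT from the vantage point to the claimed country."""
    return 2 * haversine_km(vantage, COUNTRY_POINT[country]) / FIBRE_KM_PER_MS


def geo_claim_plausible(country, measured_rtt_ms, vantage=VANTAGE):
    """False when the RTT is too short for the claimed country to be possible.
    True only means 'not refuted': a plausible RTT does not prove the claim."""
    return measured_rtt_ms >= min_rtt_ms(country, vantage)


def audit(samples, vantage=VANTAGE):
    """samples: [(prefix, claimed_country, measured_rtt_ms)] ->
    [(prefix, claimed, measured, bound_ms, verdict)]."""
    out = []
    for prefix, claimed, rtt in samples:
        bound = min_rtt_ms(claimed, vantage)
        verdict = "refuted" if rtt < bound else "not refuted"
        out.append((prefix, claimed, rtt, round(bound, 1), verdict))
    return out


if __name__ == "__main__":
    for prefix, claimed, rtt, bound, verdict in audit(SAMPLES):
        print(f"{prefix:18s} claims {claimed}: measured {rtt:5.1f} ms, minimum {bound:5.1f} ms -> {verdict}")
```

The check is deliberately one-sided. A 9 ms round trip from Stockholm cannot reach Paris and back, so the France claim is impossible; the same 9 ms is consistent with Tallinn, which agrees with the AS path, but it would also be consistent with Helsinki or Riga. Latency refutes a country: field, it never confirms one, so it is best used together with the AS path and the data center the upstream actually serves.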

 

All these networks seem to be operated by Trusov Ilya Igorevych, who recently registered the company QualityNetwork OÜ in Estonia.
Checking the domains associated with Ilya Trusov's e-mail account iluxa85@inbox[.]ru we found the domain billingproxy.ru (thanks RiskIQ!).
Iluxa85 (33) can be found in discussion forums promoting finevpn.org, which gives one more hint of what those pools of IPs were used for.
On the same server that hosts finevpn.org (198.211.121.105) we find other domains that sell access to pools of proxy servers: fineproxy.org, buy.fineproxy.org, best-proxy.ru and fineproxy.ru.
Other domains that iluxa85 ran in the past include depo40.ru.

fineproxy.org  – A proxy network as a service

 

By placing an order we confirmed that fineproxy.org operates under QualityNetwork OÜ in Estonia.

Conclusions

  • Attribution: It is difficult to know who might be paying for the attacks, but minutes before the attack started someone from Azerbaijan hiding behind “Browsec VPN” performed a few test queries in the “Search” of the site. 🙂
  • Attack infrastructure: The attack infrastructure was provided by QualityNetwork OÜ in Estonia, owned by Trusov Ilya Igorevych, a 33-year-old Russian with a company registered in Estonia. Ilya aka iluxa85 runs the service finevpn.org, which rents out thousands of proxy IPs. He operated servers from his “Kaluga Data Center Depo” until he added more locations and prefixes (from ipaddress.ru) and rented servers at Global Layer and GigeNET.
  • The fake geo data: Finevpn.org aka Region40, Depo40, QualityNetwork, Trusov operates many prefixes from a data center of UGB Hosting in Estonia. The RIPE objects for these announced prefixes also carry fake geolocation information.
  • “Grey abuse handling”: In order to look like an honest business operation, QualityNetwork handles abuse cases with “strategic” business care: its clients, who can pay through several forms of “anonymous payment”, enjoy enough proxy network uptime to complete their attacks before their accounts are locked once abuse is reported. An attacker performing 10K connections per second against a given site will not be stopped immediately, which keeps the finevpn service in demand. No per-destination rate control is in place.

 

Update 8th August 2018
We finally got the time to review all the logs and these are our findings:
  • Hours before the attack against azadliq.info, the attackers used the VPN “Browsec-VPN-Free-and-Unlimited-VPN” to run some “Search” test queries against the website gununsesi.info
  • The attackers used different proxy VPS hosted at Digital Ocean that routed the traffic of Browsec. We downloaded the VPN and confirmed that those IPs use the domain lunrac.com
  • The attackers ran the attacks from the 31.170.236.0/22 network, which hosts several government institutions including the “Special State Protection Service”
  • The attackers hide behind a Fortinet device that protects their network.
  • The attack was possible thanks to the infrastructure provided by fineproxy.org

Appendix

User-Agents and Referers

Referers

https://search.yahoo.com/search?p=en&ei=UTF-8
https://www.yandex.ru/search/?text=en
User Agents

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14
Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10; rv:33.0) Gecko/20100101 Firefox/33.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13+ (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2224.3 Safari/537.36
Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0
Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.0) Gecko/20100101 Firefox/29.0
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20130401 Firefox/31.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1
Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.4; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2225.0 Safari/537.36
Mozilla/5.0 (X11; Linux i586; rv:31.0) Gecko/20100101 Firefox/31.0
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Mozilla/5.0 (X11; OpenBSD amd64; rv:28.0) Gecko/20100101 Firefox/28.0
Opera/12.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.02
Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
Opera/9.80 (X11; Linux i686; Ubuntu/14.10) Presto/2.12.388 Version/12.16

 

Abuse e-mails

abuse@quality-network.eu
abuse@atomohost.com
abuse@pinspb.ru
info@leadertelecom.ru
abuse@qualytynetwork.tech