6 August 2018
Summary
On the 4th of August 2018, two media outlets of Azerbaijan, gununsesi.info and azadliq.info, received denial of service attacks. The attack technique and signature were not new, but the infrastructure that supported the flooding had some very specific characteristics.
Our investigation traced the attack back to a proxy service known as fineproxy.org, registered in the name of QualityNetwork OÜ in Estonia. This report explains how the owner of the service fakes the geolocation information of the networks that host the proxies and facilitates the use of his service for network abuse such as the launching of denial of service attacks.
Region40 – A commercial proxy network to run DDOS attacks as a service
Starting on the 4th of August at 16:30 PM and for a period of 2 hours and 30 minutes, we received an application layer denial of service attack targeting the website Azadliq.info.
A typical request looked like this:
GET /?s=81371365638 HTTP/1.1
Host: www.azadliq.info
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A
Referer: https://www.yandex.ru/search/?text=en
The attack, which targeted the “Search” functionality of the website, aimed to bypass our mitigation by performing slow but simultaneous searches from 5500 IP addresses. This attack is not new to us, but this specific botnet has some interesting features worth exposing.
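As an added example (not code from the original report), the following Python flags this request pattern in a web server access log: junk numeric search terms arriving with the generic Yandex referer, counted per source IP so that many low-rate sources stand out. The log lines are constructed for this example, and the eight-digit threshold for a junk search term is an assumption.

```python
import re
from collections import Counter

# Constructed access-log lines (combined log format) modelled on the request
# shown above; IPs, timestamps and byte counts are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [04/Aug/2018:16:31:02 +0200] "GET /?s=81371365638 HTTP/1.1" 200 5120 "https://www.yandex.ru/search/?text=en" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
198.51.100.7 - - [04/Aug/2018:16:31:05 +0200] "GET /?s=55019283746 HTTP/1.1" 200 5098 "https://www.yandex.ru/search/?text=en" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36"
192.0.2.44 - - [04/Aug/2018:16:31:09 +0200] "GET /?s=media+freedom HTTP/1.1" 200 7730 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36"
203.0.113.10 - - [04/Aug/2018:16:33:40 +0200] "GET /?s=19283746501 HTTP/1.1" 200 5104 "https://www.yandex.ru/search/?text=en" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A"
192.0.2.99 - - [04/Aug/2018:16:34:12 +0200] "GET /news/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Search requests whose term is a long run of digits: the attack used random
# numbers so every request misses the search cache (threshold is our assumption).
JUNK_SEARCH_RE = re.compile(r"^/\?s=\d{8,}$")
ATTACK_REFERER = "https://www.yandex.ru/search/?text=en"

def is_flood_request(path, referer):
    """A request matches the pattern if it is a junk numeric search that
    claims to arrive from a generic Yandex search page."""
    return bool(JUNK_SEARCH_RE.match(path)) and referer == ATTACK_REFERER

def search_flood_summary(log_text):
    """Return the parsed-line total, matching requests per source IP and the
    number of distinct User-Agents among them. Many IPs with a low per-IP
    rate is the signature of a slow, distributed search flood."""
    per_ip, user_agents, total = Counter(), set(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        total += 1
        if is_flood_request(m["path"], m["ref"]):
            per_ip[m["ip"]] += 1
            user_agents.add(m["ua"])
    return {"total": total, "flood_ips": dict(per_ip), "distinct_uas": len(user_agents)}
```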
Geo-spoofing tricks to fool mitigation
One very interesting feature of this botnet is that it spoofs the geolocation information of the network prefixes to fool geolocation-based mitigation techniques.
The botnet uses a total of 50 different countries; the most common ones are RU, UA, GB, DE, CH, CZ, US and NL.
For example, AS200557 (Region40) alone accounts for 46 of those spoofed countries.
How is this done in practice? The owner or lessee of the IP space creates objects with fake geolocation information in RIPE (which are later used by Whois and by geolocation databases like MaxMind). By faking the location, the owners of the infrastructure claim to have “global presence” when in fact most of the announced prefixes sit in very few data centers.
Update: 6th August 2018
A detailed breakdown of all the prefixes, their upstream paths and fake geolocations is now available to download [ fineproxy_bogusgeo ]
The following graph shows how many IP addresses were used per /24 during the attack.
Bogus info in /25 objects
Let us take for example the prefix .0/24, where a total of 14 IPs were used in the attack. This range belongs to depo40.ru and is associated with “Depo Data Center Kaluga”. An inetnum object was created in RIPE that looks as follows:
inetnum: 93.179.91.0 - 93.179.91.127
netname: FloridaNet
descr: Orlando Network
country: US
admin-c: GS19550-RIPE
tech-c: GS19550-RIPE
status: ASSIGNED PA
mnt-by: QNSC
created: 2015-05-03T19:26:47Z
last-modified: 2017-07-31T18:54:41Z
source: RIPE
The first /25 of this network is described as Orlando Network in Florida. Routing suggests that it is in Moscow. The second /25 is described as being in Russia.
inetnum: 93.179.91.128 - 93.179.91.255
netname: QUALYTYNETWORK
country: RU
admin-c: GS19550-RIPE
tech-c: GS19550-RIPE
status: ASSIGNED PA
mnt-by: QNSC
created: 2017-07-31T18:27:12Z
last-modified: 2017-07-31T18:28:21Z
source: RIPE
This double allocation of /25 prefixes with different countries is common across fineproxy.org's address space.
Latency talks to us too
A list of prefixes and latencies measured from Sweden is available: fineproxy_ping2
Latency values are consistent with the AS paths and the likely data centers. With the exception of networks announced from the USA (Las Vegas and LAX), latencies are pretty constant and show how the country: field is abused.
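To make the checks above mechanical, here is an added example (not part of the original report) that parses RIPE inetnum objects in RPSL text form, flags /24s whose sub-allocations carry conflicting country: values under one maintainer, and compares each country: against the location the analyst inferred from AS paths or latency. The sample objects are the two /25s quoted above (abridged), and the RU hint for 93.179.91.0/24 reflects the Moscow routing noted above.

```python
import ipaddress
from collections import defaultdict
# The two /25 inetnum objects quoted above (abridged), in RIPE's RPSL text format.
SAMPLE_WHOIS = """\
inetnum:        93.179.91.0 - 93.179.91.127
netname:        FloridaNet
country:        US
mnt-by:         QNSC

inetnum:        93.179.91.128 - 93.179.91.255
netname:        QUALYTYNETWORK
country:        RU
mnt-by:         QNSC
"""

def parse_rpsl(text):
    """Split whois output into objects: one dict each, first value per key wins."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):  # blank/comment ends an object
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), value.strip())
    if current:
        objects.append(current)
    return objects

def geo_inconsistencies(text, routing_hint=None):
    """(a) sub-allocations of one /24 with conflicting country: under one maintainer;
    (b) country: contradicting the analyst's routing_hint, a map '/24' -> 'CC'."""
    routing_hint = routing_hint or {}
    by_parent = defaultdict(list)
    for obj in parse_rpsl(text):
        if "inetnum" in obj:
            start = obj["inetnum"].split("-")[0].strip()
            by_parent[ipaddress.ip_network(f"{start}/24", strict=False)].append(obj)
    findings = []
    for parent, objs in by_parent.items():
        countries = {o.get("country") for o in objs}
        if len(objs) > 1 and len(countries) > 1 and len({o.get("mnt-by") for o in objs}) == 1:
            findings.append(("split-country", str(parent), sorted(countries)))
        hint = routing_hint.get(str(parent))
        for o in objs:
            if hint and o.get("country") != hint:
                findings.append(("routing-mismatch", o["inetnum"], o.get("country"), hint))
    return findings
```

The same parser works on the full objects shown on this page, since extra attributes such as admin-c or created are simply carried along in the dict.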
Where is Region40 LLC?
We looked into our border routers to find out which providers were carrying the botnet's traffic upstream. We dumped the different routing tables as the attack was taking place and looked at where the attack was coming from, i.e. which providers were routing the traffic toward our servers.
We found out that all prefixes of AS200557 Region40 LLC were routed by ROSTELECOM (AS12389) or MEGAFON (AS50896).
This information matches what we found by checking Hurricane Electric Internet Services.
Who is UGB Hosting – AS206485?
We also identified what seems to be a new infrastructure of Region40 in Estonia. This new provider, UGB Hosting OÜ, seems to announce ten /23 prefixes of Region40 aka QualityNetwork OÜ that were used during the attacks. The traffic is routed upstream via Telia in Estonia.
organisation: ORG-QA109-RIPE
org-name: QualityNetwork
org-type: OTHER
address: Estonia pst 5-309B
address: 10143 Tallinn
address: Estonia
abuse-c: ACRO16298-RIPE
mnt-ref: IPADDRESS-RU
mnt-by: IPADDRESS-RU
created: 2018-05-22T11:39:03Z
last-modified: 2018-05-22T11:39:03Z
source: RIPE # Filtered
person: Andrus Raud
address: QualityNetwork
address: Estonia pst 5-309B
address: 10143 Tallinn
address: Estonia
phone: +372 8807849
nic-hdl: AR45801-RIPE
mnt-by: IPADDRESS-RU
created: 2018-03-30T17:39:57Z
last-modified: 2018-03-30T17:39:57Z
source: RIPE
% Information related to '185.252.186.0/23AS206485'
route: 185.252.186.0/23
origin: AS206485
mnt-by: ee-ugb-1-mnt
created: 2018-04-06T06:13:03Z
last-modified: 2018-04-06T06:13:03Z
source: RIPE
If we look for example at the prefix 185.252.186.0/24, we can see it is reported as being in country “France”. Latency values from this network are < 10 ms from Sweden, and routing information indicates that this network is in fact in Estonia.
inetnum: 185.252.186.0 - 185.252.187.255
netname: FR-QN-20180330
country: FR
org: ORG-QA109-RIPE
admin-c: AR45801-RIPE
tech-c: AR45801-RIPE
status: ASSIGNED PA
mnt-by: IPADDRESS-RU
mnt-routes: ee-ugb-1-mnt
created: 2018-03-30T17:46:34Z
last-modified: 2018-05-22T12:03:15Z
source: RIPE
fineproxy.org – A proxy network as a service
Conclusions
- Attribution: It is difficult to know who might be paying for the attacks, but minutes before the attack started someone from Azerbaijan hiding behind “Browsec VPN” performed a few test queries in the “Search” of the site. 🙂
- Attack Infrastructure: The attack infrastructure was provided by QualityNetworks OÜ in Estonia, owned by Trusov Ilya Igorevych, a 33-year-old Russian with a company registered in Estonia. Ilya, aka iluxa85, runs the service finevpn.org, which offers thousands of proxy IPs for rent. He operated servers from his “Kaluga Data Center Depo” until he added more locations and prefixes (from ipaddress.ru) and rented servers at Global Layer and GigeNET.
- The fake geo data: Finevpn.org, aka Region40, Depo40, QualityNetworks and Trusov, operates many prefixes from a data center of UGB Hosting in Estonia. These announced prefixes also carry fake geolocation information in their RIPE objects.
- “Grey abuse handling”: In order to look like an “honest business operation”, QualityNetworks handles abuse cases with “strategic” business care: their clients, who can use several forms of “Anonymous Payments”, will enjoy enough proxy network uptime to perform their attacks before their accounts are locked when abuse is reported. For example, an attacker performing 10K connections per second against a given site will not be stopped immediately, so that the finevpn service remains in demand; in particular, no destination rate control is in place.
Appendix
User-Agent and Referers
Referers
Abuse e-mails