DDoS attacks against Hungarian media traced to proxy infrastructure “White Proxies”

Rotten fruit. An illustration of how the Internet is full of rotten actors.

– Attacks enabled by a stack of rotten actors

During April to August 2023, more than 40 Hungarian media websites were targeted by waves of denial of service attacks which brought many of them offline. Nearly all of the targeted news sites had one thing in common – they were critical of the government of Prime Minister Viktor Orbán.

On 29 August, the International Press Institute (IPI) in Vienna published a report on the attacks, stressing that DDoS cyber attacks pose a major new threat to media freedom in Hungary. Since no media outlet supportive of the ruling Fidesz party was targeted by the attacks, IPI indicated that the motive could be political or ideological.

A few days later, a wave of DDoS attacks against IPI started. The attacks lasted for several weeks and brought the website of IPI down for days. At the same time, attacks against some of the Hungarian media started again.

Qurium’s investigation is based on an analysis of traffic data provided by IPI and two Hungarian news media that came under DDoS attack. Based on our assessment, it is highly probable that the attacks on the other Hungarian media were carried out with this same attack infrastructure.

The investigation reveals how “White Proxies” (also known as White Solutions), a proxy infrastructure with unknown owners, was weaponized to operate a DDoS service used to target IPI and regime-critical Hungarian media. Most importantly, the report illustrates how the companies that provide the services White Proxies (Solutions) needs to operate its business responded when we reached out to them.

Intermediaries in the proxy industry benefit financially from protecting their clients from abuse reporting. While these intermediaries let their clients operate malicious activities, such as DDoS attacks, in their networks or by using their IP space, they are accomplices to the crime.

A stack of attack enablers

The illustration below shows the stack of service providers that enables the DDoS attacks and the companies we have managed to trace to the attacks against Hungarian media. Let’s go through the stack from the bottom up.

Prefix resellers: Companies that resell IP space (IPv4 and IPv6) to proxy and VPN providers. The IP space is often leased for a short period of time and returned after it has been used in malicious activities. Among the five resellers we identified, two (Access2.IT and SecureBit) are faking the geolocation data of their IP space to make it more valuable on the market.

Hosting provider: Companies that operate data centers with upstream connections to the global Internet backbone. A1 Network Exchange, owned by HostCram LLC (Bangladesh), is hosting the infrastructure of White Proxies (Solutions).

Proxy and VPN providers: Companies that offer access to a large set (millions) of IP addresses that are globally distributed across data centers, compromised devices and mobile phones (residential proxies). There are often several proxy and VPN providers present in a DDoS attack (PP1-PP4), but this report focuses only on White Proxies (Solutions), one of the providers involved in the Hungarian attacks.

DDoS service: The service that orchestrates the DDoS attack and instructs each proxy and VPN provider on who to attack and how.

Targets: The targeted media websites receive large volumes of traffic from thousands of globally distributed IP addresses that belong to proxy and VPN providers hosted with White Proxies (Solutions).

The needle in the haystack – a network

Every investigation starts with finding a needle in the haystack. A little piece of valuable information hidden in a large volume of traffic logs.

One of the networks that was active in the Denial of Service attacks against IPI and several Hungarian media on 8 September was 166.0.205{.}0/24. This is the needle of this investigation.

Traffic analysis made us suspect that this specific network block was acting as a “rotating proxy”. Information from Censys showed that the network hosted a proxy service at the IP address 166.0.205{.}2, powered by Squid/4.10.

Censys shows that a Squid instance is running on 166.0.205.2

A1 Networks Exchange Limited

The setup behind the floods consisted of a Proxmox Virtualization server operating a “rotating proxy service”. The network prefix was leased from IPXO and was announced by AS51082, A1 Networks Exchange Limited during the attacks.

Company details of A1 Networks Exchange Limited.

The use of disposable networks

The fact that AS51082 (A1 Networks Exchange) is sourcing DDoS attacks is supported by the Cloudflare Radar project, where the IPv4 network 166.0.205.0/24 is already flagged as DDoS (57.9%).

This information not only shows that AS51082 has been involved in DDoS in the past, but also that it was still conducting bot-related activities during the last week of September 2023.

Cloudflare Radar indicates that 57.9% of the traffic from AS51082 is DDoS related.

Who runs A1 Network Exchange?

Shakib Khan appears as the owner of A1 Network Exchange Limited, a hosting provider specialized in obtaining IP networks that are monetized by leasing them out to proxy providers.

Mr. Khan is also connected with other companies that offer similar services, such as Etherdark Ltd, Intexon Ltd (AS59426) and HostCram LLC (AS39618).

organisation:   ORG-HA54-AP
org-name:       HostCram
org-type:       LIR
country:        BD
address:        Vitipara, Bhawal Rajabari, Sreepur
phone:          +8801851616193
e-mail:         network@hostcram.com
mnt-ref:        APNIC-HM
mnt-by:         APNIC-HM
last-modified:  2023-09-05T02:18:12Z
source:         APNIC

HostCram LLC, a Wyoming (US) registered company, acts as the main legal entity leasing and advertising IP space.

Company registration details for US registered HostCram LLC.

The business model of Khan’s companies is to operate large pools of IP addresses (mostly IPv6) and offer them to proxy providers.

The IPv4 addresses operated by Khan that were involved in the attack were sourced from IPXO’s leasing service.

Apart from being announced via Tier 1 providers such as Cogent and Sprint Communications Inc., these large IPv6 pools have bogus geofeeds associated with their geolocation.

For example, the prefix 2602:fd92:b00::/40 operated by HostCram shows subnets present in almost every single country.

(Bogus) geolocation of Hostcram IPv6 networks.

Yet another volatile prefix

As we have seen in previous denial of service attacks routed through (residential) proxies, the network prefixes involved are used by proxy providers for a few months until they are returned to IP brokers like IPXO.

This is also the case for the prefix 166.0.205{.}0/24 that was involved in the attacks against IPI and other Qurium-hosted organizations not related to Hungary.


As in the case of the denial of service against Aliat Data, the prefix was first announced by several Turkish providers until it finally arrived at IPXO, which leased it out to A1NX.

AS1239   , SPRINTLINK, US
AS49999  , BANDWIDTHTECH-AS Hydra Communications Ltd, GB
AS207633 , NOSSPEED KADIR HUSEYIN TEZCAN NOSSPEED INTERNET TEKNOLOJILERI, TR
AS207459 , AS-TEKNOSOS-INT TEKNOSOS BILISIM HIZMETLERI VE TIC. LTD. STI., TR
AS61317  , ASDETUK Hivelocity Inc, US
AS207279 , MARKAHOST-TELEKOMUNIKASYON-LIMITED-SIRKETI MARKAHOST 
           TELEKOMUNIKASYON VE TICARET LIMITED SIRKETI, TR
AS51722  , TEKNOSOS TEKNOSOS BILISIM HIZMETLERI VE TIC. LTD. STI., TR
AS204843 , TR-STERLY_VERI_MERKEZI_YAZILIM_VE_SIBER_GUVENLIK_HIZMETLERI_ANONIM_SIRKETI
           STERLY VERI MERKEZI YAZILIM VE SIBER GUVENLIK HIZMETLERI A.S., TR
AS834    , IPXO, US
AS51082  , A1NX A1 NETWORK EXCHANGE LIMITED, GB

Proxy provider operating in A1NX

When Qurium reached out to Shakib Khan to ask about the proxy provider that runs in his A1 Network Exchange (A1NX), he refused to share the information. Unfortunately for Mr. Khan, the historical data of his organization object “ORG-ANEL1-RIPE” provides several clues about where he obtained his network resources and which proxy providers have run in his infrastructure in the past.

The mnt-ref attribute of a RIPE Database object lists the maintainers (authorization tokens) that are allowed to create references to that object, in this case to his organization. In practice this means that A1NX allows those other entities to refer to A1NX as part of an IP assignment.

In 2021 the virtual Internet Exchange SecureBit/4b42 UG (CH/DE) was allowed to reference the object ORG-ANEL1-RIPE. Soon after, another maintainer was authorized to use the organisation object: VPLAB-MNT.

organisation: ORG-ANEL1-RIPE
org-name: A1 NETWORK EXCHANGE LIMITED
country: GB
org-type: OTHER
address: 27 Old Gloucester Street, London, United Kingdom, WC1N 3AX
abuse-c: ACRO42319-RIPE
mnt-ref: A1NX-MNT
mnt-ref: CLOUDIE-MNT              <--- Cloudie (IPv6 space)
mnt-ref: SBMT                     <--- SecureBit (IPv6 space)
mnt-ref: VPLAB-MNT                <--- VPLAB (IPv4 space)
mnt-by: A1NX-MNT
created: 2021-07-15T14:52:07Z
last-modified: 2023-06-29T19:18:03Z
source: RIPE # Filtered

# Historical records of mnt-ref for organization A1NX: ORG-ANEL1-RIPE#
A1NX-MNT                                                 2021-07-15T14:52:07Z
A1NX-MNT SBMT                                            2021-07-15T14:59:56Z
A1NX-MNT VPLAB-MNT                                       2021-11-17T12:52:24Z
A1NX-MNT VPLAB-MNT                                       2022-10-31T14:52:16Z
A1NX-MNT VPLAB-MNT                                       2022-12-01T17:06:41Z
A1NX-MNT SBMT VPLAB-MNT                                  2023-03-08T22:10:14Z
A1NX-MNT SBMT CLOUDIE-MNT VPLAB-MNT                      2023-06-29T19:18:03Z
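The mnt-ref history above is what makes this kind of tracing possible: each historical version of the organisation object records which maintainers were allowed to reference it at that time, and diffing consecutive versions shows when a new party (a prefix reseller or a proxy provider) entered or left the picture. The following Python script is an added example, not Qurium’s tooling: it parses RPSL “attribute: value” objects and diffs the mnt-ref sets of consecutive versions. The object versions embedded in it are constructed for the example (a made-up ORG-EXAMPLE1-RIPE with the maintainer names discussed in the text), not copies of RIPE Database records.

```python
import re
from collections import defaultdict

# Constructed historical versions of an organisation object in RPSL form.
# The maintainer names mirror the ones discussed in the text; the object
# itself (ORG-EXAMPLE1-RIPE) is made up and is not a RIPE Database record.
HISTORY = [
    """organisation:  ORG-EXAMPLE1-RIPE
org-name:      EXAMPLE ORG
mnt-ref:       A1NX-MNT
mnt-by:        A1NX-MNT
last-modified: 2021-07-15T14:52:07Z
source:        RIPE""",
    """organisation:  ORG-EXAMPLE1-RIPE
org-name:      EXAMPLE ORG
mnt-ref:       A1NX-MNT
mnt-ref:       SBMT
mnt-by:        A1NX-MNT
last-modified: 2021-07-15T14:59:56Z
source:        RIPE""",
    """organisation:  ORG-EXAMPLE1-RIPE
org-name:      EXAMPLE ORG
mnt-ref:       A1NX-MNT
mnt-ref:       VPLAB-MNT
mnt-by:        A1NX-MNT
last-modified: 2021-11-17T12:52:24Z
source:        RIPE""",
    """organisation:  ORG-EXAMPLE1-RIPE
org-name:      EXAMPLE ORG
mnt-ref:       A1NX-MNT
mnt-ref:       SBMT
mnt-ref:       CLOUDIE-MNT
mnt-ref:       VPLAB-MNT
mnt-by:        A1NX-MNT
last-modified: 2023-06-29T19:18:03Z
source:        RIPE""",
]

# One RPSL attribute line: "name:" followed by a value (values may contain ':').
ATTR_RE = re.compile(r"^([a-z0-9-]+):\s*(.*?)\s*$")


def parse_rpsl(text):
    """Parse one RPSL object into {attribute: [values]}.

    Repeated attributes such as mnt-ref are kept as a list, in order.
    """
    obj = defaultdict(list)
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            obj[m.group(1)].append(m.group(2))
    return dict(obj)


def mnt_ref_timeline(versions):
    """Return [(last_modified, set_of_mnt_ref)] sorted by timestamp."""
    out = []
    for text in versions:
        obj = parse_rpsl(text)
        ts = obj.get("last-modified", [""])[0]
        out.append((ts, set(obj.get("mnt-ref", []))))
    return sorted(out)


def mnt_ref_changes(versions):
    """Diff consecutive versions: (timestamp, maintainers added, maintainers removed)."""
    timeline = mnt_ref_timeline(versions)
    changes = []
    for (_, prev), (ts, cur) in zip(timeline, timeline[1:]):
        changes.append((ts, sorted(cur - prev), sorted(prev - cur)))
    return changes


def ever_referenced_by(versions):
    """Every maintainer that at any point was allowed to reference the object."""
    return sorted(set().union(*(refs for _, refs in mnt_ref_timeline(versions))))


if __name__ == "__main__":
    for ts, added, removed in mnt_ref_changes(HISTORY):
        print(f"{ts}  +{added}  -{removed}")
    print("ever referenced by:", ever_referenced_by(HISTORY))
```

Run against real history, the input would be the successive object versions returned by the RIPE Database history lookup for the organisation; the diff then reads as a timeline of which resellers and proxy operators were granted the right to hang allocations off the organisation, which is exactly the question the text answers for A1NX.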

The IPv6 setup

After a few days of investigation, we managed to trace several large pools of IPv6 addresses operated by A1NX and find where those addresses were leased from.

Several of those networks are associated with an entity named “White Solutions”.

Prefix                 Upstream                 Provider
2a0e:97c0:4a0::/44     AS59426 INTEXON          SecureBit (Allocated by LIR)
2a0e:97c0:290::/44     AS51082 A1NX             SecureBit (Allocated by LIR)
2a0b:3c40:10::/48      AS1239 Sprint            Access2.IT Group B.V. Hostio Solutions
2602:fd92:150::/44     AS51082 A1NX             WhiteSolutions (C09394145)
2602:fd92:b00::/44     AS51082 A1NX             WhiteSolutions (C09394145)
2602:fd92::/36         AS174 Cogent             Cogent
2604:1740::/32         AS51082 A1NX             Heymman Servers Corporation
2606:f280::/32         AS51082 A1NX             Heymman Servers Corporation
2a0a:1f46::/32         AS51082 A1NX             Heymman Servers Corporation
2a0a:6040:5f00::/40    AS60301 Cyberri.ca       Cloudie allocation for Cyberri Technologies Inc
                       AS175 Cogent (*)         Cogent

IPv6 allocations associated with HostCram LLC and White Solutions

White Solutions (White Proxies) – a ghost company

This initial finding not only revealed that a large part of the IPv6 subnets operated by A1NX/HostCram LLC were associated with the obscure entity “White Solutions”, but also that the prefixes (currently advertised via US upstream providers such as Cogent or Sprint Communications) were using fake geolocation.

Furthermore, we discovered that providers like Access2.IT in the Netherlands, which leased out the prefix 2a0b:3c40:10::/48, also created fake geolocation entries on behalf of White Solutions.

Website of WhiteSolutions – a one-page site.

Access2.IT was not the only provider engaged in leasing IPv6 space and faking its geolocation. Swiss provider SecureBit created the inet6num object that advertises the fake geofeed for 2a0e:97c0:290::/44, hosted on White Solutions’ one-page website.

inet6num: 2a0e:97c0:290::/44
netname: WhiteSolutions
descr: WhiteSolutions
country: EU
geofeed: https://whitesolutions.org/geofeed.csv
org: ORG-ANEL1-RIPE
admin-c: SBAC-RIPE
tech-c: SBTC-RIPE
status: ALLOCATED-BY-LIR
mnt-by: SBMT
mnt-lower: SBMT               <-- SecureBit Allocation to "White Solutions"
mnt-routes: A1NX-MNT
mnt-domains: SBMT
created: 2021-03-18T21:04:28Z
last-modified: 2023-03-28T23:38:22Z
source: RIPE
Content of White Solutions website.

Network Resources of US based company White Solutions.

It is our understanding that the White Solutions website is used by A1NX to populate bogus geolocations for several large pools of IPv6 addresses.
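The geofeed attribute in the inet6num object above points at a CSV file in the RFC 8805 format (prefix, country, region, city, postal code), and the earlier observation that a single /40 “shows subnets present in almost every single country” is the kind of thing that can be checked mechanically: a geofeed for one allocation that claims dozens of countries is far more likely to be fabricated than to reflect where the addresses are actually used. The following Python script is an added example, not Qurium’s tooling and not the real whitesolutions.org feed: it parses a geofeed, groups the entries under the parent prefixes you care about, and flags any parent whose entries claim more countries than a threshold. The feed contents, the 2001:db8::/32 control prefix and the threshold of three countries are all constructed for the example.

```python
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed RFC 8805 geofeed: "prefix,country,region,city,postal".
# The 2602:fd92:b00::/40 parent is taken from the text; the entries under it
# are made up to show a feed that scatters one allocation over ten countries.
# 2001:db8::/32 is documentation space used here as a plausible-looking control.
SAMPLE_GEOFEED = """\
# constructed sample feed, not a real one
2602:fd92:b00::/48,US,US-NY,New York,
2602:fd92:b01::/48,DE,DE-BE,Berlin,
2602:fd92:b02::/48,JP,JP-13,Tokyo,
2602:fd92:b03::/48,BR,BR-SP,Sao Paulo,
2602:fd92:b04::/48,NG,,Lagos,
2602:fd92:b05::/48,AU,AU-NSW,Sydney,
2602:fd92:b06::/48,IN,IN-MH,Mumbai,
2602:fd92:b07::/48,FR,FR-IDF,Paris,
2602:fd92:b08::/48,CA,CA-ON,Toronto,
2602:fd92:b09::/48,ZA,,Johannesburg,
2001:db8:1::/48,NL,NL-NH,Amsterdam,
2001:db8:2::/48,NL,NL-NH,Amsterdam,
not-a-prefix,XX,,,
"""


def parse_geofeed(text):
    """Yield (network, country) from geofeed CSV text, skipping comments and bad rows."""
    for row in csv.reader(StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(row[0].strip(), strict=False)
        except ValueError:
            continue  # malformed prefix: ignore rather than abort the whole feed
        country = row[1].strip().upper() if len(row) > 1 else ""
        yield net, country


def countries_per_parent(text, parents):
    """Map each parent prefix (as string) to the set of countries its geofeed entries claim."""
    parent_nets = [ipaddress.ip_network(p) for p in parents]
    seen = defaultdict(set)
    for net, country in parse_geofeed(text):
        if not country:
            continue
        for parent in parent_nets:
            # subnet_of() only accepts networks of the same IP version
            if net.version == parent.version and net.subnet_of(parent):
                seen[str(parent)].add(country)
    return {str(p): seen.get(str(p), set()) for p in parent_nets}


def suspicious_parents(text, parents, max_countries=3):
    """Parents whose entries claim more than max_countries distinct countries.

    The threshold is an assumption for the example; a real allocation to a
    single operator rarely spans more than a handful of countries.
    """
    per_parent = countries_per_parent(text, parents)
    return sorted(p for p, cs in per_parent.items() if len(cs) > max_countries)


if __name__ == "__main__":
    parents = ["2602:fd92:b00::/40", "2001:db8::/32"]
    for parent, countries in countries_per_parent(SAMPLE_GEOFEED, parents).items():
        print(f"{parent}: {len(countries)} countries {sorted(countries)}")
    print("suspicious:", suspicious_parents(SAMPLE_GEOFEED, parents))
```

In practice the input would be the file fetched from the URL in the geofeed attribute, and the parent prefixes would be the allocations taken from the inet6num objects; the output is a shortlist of allocations whose claimed geography deserves a second look rather than a verdict.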

What is White Solutions?

Several clues in the A1NX/HostCram LLC setup helped us to identify the proxy provider that sourced the denial of service attacks:

  • A proxy service was found at IP address 166.0.205{.}2 (Ports 27007 to 27011) that returned the string: white-250
  • The domain whitesolutions.org was used to advertise the geo-location of IPv6 addresses.
  • The domain whitereseller.host resolved to whitesolutions.org
  • The domain resi-v4.whiteproxies.com pointed to 166.0.205{.}2 hosted by A1NX/HostCram LLC.
  • The domain resi-v4.whiteproxies.com points to 23.150.72{.}2 hosted by A1NX/HostCram LLC.
  • The domain p.whiteproxies.com points to 195.26.7{.}10 hosted at Access2.IT Group B.V.
  • Access2.IT Group B.V. provided IPv6 addresses to White Solutions and faked their geolocation
  • A1NX/HostCram LLC runs a direct peering with AS212027 where p-sa.whiteproxies.com is hosted at 45.143.196{.}66

These traces of evidence strongly suggest that A1NX/HostCram LLC acts as an infrastructure provider of White Proxies (Solutions), with Access2.IT Group B.V. as one of the key providers leasing IPv6 space to the proxy service provider.

The discord group of White Proxy Solutions was renamed to White Proxies.

Another piece of evidence was found in a promotional video of White Proxies where the IP address 2a0b:3c40:10:1981:c142:4cd1:c524:37e4 can be seen. The address is part of the IPv6 prefix 2a0b:3c40:10::/48 of Access2.IT Group B.V.

The promotional video explains how to use White Proxies to create multiple Spotify accounts.

A Howto video for creating multiple Spotify accounts using WhiteProxy’s proxy infrastructure.

Where is the infrastructure of White Proxies located?

A list of White Proxies (Solutions) infrastructure includes OVH, PebbleHost, Access2.IT, A1NX and Cogent Communications.

4g.whiteproxies.com.      54.39.132{.}114 OVH
p-sa.whiteproxies.com.    45.143.196{.}66 PebbleHost
p.whiteproxies.com.       195.26.7{.}10 Access2.IT Network
resi-v4.whiteproxies.com. 166.0.205{.}2 A1NX-> ISTQSERVERS-AS
resi-v4.whiteproxies.com. 23.150.72{.}2 A1NX
resi-v4.whiteproxies.com. 54.39.132{.}114 OVH
v4.whiteproxies.com.      54.39.132{.}114 OVH
v6v2.whiteproxies.com.    23.237.118{.}66 Cogent Communications

The IPv4 setup with VPLAB

Apart from leasing IPv4 space from IPXO, A1NX also obtained IP addresses from VPLAB in the past.

But who is VPLAB?

According to the company records in the UK, VPLAB (13576060) has been registered in the name of Aleksei Sysoev (Israel, 10/1981) since 2021-08-20. The company was originally registered in the name of Miss Betty Samia Mougal, a citizen of the Seychelles, until 2023-05-19, when the accounts were not filed.

According to the same records, Aleksei Sysoev’s contact address is one of the world’s “dodgiest addresses”, suite 2B on the second floor of 175 Darkes Lane, in Potters Bar, Hertfordshire. The 2B suite is the official home of more than 1,000 UK-registered companies, many of them set up for money laundering.

VPLAB is known to run the proxy service proxy007. To obtain large pools of IP addresses from RIPE, VPLAB registered a total of 23 LIRs during the period of a few months in 2021-2022.

lir-ru-chistakoval-1-MNT     2022-01-27T13:49:31Z
lir-ru-chistakovalud-1-MNT   2022-02-21T07:49:01Z
lir-ru-seapp-1-MNT           2022-01-27T15:13:30Z
lir-ru-seagg-1-MNT           2022-02-04T07:56:20Z
lir-ru-sysoev-1-MNT          2022-01-24T09:55:06Z
lir-ru-sysnikita-1-MNT       2022-02-04T07:53:46Z
lir-ru-siuge-1-MNT           2021-08-19T12:15:31Z
lir-ru-siugg-1-MNT           2022-02-10T09:51:36Z
lir-ru-siuru-1-MNT           2021-09-01T14:04:32Z
lir-uk-vplabuk-1-MNT         2021-09-17T08:48:14Z
lir-uk-vplab-1-MNT           2021-09-24T05:52:49Z
lir-uk-vplabltd-1-MNT        2021-10-01T12:38:18Z
lir-uk-vplabll-1-MNT         2021-10-12T08:05:12Z
lir-uk-vplabwww-1-MNT        2021-11-04T13:40:18Z
lir-uk-vplabht-1-MNT         2021-11-10T13:45:59Z
lir-uk-vplabmn-1-MNT         2021-11-15T11:07:21Z
lir-uk-vplabcc-1-MNT         2022-01-26T16:27:54Z
lir-uk-vplabgk-1-MNT         2022-01-31T07:49:06Z
lir-uk-vplabus-1-MNT         2022-02-09T08:30:45Z
lir-uk-vplaboo-1-MNT         2022-02-14T11:36:44Z
lir-uk-vplabee-1-MNT         2022-02-17T10:19:41Z
lir-uk-vplabln-1-MNT         2022-02-23T09:19:48Z
lir-uk-vplabdd-1-MNT         2022-02-28T11:10:36Z

For those investigating the role of proxies in denial of service attacks, it is worth checking where the IP space from VPLAB is currently advertised. Interestingly enough, several of these ASNs are known to host several proxy providers. In the past two years, we have recorded dozens of denial of service attacks originating from several of these upstream providers.

14576 HOSTING-SOLUTIONS, US (king-servers, infantica)
200019 AlexHost ALEXHOST SRL, MD (fineproxy, trafficsolutions)
207713 GIR-AS GLOBAL INTERNET SOLUTIONS LLC, RU
26042 FIBERSTATE, US
35913 DEDIPATH-LLC, US
44477 STARK-INDUSTRIES STARK INDUSTRIES SOLUTIONS LTD, GB (aka. PQ.hosting)
51765 CREANOVA-AS Oy Crea Nova Hosting Solution Ltd, FI (fineproxy, trafficsolutions)
53356 FREE RANGE CLOUD, CA
62005 BV-EU-AS BlueVPS OU, EE
62240 Clouvider Clouvider Limited, GB (vpnconsumer, expressvpn)
16276 OVH OVH SAS, FR
174 COGENT-174, US

Several companies, tens of thousands of IP addresses

In Russia, the following companies have been registered in the name of Sysoev Aleksey Anatolevich and business partner Sysoeva Irina Yurevna: ООО “ПЕРВЫЙ ЦОД”, ООО “ВВТ”, ООО “ПАТИ-ХОЛЛ” and ООО “ВМАГЕ”.

All these entities have been used to obtain IP space that is later on managed by VPLAB LTD to operate proxy007.

Heymman Servers – Oxylabs

One of the providers of IPv6 space to HostCram LLC is Heymman Servers, a Canadian registered hosting provider that has been providing access to bare metal servers in the Wholesale Internet datacenter and Joe’s Datacenter in Kansas since 2017. In the past years, Heymman Servers seems to have expanded its business by obtaining IP space from ARIN and RIPE that has later been leased to Code200 UAB, one of the legal entities used by proxy provider Oxylabs.

Heymman Servers also has close business relationships with Hostigger Inc (ngdatacenter{.}com), a Delaware company that runs services from Turkey. Hostigger/Hostiger runs several rogue hosting providers: greyhosting{.}net, rackdedicated{.}com, servermaxi{.}com, dedicatedloop{.}com and zerodedicated{.}com.

organisation: ORG-FDLT7-RIPE
org-name: Francis de Lasalle trading as Heymman Servers
org-type: LIR
address: 1353-3 rue Magellan
address: J1N 1V3
address: Sherbrooke
address: CANADA
e-mail: ripe-lir-7@heymman.com
admin-c: FDL270-RIPE
tech-c: FDL270-RIPE
abuse-c: AR44067-RIPE
mnt-ref: ca-heymman-7-1-mnt
mnt-by: RIPE-NCC-HM-MNT
mnt-by: ca-heymman-7-1-mnt
created: 2017-11-30T09:19:13Z
last-modified: 2017-11-30T09:19:16Z
source: RIPE
phone: +1 438 495 6967

The response to our abuse complaints

To investigate the attacks we reached out to all involved parties. Their response and actions are summarized below.

The Proxy provider

White Proxies / White Solutions: The residential proxy provider

White Proxies answered that they fully regretted that their infrastructure was used to conduct DDoS attacks and that they were willing to implement mechanisms so the events would not happen again. When asked for a point of contact for their business or their legal status, they stopped communicating.

The Infrastructure Supplier (hosting provider)

A1NX/HostCram (BD): The hosting and IP network supplier of White Proxies.

Shakib Khan, director of HostCram and A1NX, is very outspoken about his business model of providing IP infrastructure to proxy providers. Mr. Khan confirmed that he is no longer in business with VPLAB and that he could not share information about his other proxy customers.

On 12 October 2023, the prefix 166.0.205.0/24 that was involved in the attacks was no longer announced by A1NX but had been transferred to ISTQSERVERS-AS/AS211826. Soon after, the White Proxies service was reestablished in Mr. Khan’s infrastructure using the prefix 23.150.72{.}0/24.

The IPv4 and IPv6 space suppliers

IPXO (UK): The leasing service provider of IPv4 space to A1NX

On 9 October 2023, we reached out to IPXO to report that one of their leased prefixes (166.0.205.0/24) had been used in denial of service attacks. To our surprise, the network prefix involved in the abuse case was leased out to another customer days after our report. When asked what action they would take against those conducting denial of service, IPXO answered that they would inform their client so they could suspend the attacker.

Access2.IT (NL) : A leasing service provider of IPv6 space to White Proxies

Joeri F. and Marcel J. from Access2.IT were contacted several times to report that leased IPv6 prefixes allocated to A1NX were associated with infrastructure conducting denial of service attacks, and that Access2.IT had created the database network objects with bogus geolocation.

Access2.IT claimed that, as they had received several reports of malicious activity from the leased subnets, they had suspended the client. On 23 October, Access2.IT was informed that the server p.whiteproxies.com, used to provide access to the White Proxies service, had been hosted in their infrastructure for months. Access2.IT did not respond.

SecureBit (CH): A leasing service provider of IPv6 space to White Proxies

Kevin B. from SecureBit was contacted to inform him that IPv6 allocations in the name of “White Solutions” had been created by SecureBit. We did not receive any concrete response to our concerns, and our mails were blocked, preventing us from reporting future abuse cases.

Cloudie (AU): A leasing service provider of IPv6 space to White Proxies

We mailed the abuse address of Cloudie to ask for an explanation of this route object, in which A1NX is listed as a maintainer. No answer has been received (6 Nov 2023).

    route6:         2a0a:6040:5f00::/40
    origin:         AS60301
    mnt-by:         CLOUDIE-MNT
    mnt-by:         A1NX-MNT
    created:        2023-07-03T22:25:07Z
    last-modified:  2023-07-03T22:25:07Z
    source:         RIPE 

Heymman Servers (CA): A leasing service provider of IPv6 space to White Proxies

We exchanged several mails with Francis D.L. from Heymman Servers, who stated that he had just leased out IPv6 prefixes to A1NX and suggested that, if blocking of malicious activity was needed, the case should be forwarded to his upstream provider Psychz Networks.

Conclusion

The result of our investigation strongly suggests that “White Proxies/White Solutions”, a proxy provider hosted in A1NX infrastructure, was part of the denial of service attacks that targeted several Hungarian media and IPI in September 2023.

Actors benefiting from White Proxies service include:

  • A1NX, which operates both an IPv4 and an IPv6 infrastructure leasing IP space to proxy providers and also engages in faking their geolocation so as to build a global proxy network that can be weaponized to conduct denial of service attacks.
  • Providers of IPv6 space to A1NX, such as SecureBit (CH), Access2.IT (NL), Cloudie (AU) and Heymman Servers (CA), which, although informed of such practices, have taken no action against “White Proxies”.
  • Providers of IPv4 space to A1NX, such as IPXO (UK), which, although informed of our investigation, leased out the prefix involved in the attacks to a new customer just a few days after our abuse report.

Despite our multiple attempts to obtain the legal name and contact details of the proxy service “White Proxies/White Solutions” from the different infrastructure providers involved in the case, each of them refused to disclose it.

Intermediaries in the proxy industry benefit financially from protecting their clients from abuse reporting. While these intermediaries let their clients operate their malicious activities, such as DDoS attacks, in their networks or by using their IP space, they are accomplices to the crime.

Trivia

The attacker wanted to leave a message for the victim, a way to sign his “masterpiece”. This was done by including a specific string in the requests that formed the DDoS attack. In that way, the attack was “signed” with the attacker’s “tags”.

The tags included the word “Hano” in combination with other words. One example is “HanoHatesU”.
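A tag like this is useful to the defender as well as to the attacker: once it is known, the flood can be separated from legitimate traffic in the web server logs and attributed per source address, which is the evidence that goes into an abuse report to the proxy and hosting providers named above. The following Python script is an added example, not Qurium’s tooling: it parses combined-format access log lines and reports the requests carrying the tag, grouped by source IP. The log lines are constructed for the example (documentation addresses, made-up paths and user agents), and the assumption that the tag may appear in the request line, the referer or the user agent is the example’s own; the text only says the string was included in the requests.

```python
import re
from collections import Counter

# Constructed combined-format access log lines. Addresses are from the
# documentation ranges and none of these lines are real traffic from the attacks.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Sep/2023:10:00:01 +0000] "GET /?HanoHatesU HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [08/Sep/2023:10:00:01 +0000] "GET /news/ HTTP/1.1" 200 5120 "-" "HanoWasHere"
198.51.100.7 - - [08/Sep/2023:10:00:02 +0000] "GET /news/article-1 HTTP/1.1" 200 8300 "https://example.org/" "Mozilla/5.0"
203.0.113.12 - - [08/Sep/2023:10:00:02 +0000] "GET /?hanohatesu HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.10 - - [08/Sep/2023:10:00:03 +0000] "GET /?HanoHatesU HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [08/Sep/2023:10:00:03 +0000] "POST /search HTTP/1.1" 200 120 "-" "Mozilla/5.0"
this line is not an access log entry
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_access_log(text):
    """Yield one dict per well-formed log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def tagged_requests(text, tag="Hano"):
    """Entries whose request line, referer or user agent contains the tag (case-insensitive).

    Matching in all three fields is an assumption of the example: the text only
    says the tag was included "in the requests".
    """
    needle = tag.lower()
    hits = []
    for entry in parse_access_log(text):
        haystack = " ".join((entry["req"], entry["ref"], entry["ua"])).lower()
        if needle in haystack:
            hits.append(entry)
    return hits


def tagged_sources(text, tag="Hano"):
    """Count tagged requests per source IP: the per-address evidence for an abuse report."""
    return Counter(entry["ip"] for entry in tagged_requests(text, tag))


if __name__ == "__main__":
    for ip, count in tagged_sources(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} tagged requests")
```

The per-IP counts are then joined with whois/RIR data (as in the inet6num and route objects earlier in the report) to work out which prefix reseller and hosting provider each source belongs to, which is what turns a log file into the stack of providers shown at the top of the page.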