Proxy providers weaponized to launch denial of service attack against Rappler


On 30 October 2023 (10:51 UTC), the Philippine news site Rappler received more than 40 million requests to its home page in less than one hour. Rappler is the Philippines’ leading digital media company, driven by uncompromising journalism and founded in 2012 by 2021 Nobel Peace Prize laureate Maria Ressa.

The goal of this investigation was to determine which infrastructure had been used to conduct the attacks against Rappler. The investigation was carried out by processing 90GB of access log data shared by the victim. The traces led us directly to two well-known actors in the lucrative and shady proxy industry, FineProxy and RayoByte.

The report focuses on exposing unique details of FineProxy, a proxy infrastructure that has been involved in numerous DDoS attacks against Qurium-hosted organizations and that has been the subject of our investigations for several years.

RayoByte and FineProxy provide proxy services for web scraping and automation, and both infrastructures are currently part of a pay-as-you-go DDoS service.

Both actors show little interest in solving the problem that DDoS attacks are sourced from their proxy infrastructure. Instead, they have offered to block traffic from their service towards Qurium’s hosted organizations (while anyone else may be DDoSed at any time) as a way to discourage us from continuing to investigate them.

FineProxy has also offered Qurium the name of the client that conducts DDoS attacks from their infrastructure, on the condition that Qurium takes down all forensic reports mentioning their name.


Proxy infrastructure used to conduct attacks

The first flood started at 10:51 UTC and lasted one minute. During the first minute of the attack, 20,000 requests/second were sent to the website. After that first attempt, at least six more distinct attacks were launched within the following hour. At peak, the DDoS attack reached 250,000 requests/second when, in just two minutes, close to 26 million requests were sent to the website.

Left: Traffic peaks during the DDoS attack against Rappler.
Right: Attack traffic originating in the data center infrastructure of two proxy providers.

In order to break down the analysis, we classified each of the IP addresses that flooded the website based on its traffic speed and infrastructure location. Although the majority of the requests were coming from residential or mobile connections, we could identify that 10% of the IP addresses originated from data centers.

Next, we selected the attack traffic at peak time (11:29-11:30) and sampled the data in one-second periods. The analysis allowed us to see the distinct autonomous systems involved in the DDoS attack and how the floods switched from AS397630 (BlazingSEO) to AS55286 (Server-Mania) after 30 seconds.
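The per-second breakdown described above, as an added example (not Qurium’s own tooling): it parses combined-format access log lines, buckets requests per second, attributes each source IP to an autonomous system and reports which ASN dominates each second, plus the share of source IPs sitting in data center networks. The log lines and the IP-to-ASN map are constructed for illustration; a real run would resolve ASNs from a BGP or whois source.

```python
"""Per-second breakdown of flood traffic by autonomous system (ASN).
Added example, not Qurium's tooling; log lines and the IP->ASN map are constructed.
A real run would resolve ASNs with a BGP/whois source (e.g. pyasn or a MaxMind ASN DB)."""
from collections import Counter, defaultdict
import re

# Constructed Apache/nginx combined-format lines (documentation IP ranges, not Rappler data).
SAMPLE_LOG = """\
203.0.113.10 - - [30/Oct/2023:11:29:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Oct/2023:11:29:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [30/Oct/2023:11:29:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2023:11:29:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Oct/2023:11:29:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Oct/2023:11:29:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [30/Oct/2023:11:29:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [30/Oct/2023:11:29:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.5 - - [30/Oct/2023:11:29:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Constructed IP -> (ASN, network type); 64496 is a documentation ASN.
IP_TO_ASN = {
    "203.0.113.10": (397630, "datacenter"), "203.0.113.11": (397630, "datacenter"),
    "198.51.100.7": (55286, "datacenter"), "198.51.100.8": (55286, "datacenter"),
    "192.0.2.5": (64496, "residential"),
}

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')

def parse(log_text):
    """Yield (ip, timestamp-to-the-second, request line) per parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2).split()[0], m.group(3)

def per_second_by_asn(log_text):
    """One-second buckets -> Counter of requests per ASN (0 = unknown)."""
    buckets = defaultdict(Counter)
    for ip, ts, _ in parse(log_text):
        buckets[ts][IP_TO_ASN.get(ip, (0, "unknown"))[0]] += 1
    return dict(buckets)

def dominant_asn_per_second(log_text):
    """ASN sending the most requests in each second; exposes rotation between ASNs."""
    return {ts: c.most_common(1)[0][0] for ts, c in per_second_by_asn(log_text).items()}

def datacenter_share(log_text):
    """Fraction of distinct source IPs that sit in data center networks."""
    ips = {ip for ip, _, _ in parse(log_text)}
    dc = sum(IP_TO_ASN.get(ip, (0, "unknown"))[1] == "datacenter" for ip in ips)
    return dc / len(ips) if ips else 0.0
```

On the constructed sample the dominant ASN flips from 397630 in the first second to 55286 in the next, which is the rotation pattern the report describes.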

Attack traffic rotating between ASNs

The following table summarizes our findings:

Autonomous System | Name                              | Ownership/founder                         | Role                    | Proxy Provider
35624             | Silverstar Invest Limited         | Alexei Filippenko, Ilya Trusov Igorevych  | Partner and IP Provider | Fineproxy
35830             | BTT Group Finance                 | Alexei Filippenko, Ilya Trusov Igorevych  | Partner and IP Provider | Fineproxy
51765             | Oy Crea Nova Hosting Solution Ltd | Niko Viskari, Ilya V Kudryavtsev          | Hosting Provider        | Fineproxy
26548             | PUREVOLTAGE-INC                   | Jake Terepocki                            | Hosting Provider        | Fineproxy
14576             | HOSTING-SOLUTIONS (EE)            | Kingservers – Infantica, Vladimir Fomenko | Hosting Provider        | Fineproxy
54252             | SP-NYJ                            | Neil Emeigh                               | Proxy Provider          | RayoByte
55081             | 24SHELLS                          | Tushit Shah                               | Partner                 | RayoByte
397630            | AS-BLAZINGSEO                     | Neil Emeigh                               | Proxy Provider          | RayoByte
55286             | SERVER-MANIA                      | Kevin Blanchard                           | Partner                 | RayoByte

Proxy providers attempt to silence the whistleblower

Qurium’s investigation has identified two proxy providers that are likely part of a pay-as-you-go service designed to conduct denial of service attacks: Rayobyte/Sprious LLC (US) and Fineproxy/Quality Network (RU, EE, US).

Both proxy providers have been approached several times by Qurium to inform them that a DDoS service operates within their infrastructure. Despite our reports, neither provider has managed to stop the use of its proxy service to conduct denial of service attacks. As a way to “mitigate the problem”, both Rayobyte and Fineproxy have asked Qurium to provide a list of our hosted organizations so they can ensure that these will not become victims of DDoS again in the future. Clever, isn’t it? If Qurium’s clients are no longer victims, there will be no more forensic reports revealing their malicious practices!

FineProxy even went one step further to silence Qurium. In an email exchange with Ilya Trusov, CEO of FineProxy, in late October 2023, we were offered the name of the customer responsible for the DDoS attacks. The condition for receiving the customer’s information was to remove all articles about their proxy service from Qurium’s website.

Let’s take a closer look at FineProxy and RayoByte.

PROXY PROVIDER 1: FINEPROXY

FineProxy is a Russian proxy provider founded in Kaluga and specialized in providing SEO services, including click fraud, web scraping and the automated creation and management of social media accounts (aka bots). Some of the tools supported by their proxy service include XseoN, Xrumer, UBot, ScrapeBox, Gscraper, GSA SER, Socialhammer and ZennoPoster.

FineProxy has been in operation since at least 2011 via the Russian company Region40. Since 2018, Qurium has mitigated and documented dozens of denial of service attacks launched from FineProxy’s infrastructure.

The following section takes a deep dive into the history of FineProxy and its allies. Keep an eye on the timeline below to follow the story.

The origins of Fineproxy

The origins of FineProxy can be traced back to 2009 and itservices{.}su, an online business specialized in SEO hosting where Ilya Trusov Igorevych (iluxa85), one of the founders of FineProxy, started his career. In those days, Ilya was selling proxies under the name “proxyelite.ru” with the help of Ivan Lukichev in the searchengines.guru forums.

Website of IT Services. The site is using the .su TLD, designated for the Union of Soviet Socialist Republics (USSR).

The proxy business started in Kaluga (Russia) under the legal setup of Region40 LLC back in 2011. At that time, Fineproxy operated their proxy services from the data center Depo40 (Depo Data Center) using third party providers such as Atomhost (UA) or Petersburg Internet Network (RU).

According to registration information, Region40 LLC is run by:

  • Ilya Trusov (18-3-1995)
  • Dmitry Masyutin
  • Philip Petukhov
  • Vladimir Izvekov
  • Alexey Filippenko

Region40 LLC combined the skills of Alexei Filippenko, who worked building physical infrastructure and fiber networks, with the know-how of Trusov and Lukichev, who had experience with SEO services and the use of proxies.

Taking advantage of Ivan Lukichev moving to Thailand, FineProxy started to forward Paypal payments for their proxy services overseas.

From Russia to Europe

By 2016, Region40 LLC and Depo Data Center (Depo40) had been flagged as a bulletproof proxy provider by the threat intelligence community and their networks were listed in all the spam databases.

To shake off the bad reputation that had become a burden to their proxy service (Fine Proxy), they re-branded their business to gain distance from the Russian Region40 LLC and their shady Depo40 Data Center.

Region40 continued its infrastructure building business in the Kaluga region, rebranded as “HiNet” (ООО ХАЙНЕТ), but the proxy service (FineProxy) was moved outside of Russia. Ilya Trusov set up Quality Network in Estonia and moved the proxy infrastructure, which until then had been running mainly in Russia and Ukraine, inside Europe.

To scale up and expand the proxy service, two things were needed:

  • more IP networks to scale up the proxy service
  • access to a data center to announce the prefixes

Obtaining IP space via IP harvesting

To obtain new IP networks, Ilya (iluxa85) started by registering several companies in Estonia and used them to obtain new fresh networks from RIPE.

Ilia Trusov’s company registrations in Estonia.

Meanwhile, Trusov’s business partner Alexei Filippenko registered dozens of companies in the United Kingdom, the United States and South Africa to gain access to the different regional registries:

Traffic Transit Solution LLC registered in Wyoming by Ilia Trusov in 2020
Company                          | Country | Registrar | Owner
Traffic Transit Solutions LLC    | US      | ARIN      | Alexei Filippenko
Fine Group Servers Solutions LLC | US      | ARIN      | Alexei Filippenko
Security Servers LLC             | US      | ARIN      | Alexei Filippenko
Fast Servers                     | ZA      | AFRINIC   | Alexei Filippenko
Africa Fast CDN                  | ZA      | AFRINIC   | Alexei Filippenko
Silverstar Invest Limited        | UK      | AFRINIC   | Alexei Filippenko
Blockchain Network Solutions Ltd | UK      | AFRINIC   | Alexei Filippenko
FITZ ISP Ltd                     | UK      | AFRINIC   | Alexei Filippenko
Traffic Transit Solution LLC     | US      | ARIN      | Ilia Trusov
Quality Network OÜ               | EE      | RIPE      | Ilia Trusov
FineGroupFinance OÜ              | EE      | RIPE      | Ilia Trusov
FineTransit OÜ                   | EE      | RIPE      | Ilia Trusov
IPTransitEE OÜ                   | EE      | RIPE      | Ilia Trusov
CloudHost                        | RU      | RIPE      | Fast Telecom LLC
CloudVPS                         | RU      | RIPE      | Fast Telecom LLC
FastVPS                          | RU      | RIPE      | Fast Telecom LLC
FreeData                         | RU      | RIPE      | Fast Telecom LLC
IPLab                            | RU      | RIPE      | Fast Telecom LLC
IPService                        | RU      | RIPE      | Fast Telecom LLC
TrustHost LLC.                   | RU      | RIPE      | Fast Telecom LLC

Not satisfied with the new networks and hungry for more IP space, Fineproxy decided to lease IP space from Fast Telecom LLC. Fast Telecom’s founders Aleksey Bulgakov (now Alex Largman after a change of surname) and his partner Nikolaeva Ekaterina Sergeevna obtained new fresh networks by creating dozens of LLC entities in Russia. Once the networks (IP space) were obtained from RIPE, the companies were shut down and the IP space was transferred to the mothership: Fast Telecom LLC.

Moving hosting location out of Russia

With access to thousands of IP addresses, Fineproxy partnered in Estonia with Roman Jevstafjev and Jevgeni Fanfora, who operated UGB Hosting (aka FairyHosting, Roman Hosting, Clickhost.ru), to run their networks. For that operation, Fineproxy started to trade their services using their recently registered Estonian company Quality Network OU (2015).


Faking the geo-location of their networks

For several years, Fineproxy operated the vast majority of their networks from Estonia but faced the challenge of offering a global proxy service when the bulk of their networks were all associated with one single country. Fineproxy solved the problem by faking the geolocation: they associated different country locations with each of their networks and published them in the RIPE database. Providers of geolocation services such as MaxMind trusted those “geographical declarations”, and Fineproxy sold proxies from dozens of countries while all the traffic was sourced from Narva, Estonia.
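One defender-side check for the declaration-versus-reality gap described above, as an added example (not Qurium’s tooling): parse RIPE-style RPSL inetnum objects and flag networks whose declared country disagrees with where the traffic is actually measured to come from. The RPSL text and the observed countries are constructed; in practice the observed side would come from the defender’s own RTT or traceroute measurements.

```python
"""Flag registry geolocation declarations that disagree with measured origin.
Added example, not Qurium's tooling. The RPSL text imitates RIPE inetnum objects and
the observed countries stand in for the defender's own measurements (e.g. RTT/traceroute)."""

# Constructed RIPE-style inetnum objects using documentation ranges (not real registry data).
RPSL_TEXT = """\
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET-1
country:        BR
geoloc:         -23.55 -46.63
org:            ORG-EX1-RIPE
source:         RIPE

inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET-2
country:        EE
org:            ORG-EX1-RIPE
source:         RIPE
"""

# Constructed measurement results: country the traffic actually appears to come from.
OBSERVED_COUNTRY = {
    "203.0.113.0 - 203.0.113.255": "EE",
    "198.51.100.0 - 198.51.100.255": "EE",
}

def parse_rpsl(text):
    """Parse RPSL 'attribute: value' objects; a blank line ends an object."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects

def geoloc_mismatches(text, observed):
    """Inetnums whose declared country differs from where traffic is observed."""
    out = []
    for obj in parse_rpsl(text):
        rng = obj.get("inetnum", [None])[0]
        declared = obj.get("country", ["?"])[0]
        seen = observed.get(rng)
        if rng and seen and declared != seen:
            out.append({"inetnum": rng, "declared": declared, "observed": seen,
                        "geoloc": obj.get("geoloc", [None])[0]})
    return out
```

The first constructed object declares Brazil (with matching coordinates in the geoloc attribute) while the traffic is measured in Estonia, so it is reported; the second is consistent and stays silent.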

Moving out of Estonia

Soon after the Russian invasion of Ukraine in February 2022, FineProxy initiated one more strategic move. To protect their assets, the Russian ownership of the companies in Estonia was transferred to the former board member Borislav Mikijelj (Montenegro) and a new legal entity, Fast Servers OU, was established. Note how the old email and web address of Quality Network were kept in the new company registration!

Fast Servers (registered in April 2022)

The operation from UGB Hosting in Narva, Estonia, was abruptly cancelled in early February 2022 and the networks were transferred to several friendly providers, including King Servers B.V. (aka Infatica), run by the Russian Vladimir Fomenko; Oy Crea Nova Hosting Solutions, run by Niko Viskari; and Jake Terepocki’s Pure Voltage.

ASN     | Country | Contact Domain                       | Contact Person
AS14576 | RU/NL   | king-servers{.}com                   | Vladimir Fomenko
AS26548 | US      | purevoltage{.}com                    | Jake Terepocki
AS35830 | US/NL   | bttgroup{.}uk                        | Alexei Filippenko
AS43444 | US/NL   | blockchainnetworksolutions.co{.}uk   | Alexei Filippenko
AS51765 | FI      | creanova{.}org                       | Niko Viskari

Moving the networks before the war started

When we followed the path that the IP networks took in early February 2022, we found that some of the networks were transferred to the Moldovan-registered AS43624 PQ HOSTING S.R.L (2) and the Dutch-registered MIRhosting BV (Andrey Nesterenko). Soon after, many of these prefixes were transferred to the US-registered AS26548 Pure Voltage.

PROXY PROVIDER 2: RAYOBYTE

Source: YouTube, Residential Proxies: Why And How Rayobyte Is Entering The Market

The second proxy provider involved in the attacks is the Nebraska-based Sprious LLC, operating the Rayobyte proxy service brand. Sprious LLC is run by Neil Emeigh, who proudly claims to operate a so-called “ethical proxy provider” with “high ethical standards”.

The attacks against Rappler.com originated from several data center proxies hosted in autonomous systems directly associated with Sprious: AS-BLAZINGSEO, SP-NYJ and AS-SPRIO.

To operate the proxy infrastructure, Rayobyte has established partnerships with other hosting and proxy providers. One of those providers is the “SEO friendly” B2 Net Solutions Inc (aka Servermania).

The story of Rayobyte is tightly connected to the background of its founder Neil Emeigh (born 1993). As a teenager, Neil gained experience in the “search engine optimization” scene, participating in forums such as the “Warrior” and “Black Hat” forums under the nicknames swords, swords12, googleboy507 and pointblank507.

In 2011, Neil could be found (video1, video2) advertising “scrapebox.com”, a multi-purpose tool capable of spamming forums, which he licensed in his mother’s name. The tool provided means to discover proxies from forums, run scheduled spam campaigns, flood sites with backlinks, etc.

The Scrapebox interface.

During this period, Neil promoted tools like “GSA Search Engine Ranker”, a tool specialized in spamming websites with backlinks to improve Google rankings. He also became an affiliate of Solid Proxies (slrhosting{.}com), a proxy service and hosting provider specialized in the use of “GSA SER” and in offering VPSs to SEOs.

To gain an online presence as an expert, Neil (swords) started the companies BanditIM LLC and Roqet Marketing LLC to promote his expertise in SEO forums such as blackhat, warrior and gsa-online.

Some of the websites run by Neil included:

  • roqetmarketing{.}com
  • scraperbandit{.}com
  • typecaptchas{.}com
  • banditim{.}com
  • scraperbandit{.}org
  • netbacklinkscheduler{.}com
  • commentbandit{.}com
  • captchabandit{.}com
  • zonbandit{.}com

Between 2012 and 2015, Neil ran BanditIM LLC while completing his B.A. studies in Computer Science at the University of Nebraska at Kearney.

Promotion of backlink service at BanditIM

After finishing university, Neil started BlazingSEO LLC, his own proxy service, and Scraping Robot, LLC, a data scraping software solution for its customers. In 2022, BlazingSEO was rebranded as Rayobyte under the new company Sprious LLC.

Neil (swords12) promoting his services in the BlackHat SEO forum.

The promise of ethical proxies

What makes Rayobyte a special actor in the field of dodgy proxy providers is its promise to be an “ethical proxy provider” and its ultimate commitment to the “highest ethical standards”.

Faking geo-location

In the recent investigation “Rayobyte infrastructure enabling DDoS attacks”, published in September 2023, Qurium and MyBroadband exposed the use of fake geolocations in networks advertised by Sprious LLC and previously leased from the IP leasing provider Cloud Innovation.

In an e-mail exchange in early October 2023, Sprious LLC denied any wrongdoing and accused Qurium of publishing incorrect information.

Evidence collected in August 2023 from the MaxMind website suggested otherwise, as we discovered dozens of fake geolocations associated with networks advertised by Rayobyte.

Similar to Fineproxy, Rayobyte has reported bogus geolocations for their networks to make their proxy service more attractive. Some of these bogus geolocations were reported in the name of Emeigh Investments LLC, EGI Hosting and Africa-on-Cloud.

Bogus geo-locations of Rayobyte’s network in MaxMind’s database.

More evidence can be found in a series of posts (2) in the Blackhat forums, where Neil, using his alias swords12, states:

We are able to get proxies from ANY country now, it just takes 1-5 weeks for geo-location databases (such as Maxmind) to update their databases to reflect these geo-location changes to the IPs.

Swords12 claiming he can obtain proxies from any location.
Swords12 explaining that they can offer proxies from ANY country as soon as MaxMind “updates” the location.

Another highlight of the “high ethical standards” can be found in the “gsa-online” forum (2) (3), where Neil explains that he provides thousands of Yahoo mail accounts with a subscription of 15 USD.

BlazingSEO selling Yahoo Accounts as extra-bonus with proxy service

The use of Sprious as a proxy provider to conduct web spam campaigns can be seen by monitoring one of the autonomous systems associated with Sprious: AS397630.

More information about RayoByte can be found in Qurium’s investigation “Rayobyte infrastructure enabling DDoS attacks” from September 2023.

Conclusions

The result of our investigation shows how two different proxy providers form part of the infrastructure of a “pay-as-you-go” denial of service service.

Both proxy providers have tampered with geolocation objects to associate their data center networks with parts of the world where they have no physical presence, in order to satisfy the requirements of their clients.

When Qurium has reported malicious behavior coming from their networks, both FineProxy and RayoByte have taken similar approaches, such as blacklisting the domain of the victim and refusing to help identify the customer behind the DDoS service.

Proxy providers such as RayoByte and FineProxy have designed their infrastructures with an almost unlimited number of connections or threads, to give their customers the ability to automate tasks such as scraping or flooding sites with backlinks at very high speeds. When the priority is to serve customers engaged in abusive SEO practices, it is no surprise that their infrastructures are also used to conduct denial of service attacks.

Sheltering and protecting users that conduct malicious activities is a way to gain trust from current and future clients that engage in unethical online businesses.

Rappler is the latest victim of FineProxy and RayoByte’s lack of business ethics and unfortunately it will not be the last.