Rayobyte infrastructure enabling DDoS attacks


– Denial of service against Somali Journalists Syndicate launched from Sprious Group’s proxy infrastructure

This forensic report is yet another example of how self-proclaimed “ethical proxy services” are used to launch large and complex DDoS attacks to silence media outlets. With large pools of valid IP addresses from all over the world, residential and data center proxies have become the de facto standard for today’s DDoS attack infrastructure.

Somali Journalists Syndicate (SJS) is an independent journalists’ trade union that speaks for journalists’ human rights. SJS was established in 2019 by Somali journalists to defend the rights of working journalists and promote press freedom.

On August 11th, the website of the Somali Journalists Syndicate was targeted by a denial-of-service attack. The attack resulted in the suspension of the hosting service agreement with HostGator (Endurance International Group) and later with A2 Hosting. In both cases, the large volume of malicious traffic affected the services of other hosted customers, and the hosting providers therefore took the website down to minimize the collateral damage.

On Thursday the 17th, the Committee to Protect Journalists introduced SJS to Qurium, and the website was quickly migrated to Qurium’s secure hosting infrastructure. A couple of hours after the migration was completed, the Denial of Service attacks started again.

Qurium’s forensic report reveals how the infrastructure of the US-based proxy provider Rayobyte is being used in denial-of-service attacks against independent media, and how little the company does to prevent or mitigate the attacks. Furthermore, the report discloses Rayobyte’s infrastructure partners and providers of IP space, and the use of fake geolocation data to fool Maxmind and other geolocation services into believing that Rayobyte’s infrastructure is globally distributed, although evidence suggests that it is mainly US-based.

No less than six of Qurium’s hosted clients have been targeted by denial-of-service attacks sourced from Rayobyte’s infrastructure. These organizations are Nacionale (Kosovo), Kloop (Kyrgyzstan), Peoples Gazette (Nigeria), Bulatlat (Philippines), Somali Journalists Syndicate (Somalia) and Turkmen News (Turkmenistan).


Application layer flood

After migrating to our infrastructure, the attack immediately resumed and continued for 24h, with only a short 2h break during the night of the 19th of August. The graph illustrates each new attack wave as it reaches our mitigation infrastructure.

The attacks were composed of thousands of requests per second forwarded to the website via a proxy service. To generate the bad traffic, the attacker used at least two traffic generators hosted at Worldstream (NL), 185.185.49{.}236 and 175.110.114{.}93, feeding a proxy service.

Instead of launching the attack directly from the traffic generators, the attacker used the proxy service Rayobyte (formerly Blazing SEO) to gain access to a large number of IP addresses. Rayobyte is a US-based proxy provider belonging to the Sprious Group, which offers web scraping, data intelligence, and hosting services.

Using Rayobyte’s residential proxy service, thousands of fresh IP addresses were leased to conduct the attack. Every new attack burst was composed of several thousand unique IP addresses, each sending just a few requests per second. By keeping the requests per second per individual IP address low, the attacker aimed to bypass any mitigation that rate-limits traffic per IP address. Since the attacker can lease thousands of addresses within short periods of time, traditional firewalls struggle: their block lists grow continuously as large numbers of new addresses are added to the flooding pool.
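To show why this evades per-IP rate limiting, and what keying the limiter on the network block does instead, here is an added example (not from the report): a constructed wave of 3,000 addresses from 30 /24 blocks, each sending 2 requests per second, replayed through the same sliding-window limiter keyed first per IP and then per /24. The addresses, the 20 req/s threshold and the burst shape are assumptions.

```python
import ipaddress
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Counts events per key inside a sliding window of `window` seconds."""

    def __init__(self, threshold, window=1.0):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # key -> timestamps still inside the window

    def hit(self, key, ts):
        """Record one request for `key` at time `ts`; True if the key now exceeds the threshold."""
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold


def prefix_key(ip, prefixlen=24):
    """Map an address to its enclosing /24 so addresses leased from one block share a counter."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def constructed_burst(n_prefixes=30, hosts_per_prefix=100, rps=2):
    """Constructed wave: 3,000 made-up addresses in 154.202.0.0/16 (a range the report names), each sending `rps` req/s."""
    reqs = []
    for p in range(n_prefixes):
        for h in range(hosts_per_prefix):
            ip = f"154.202.{p}.{h + 1}"
            reqs.extend((k / rps, ip) for k in range(rps))
    reqs.sort()
    return reqs


def tripped_keys(requests, threshold, keyfunc):
    """Replay requests through a limiter keyed by `keyfunc`; return the keys that tripped it."""
    lim = SlidingWindowLimiter(threshold)
    tripped = set()
    for ts, ip in requests:
        key = keyfunc(ip)
        if lim.hit(key, ts):
            tripped.add(key)
    return tripped
```

With a 20 req/s threshold the per-IP limiter never fires (every address stays at 2 req/s), while the per-/24 limiter flags all 30 blocks within the first second.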

Fingerprinting the proxy: Rayobyte/Sprious

During the attack, Qurium recorded millions of requests arriving at the victim. A large number of these requests came from IP addresses belonging to specific autonomous systems (AS):

  • AS-BLAZINGSEO
  • SP-NYJ
  • AS-SPRIO
  • AS-COLOCROSSING
  • SERVER-MANIA
  • 24SHELLS
  • SS-ASH
  • IPXO
  • M247

The traffic signatures, upstream providers and proxy headers strongly indicated that Rayobyte is collaborating with several partners under these autonomous systems to provide their proxy service.

AS-BLAZINGSEO

To get a sense of how many prefixes are involved in the attack, let us take a look at the traffic from Blazing SEO, the former name of Rayobyte. The graph below shows the number of networks from AS-BLAZINGSEO alone sourcing the malicious traffic. As we will discuss later in this report, many of the networks start with 154.202.x.x, addresses seized from AfriNIC via a highly questionable IP broker.

Sample of prefixes from Rayobyte / Sprious during the attack.

Mitigating the attack

A total of 20,000 IP addresses were blocked during the 24h period. A peak of 3,150 IPs/hour was recorded between 18:00 and 19:00 on the 18th of August 2023. This translates to roughly one new unique IP address joining the flood every second, on average.

IP addresses blocked over a 24h period.

IPs blocked   Date        Hour
          2   2023-08-18  11
       3302   2023-08-18  14
        526   2023-08-18  15
       1389   2023-08-18  16
       1519   2023-08-18  17
       3156   2023-08-18  18
       2122   2023-08-18  19
        486   2023-08-18  20
        342   2023-08-18  21
       2019   2023-08-18  22
       1817   2023-08-18  23
       1013   2023-08-19  00
        541   2023-08-19  01
         92   2023-08-19  02
        709   2023-08-19  05
         32   2023-08-19  06
         11   2023-08-19  07

For example, just three IPs from AS-BLAZINGSEO alone account for 60 requests/second at 00:00:00 UTC on the 19th of August.

20 requests/second from 3 IPs of AS-BLAZINGSEO

Several ASNs hosting Rayobyte proxies flooding the website

A wide network of proxy partners

During the 24h attack, Qurium blocked no less than 19,518 IP addresses that were flooding the sjsyndicate.org website. To determine the infrastructure used by the attackers, we aggregated the individual addresses into network blocks.

We extracted the most active network blocks, which together accounted for almost 50% of the total bad traffic. The majority of these 320 networks are used entirely for conducting the attacks.

We then analyzed the network allocations by looking into registration data, upstream providers, data center information and hosted services.
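The aggregation step, as an added example rather than Qurium’s own tooling: per-address request counts are summed into /24 blocks, and the largest blocks are listed until they cover half of the traffic, giving the list that registration and routing lookups then start from. The input is constructed (one /24 from the 154.202.x.x range named above plus RFC 5737 test networks); block sizes and counts are assumptions.

```python
import ipaddress
from collections import Counter


def aggregate_prefixes(ip_counts, prefixlen=24):
    """Sum per-address request counts into their enclosing /prefixlen blocks."""
    blocks = Counter()
    for ip, n in ip_counts:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        blocks[str(net)] += n
    return blocks


def top_blocks_for_share(blocks, share=0.5):
    """Largest blocks first, stopping once they cover `share` of all requests.

    Returns (block, requests, cumulative_share) rows: the short list a
    forensic analyst would then look up in registration and routing data.
    """
    total = sum(blocks.values())
    rows, cumulative = [], 0
    for block, n in blocks.most_common():
        cumulative += n
        rows.append((block, n, round(cumulative / total, 3)))
        if cumulative >= share * total:
            break
    return rows


# Constructed sample: one dense block of proxies, one busy block, two blocks of noise.
SAMPLE = (
    [(f"154.202.112.{h}", 30) for h in range(1, 201)]  # 200 hosts x 30 = 6000
    + [(f"192.0.2.{h}", 20) for h in range(1, 101)]     # 100 hosts x 20 = 2000
    + [(f"198.51.100.{h}", 1) for h in range(1, 51)]    # 50 hosts x 1 = 50
    + [(f"203.0.113.{h}", 2) for h in range(1, 26)]     # 25 hosts x 2 = 50
)

if __name__ == "__main__":
    for block, n, cum in top_blocks_for_share(aggregate_prefixes(SAMPLE)):
        print(f"{block:20} {n:6d} requests  cumulative {cum:.1%}")
```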

Our findings are summarized below:

1. The main players

The major entities involved in the attack include:

  • Rayobyte: owned by Sprious LLC with ASNs: AS-BLAZINGSEO, SP-NYJ, AS-SPRIO

and a set of partners that host their infrastructure, including:

  • Colocrossing: Rayobyte hosting at Colocrossing with ASN AS36352
  • Servermania: B2 Net Solutions Inc. and 24Shells, Inc announcing via Cogent with AS55286
  • EGIHosting: Energy Group Networks (EGI) serving infrastructure for Rayobyte/Sprious LLC
  • IPXO: Heficed routing dozens of IP blocks registered in the name of small entities and leased out to smaller businesses such as Rackdog LLC. Many of these prefixes are routed via AS19437
  • phoenixNAP: SS-ASH Secure Servers LLC
  • Emeighinvestments
  • M247: including prefixes allocated to M247 Ltd, Kazakhstan
  • Ethernet Servers Ltd

2. Rayobyte’s infrastructure partners

Thanks to a “feature” in the configuration of their squid proxy servers, the names of some of the Rayobyte partners are publicly exposed, reconfirming that the attack did in fact originate from the Rayobyte proxy service, which routes traffic via several physical infrastructures, including: asdeuk, colocrossing, crocker, heficed, m247, oneprovider, proxyserver, pubconcierge, rackdog and servermania.

3. IP space providers

A total of 71 prefixes allocated to Sprious LLC have been sourced from the infamous Hong Kong-based Larus Service of Cloud Innovation [1] [2], notorious for seizing large pools of IP space from Africa.

Many of the prefixes do not contain any abuse contact details, or the abuse contact details refer directly to Heficed-IPXO, which acts as IP broker and upstream provider for several parts of the Sprious LLC network.

Distribution of IP addresses per ASN provider during the attack.

Yet another abuse from Sprious via Rayobyte

This is not the first time that Qurium has fingerprinted and recorded attacks coming from residential proxy services such as the one offered by Sprious LLC. In March 2023, Qurium was in contact with Neil Emeigh (CEO) and Kade Baker (Security Operations Manager) at Sprious, flagging that their infrastructure was being used to conduct denial-of-service attacks against the Kosovar news site Nacionale.com.

The response from Sprious then can be summarized as follows:

  • We are sorry, we apologize
  • We are working very hard to improve our security and this is a rare case
  • We are going to block the victim of the attacks from our system
  • We are implementing some advanced technology so we can detect the launching of DDoS attacks
  • We cannot help you attribute the attacks, as the privacy of the crooks that buy our services is very important

That translates to: we got caught, we stop attacking you for now, and we continue our business.

However, a few months later we can see the very same pattern being used to conduct yet another denial-of-service attack against another target.

——– Forwarded Message ——–
Subject:     RE: Denial of service from RayoByte
Date:     Fri, 24 Mar 2023 08:21:01 -0500
From:     Kade Baker <kade.baker@sprious.com>

Dear Mr. Henrichsen,

Thank you for bringing this matter to our attention. We understand the seriousness of the situation, and as the Security Operations Manager of our company, I want to personally apologize for any inconvenience caused to you and your organization.

I assure you that we take security very seriously and are committed to improving our security posture. As you can see in our policies here <https://rayobyte.com/products/rotating-residential-ips/ethics/>, and in third-party reviews like this one <https://nyweekly.com/tech/how-rayobyte-is-bringing-consumer-data-awareness-to-the-forefront/>, we have one of the most rigorous vetting policies in the IP address space. This is a rare case where someone got through – but I recognize that that’s no excuse, and deeply apologize for the adverse effects we created for you.


Regarding the specific issue you reported, we have already blacklisted the involved domain (nacionale.com <http://nacionale.com>). We have taken the appropriate actions with the user in question, in line with our company policies and procedures for those that violate our TOS. They are no longer allowed to use our service and we have brand protection modules in place that will prevent them from future account generation.


More broadly, we are shifting from a reactive abuse report handling model to a proactive approach that includes real-time log analysis and incident management. We utilize an Elasticsearch-based log parsing tool that actively monitors our network traffic, with alerting thresholds in place to detect DDoS-level attacks. We are working on tweaking these alert thresholds to ensure that future events like what you have experienced are no longer possible from our IP space.


Unfortunately, due to privacy controls and regulations in the United States, we are not able to share any personal information of the involved user without due legal process. We understand your desire for further information and accountability; however, we must adhere to these privacy regulations.


We appreciate your understanding and your vigilance in reporting these issues. Our team will continue working to enhance our security measures and to prevent any future attacks of this nature. If you have any questions or concerns, please do not hesitate to contact us.


Sincerely,

Kade Baker

Security Operations Manager

Security | Sprious

Ethical Proxy Services, really?

Attacks against media organizations using residential proxy providers have become alarmingly common. Over the past year, Qurium has observed attacks tied to several proxy providers promoting so-called ‘ethical proxy services’.

The marketing pitch of ethically sourced proxy services is easily challenged by looking at how the service is advertised in black hat forums. In the BlackHat SEO forum, Rayobyte’s proxy services are offered to resellers as “rotating residential proxy” with no rate control. The “commitment to high ethical standards” translates to an infrastructure that is leased to cyber criminals to conduct all sorts of attacks, including denial of service.

Rayobyte is partnering with multiple hosting providers to extend its proxy network. In the post below, ServerMania proudly announces its partnership, once again invoking… high ethical standards in the server and IP industry.

ServerMania announces its collaboration with Rayobyte.

Tracing back Rayobyte proxy addresses

When analyzing hundreds of IP addresses that flooded the news site, we found three signatures that identify how malicious traffic was sourced by Rayobyte and its partners (such as asdetuk (Digital Energy Technologies – Heficed – Hivelocity), colocrossing, crocker, heficed, m247, oneprovider, proxyserver, pubconcierge, rackdog and servermania).

The signatures were the following:

  • The traffic originates from a “squid” proxy
  • The proxy service is available on ports TCP/4444 and TCP/8000
  • The proxy returns the error code “MISS from sprious”

Using Censys and Shodan, we could obtain the number of proxies with those signatures. The top 10 providers with those signatures are:
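An added example (not from the report) that applies the three signatures to a captured reply from a suspect proxy, the kind of check used when correlating a blocked address with this infrastructure. The reply text is constructed, and the assumption is that the “MISS from sprious” string appears in the X-Cache header that squid adds, alongside a Server or Via header naming squid.

```python
import re

SIGNATURE_PORTS = {4444, 8000}


def parse_response(raw):
    """Split a raw HTTP reply into (status line, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def match_signatures(port, raw):
    """Report which of the three signatures the (port, reply) pair satisfies."""
    _, headers = parse_response(raw)
    software = " ".join(headers.get(h, "") for h in ("server", "via"))
    return {
        "squid": re.search(r"\bsquid\b", software, re.I) is not None,
        "port": port in SIGNATURE_PORTS,
        "miss_from_sprious": "miss from sprious" in headers.get("x-cache", "").lower(),
    }


def is_sprious_proxy(port, raw):
    """True only when all three signatures match, as in the report's attribution."""
    return all(match_signatures(port, raw).values())


# Constructed reply of the kind an unauthenticated probe would get back from such a proxy;
# header values are assumed, not captured from the attack.
SAMPLE_REPLY = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Server: squid\r\n"
    "Via: 1.1 sprious (squid)\r\n"
    "X-Cache: MISS from sprious\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
```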

Censys report on proxies identified by the attack signatures.

Shodan report showing geographical distribution for the proxies.
Shodan report listing the top entities with same proxy signature.

Attack prefixes

The following file contains a list of 262 prefixes used in the attack with their ASNs and associated entities. The breakdown by ASN and by entity is:

Prefixes  ASN
      63  AS397630
      48  AS36352
      38  AS55286
      32  AS19437
      24  AS64267
      24  AS54252
      23  AS55081
       2  AS174
       1  AS9009

Prefixes  Entity
      63  Blazing SEO
      48  Sprious LLC
      48  ColoCrossing
      38  B2 Net Solutions Inc.
      32  SECURED SERVERS LLC
      23  24 SHELLS
       2  Cogent Communications
       1  M247

Fake location data with Cloud Innovation

71 prefixes operated by Sprious have been leased from Larus (Cloud Innovation); the prefixes come from AfriNIC.


All the addresses have Cloud Innovation as abuse contact, although the addresses are allocated to one single customer, Sprious LLC.

The networks are wrongly geolocated by Maxmind in eight different countries, while routing information strongly suggests they are advertised from US data centers (likely in Chicago and LA) via AS9009 (M247), AS19024 and AS10912 (Unitas Global).

Peering in LA: INAP-LAX-SPRIOUS-63-251-209-52

Thousands of prefixes with bogus location data

To our surprise, not only do the 71 prefixes from Sprious LLC that flooded our website have bogus geolocation data in Maxmind, but hundreds of the prefixes announced by the Sprious ASNs AS397630, AS54252 and AS64267 have wrong location data as well.

This can be seen easily using https://stat.ripe.net/ui2013/as397630, which visualizes the Maxmind location information for AS397630.

In practice this means that, while all prefixes are announced from a few locations in the USA, they appear to be located in dozens of different countries. Looking into the Maxmind data, we found indications that Emeigh Investments LLC (as organization) and Africa-on-Cloud and Multacom (as ISPs) made “manual” updates to the records in Maxmind.

The final result of the analysis shows that 28 countries are advertised and 482 prefixes have wrong location data:

Prefixes  Country
     292  United States
      82  Germany
      73  France
      63  Brazil
      62  United Kingdom
      38  Spain
      25  Italy
      21  Japan
      17
      14  Thailand
       8  Poland
       8  Canada
       6  Mexico
       5  India
       4  Netherlands
       3  Vietnam
       3  South Africa
       3  Singapore
       3  Belgium
       3  Australia
       2  Philippines
       2  Pakistan
       2  Indonesia
       1  Taiwan
       1  South Korea
       1  Hong Kong
       1  Colombia
       1  Argentina

According to Maxmind policies, “VPN or anonymizing proxy services” are not allowed to make corrections to their database. A large part of the prefixes announced by Sprious and their partners (see AS64267 as an example) operate proxy services.