Attackers Buying Own Data Centers for Botnets, Spam

The malware writers and criminals who run botnets for years have been using shared hosting platforms and so-called bulletproof hosting providers as bases of operations for their online crimes. But, as law enforcement agencies and security experts have moved to take these providers offline, the criminals have taken the next step and begun setting up their own virtual data centers.

The malware writers and criminals who run botnets for years have been using shared hosting platforms and so-called bulletproof hosting providers as bases of operations for their online crimes. But, as law enforcement agencies and security experts have moved to take these providers offline, the criminals have taken the next step and begun setting up their own virtual data centers.

IP address space allocation is handled by five regional Internet registries (RIR), each of which is responsible for a particular group of countries. The RIRs work with large enterprises, ISPs, telecoms and other organizations that need large blocks of IP space. These organizations typically have to go through an application and screening process in order to get these allocations, including providing legal documentation listing the officers of the company, its business and why the address space is needed.

And that’s the way it’s supposed to work everywhere. Applicants who can’t show a need for the IP space are told politely to take a walk. But in some cases, criminals have found a way around this by going through local Internet registries (LIR) or by taking advantage of RIRs that don’t have the resources to investigate every application as fully as they’d like.

The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they’ve taken a layer of potential problems out of the equation.

“It’s gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers,” said Alex Lanstein, senior security researcher at FireEye, an antimalware and anti-botnet vendor. “It takes one more level out of it: You own your own IP space and you’re your own ISP at that point.

“If there’s a problem, who are you going to talk to? It’s a different ball game now. These guys are buying their own data centers. These LIRs and RIRs aren’t going to push back if you say you need a /24 or /16. They’re not the Internet police,” Lanstein said.

The most famous example of this is the Russian Business Network case, in which a group of criminals was able to get a large amount of IP space by using an LIR to get an allocation from RIPE, the European RIR. The LIR gave RIPE documentation that supposedly showed a need for the allocation, and that’s as far as it went.

“It is impossible at that stage in the process for the RIPE NCC to determine that a company is involved in illegal activity. The member in question later proved to be a front for RBN,” RIPE said in a statement on the case. But the allocation was made in 2006 and it wasn’t until May 2008 that RIPE was able to close down the LIR and get the IP space back.

In most regions, a new organization requesting a large allocation will have to go through a fairly rigorous process to show the need for the address space. The RIR staff often will request a listing of each machine the organization has and may go as far as to request purchase receipts for the machines, as well, said John Curran, president and CEO of the American Registry for Internet Numbers (ARIN), which is responsible for the U.S., Canada and parts of the Caribbean.

“When you submit an application to us, once it’s been accepted you’ll get a call from our group asking to show us a list of PCs, your router configurations, maybe a network map so that wecan show the need for the IP space,” Curran said. “If you already have the PCs, what ASN numbers do they have? At this point, a lot of applicants disappear.”

Criminals subverting this process has become a major problem in some regions, particularly parts of Europe and the Caribbean, where there are dozens of jurisdictions and multiple languages, which can lead to confusion and difficulty in tracking down exactly who is doing what online, security experts say.  

“There are a lot of instances where they don’t go past the letter of justification,” Lanstein said. “There are plenty of IP allocations I can pull up and look at the domains and see that they’re total BS. U.S. data centers are much better, but in Europe there are so many languages and countries, it’s impossible for them to check everyone. And the bad guys know this.”

This set-up has become a useful tactic for the criminals running botnets and large spam and carding operations. Attackers who own their own large blocks of IP space have a much easier time hiding their activities than do criminals who have to go through legitimate ISPs or hosting providers. There’s no abuse desk to complain to, no recourse for people who find themselves being attacked by a given range of IP addresses.

“The policies for handing out IP space and verifying the people behind and application are global, they apply to all of the RIRs. But within that framework, there’s room for RIRs to set their own local policies too,” said Curran. “The bad news is, those policies are very local. How does someone verify an organization when in some regions they may only have written records and it’s a town of  2,000 people? It’s very difficult in Africa, parts of Europe, parts of the Caribbean. It’s very much the case that parts of our process are very hard to implement in other regions. Other regions have different ways of recording how a company is formed and they recognize very informal structures. The record-keeping is decentralized and it might take a while to determine who is behind a company.”

And once the IP space has been allocated, getting it back can be a long and arduous process. Criminals often will use a certain IP block for as long as it’s useful and profitable for them. But if security researchers and ISPs notice suspicious activity in a certain block, they will sometimes stop accepting traffic from it and block any traffic from their own networks to that block. This can be an effective tactic, but once the criminals abandon the IP space, it can take a long time for a legitimate business to be able to get traffic flowing there again.

“This is part of the problem that’s causing the IPv4 shortage,” Lanstein said, referring to the imminent exhaustion of the IPv4 address space, forecasted to occur in less than two years. “They stop paying the bills, the space gets null-routed and then it’s a mess. There’s clear fraud going on, but who can do something about it?”

Suggested articles


  • Anonymous on

    The captcha was which harrate

  • Anonymous on

    CIDR ranges?

  • GeeSparks on

    This will give us a lot of spams in our emails.

    Michael from


  • Anonymous on

    that's right

  • Anonymous on

    This is nothing new. Us in information security have been fighting crap like this voer a decade now. It's a world war and we are losing it badly.  If we want to win, we almost have to change sides.

    That said; anything goes against them also.  They play their games....We play ours.


  • Anonymous on

    we simply need 1 and only 1 place you can buy ip/domains from ...

    All those registrars .. all those people with the power to change the internet...

    Chaos is inevitable

  • seiruga on

    Known IP ranges dedicated to spam? Isn't that the easiest way to stop spam with just one firewall rule?

  • Anonymous on

    That's exactly what I was thinking.  Block the entire range of IP addresses.

  • Anonymous on

    What we need to do is go middle-east on these guys when they get caught.  Start chopping off hands of people found guilty of this world-wide terrorism and you'll probably see a pretty dramtic decrease of people willing to take the chance.

  • Anonymous on

    Blocking these IP ranges won't help much. They are just for the servers controlling the bot nets, not for the infected PCs which are controlled from there. You will never see an email coming directly from one of these servers.

  • davidbaer on

    <!-- /* Font Definitions */ @font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4; mso-font-charset:0; mso-generic-font-family:roman; mso-font-pitch:variable; mso-font-signature:-1610611985 1107304683 0 0 159 0;} @font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4; mso-font-charset:0; mso-generic-font-family:swiss; mso-font-pitch:variable; mso-font-signature:-1610611985 1073750139 0 0 159 0;} /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {mso-style-unhide:no; mso-style-qformat:yes; mso-style-parent:""; margin:0in; margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:"Times New Roman";} p {mso-style-unhide:no; mso-margin-top-alt:auto; margin-right:0in; mso-margin-bottom-alt:auto; margin-left:0in; mso-pagination:widow-orphan; font-size:12.0pt; font-family:"Times New Roman","serif"; mso-fareast-font-family:"Times New Roman";} .MsoChpDefault {mso-style-type:export-only; mso-default-props:yes; font-size:10.0pt; mso-ansi-font-size:10.0pt; mso-bidi-font-size:10.0pt;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in; mso-header-margin:.5in; mso-footer-margin:.5in; mso-paper-source:0;} div.Section1 {page:Section1;} -->

    What I like about small business owners is that they are not afraid to take huge risks and lay it all on the line. But, I agree they do need a lot of help with their marketing. I think having them go the social media and email route is not only the least expensive but its also the most effective. Thanks for the stats!

    With Facebook and Twitter being among the leaders of the Social networks, marketing as a small business is being transformed..

    Respondents according to the Vertical Response survey appear to need some differentiation with the use of SE marketing and Social media Marketing



  • kiramatalishah on

    The Center for Media Research has released a study by Vertical Response that shows just where many of these ‘Main Street’ players are going with their online dollars. The big winners: e-mail and social media. With only 3.8% of small business folks NOT planning on using e-mail marketing and with social media carrying the perception of being free (which they so rudely discover it is far from free) this should make some in the banner and search crowd a little wary.
  • Anonymous on

    its funny spam in your email is the least of the problems.


  • lawyer marketing on

    I love this..i am very week at css and always forget things and google for everything. but this pdf would help me a lot. thanks for sharing.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.