Going Black –
Russian “bulletproof” host advertised stolen IP address to take site live.
The successor to 8chan, 8kun,made a somewhat brief appearance on the public Internetthanks to what amounts to an attack on the Internet’s routing infrastructure. The site’s domain name server, hosted by a servicecalled VanwaNet, offered up an Internet address for the site that was from an unallocated set of addresses belonging tothe RIPE Network Coordinating Center, the regional Internet registry authority for Europe and the Middle East. And the host for the new site, the Russian hosting company Media Land LLC, advertised a route to that address to the rest of the Internet, allowing visitors to reach the site for a while.
The advertisement of the address, made with the Border Gateway Protocol (BGP), is what is referred to in the routing world as a “bogon” or “martian.” Usually these happen when private network addresses mistakenly are sent out, or “advertised,” from a network to the rest of the Internet because of a router misconfiguration.
But sometimes, they hijack existing addresses either accidentally or maliciously. ABGP “leak” in November 2018caused Google and Spotify service outages. In 2015, for example,Hacking Team used a BGP bogon advertisementto help Italian police regain control of infrastructure used to monitor hacked targets. And a Russian network provider made BGP advertisements thathijacked traffic to financial services sitesin 2017.
While 8kun.net was registered in September through Tucows, the actual process was handled by a company called N.T. Technology Inc., a hosting company and registration services provider that appears to have gone dark in August, around the same time 8Chan went offline. The domain for N.T. Technology was registered by Jim Watkins — the “owner” of 8chan. And several hosts associated with 8chan, on the 8ch.net domain, were hosted by N.T. Technology.
None of N.T. Technology’s servers appears to be reachable. TheTwitter account associated with the company(which gives the location as Carson City, Nevada) has been inactive since 2014. The address given for the company on its now-dead website was a Digital Real Estate data center in San Francisco, and its corporate office address was that of a corporation registration and virtual home office company in Reno, Nevada. The phone number associated with the Reno address in domain registration data was disconnected; a second number (a Comcast VoIP number) went unanswered. But the company’s network is still active, based ondata from Hurricane Electric’s BGP tools.
Trying to go “Bulletproof”
After 8chan lost its hosting in August in the wake of the El Paso mass shooting, much of 8chan’s content — especially the “pol “channel — hadshifted to the social media platform Telegram(known for its anti-censorship policies, which have made it a haven for all flavors of extremism). Telegrampol, for instance, was set up in July. But the fragmented nature of the Telegram channels (and the Telegram architecture) likely kept away many 8chan users; Telegrampol has a total of 633 subscribers.
8kun was an effort to restore a central location for all of 8chan’s communities, but it faced the same challenges in hosting that brought down 8chan in the first place — its radioactivity to hosting providers and domain registrars. This is what apparently drove Watkins and company to a rather unusual hosting option: a Russian company known mostly for hosting crimeware.
Media Land is operated by Alexander Volosovyk, known as “Yahlishanda” on criminal underground Internet marketplaces. According toa report by Brian Krebs, Volosovyk is the world’s biggest “bulletproof” hosting operator. He has, according to Krebs, avoided takedowns and prosecution by operating carefully within the lines of the law in Russia and other former Soviet states.
Servers hosted by Media Land infrastructure have been tied to the Dridex and Zeus banking trojans in the past, as well as to the command and control networks for other sophisticated malware. Media Land-hosted virtual private servers using legitimately-assigned IP addresses have beenrepeatedly reported for malicious traffic, including hundreds of brute-force Remote Desktop Protocol login attacks.
Media Land used the fake BGP advertisements for more than just 8kun. According to historical DNS records from SecurityTrails, Media Land had been maintaining an advertisement for a block of addresses starting at 185. 254. 121. 200 for over a month, with the records for 8kun.net addresses popping up about two days ago. The hosts tied to the address block hosted a variety of short-lived malware, phishing, and online pharmacy scam sites, among others, with some dating back to September — all of them hosted by Media Land.
Using this sort of fishy routing advertisement is not an uncommon tactic when trying to prevent potential attackers from gathering intelligence on a site’s or networks ‘infrastructure. It means that Whois requests and other network tools return no useful information to casual inquiries. That makes targeting the hosting provider somewhat more difficult. Other blocks of unassigned addresses have been used by Media Land repeatedly over the past three years.
The Media Land hosting may have been a temporary move by the operators of 8chan / 8kun. The site remains live on Tor as a “hidden service.” And the site’s domain name service provider VanwaNet hasadvertised itself in the past as a Cloudflare alternative– giving customers the capability (at some point in the future) to create their own content-delivery networks to fight DDoS attacks.
Ron Watkins, the administrator for 8kun,said in a Twitter postthat VanwaTech “has built a fantastic new deepnet CDN that can deliver Tor hidden services at nearly clearnet speed. ” In addition, the 8kun team has apparently been looking at another Tor-like service calledLokinet, an onion-routing based anonymizing network that is still in development.
Those services may be crucial for the continued operation of the site, considering that the open Internet version of the site was under attack from almost the instant it went live. “We have been under sustained attacks the past few days and doing everything we can to get things stable again,” Ron Watkins reported on Twitter earlier today. “The site is still online — albeit limping along — as we reorganize and restructure to deflect attacks coming from many angles.”