19
Aug 19

The Rise of “Bulletproof” Residential Networks

Cybercrooks increasingly are anonymizing their malicious traffic by routing it through residential broadband and wireless data connections. Traditionally, those connections have been mainly hacked computers, mobile phones, or home routers. But this story is about so-called “bulletproof residential VPN services” that appear to be built by purchasing or otherwise acquiring discrete chunks of Internet addresses from some of the world’s largest ISPs and mobile data providers.

In late April 2019, KrebsOnSecurity received a tip from an online retailer who’d seen an unusual number of suspicious transactions originating from a series of Internet addresses assigned to a relatively new Internet provider based in Maryland called Residential Networking Solutions LLC.

Now, this in itself isn’t unusual; virtually every provider has the occasional customers who abuse their access for fraudulent purposes. But upon closer inspection, several factors caused me to look more carefully at this company, also known as “Resnet.”

An examination of the IP address ranges assigned to Resnet shows that it maintains an impressive stable of IP blocks — totaling almost 70,000 IPv4 addresses — many of which had until quite recently been assigned to someone else.

Most interestingly, about ten percent of those IPs — more than 7,000 of them — had until late 2018 been under the control of AT&T Mobility. Additionally, the WHOIS registration records for each of these mobile data blocks suggest Resnet has been somehow reselling data services for major mobile and broadband providers, including AT&T, Verizon, and Comcast Cable.

The WHOIS records for one of several networks associated with Residential Networking Solutions LLC.

Drilling down into the tracts of IPs assigned to Resnet’s core network indicates those 7,000+ mobile IP addresses under Resnet’s control were given the label “Service Provider Corporation” — mostly those beginning with IPs in the range 198.228.x.x.

An Internet search reveals this IP range is administered by the Wireless Data Service Provider Corporation (WDSPC), a non-profit formed in the 1990s to manage IP address ranges that could be handed out to various licensed mobile carriers in the United States.

Back when the WDSPC was first created, there were quite a few mobile wireless data companies. But today the vast majority of the IP space managed by the WDSPC is leased by AT&T Mobility and Verizon Wireless — which have gradually acquired most of their competing providers over the years.

A call to the WDSPC revealed the nonprofit hadn’t leased any new wireless data IP space in more than 10 years. That is, until the organization received a communication at the beginning of this year that it believed was from AT&T, which recommended Resnet as a customer who could occupy some of the company’s mobile data IP address blocks.

“I’m afraid we got duped,” said the person answering the phone at the WDSPC, while declining to elaborate on the precise nature of the alleged duping or the medium that was used to convey the recommendation.

AT&T declined to discuss its exact relationship with Resnet — or if indeed it ever had one to begin with. It responded to multiple questions about Resnet with a short statement that said, “We have taken steps to terminate this company’s services and have referred the matter to law enforcement.”

Why exactly AT&T would forward the matter to law enforcement remains unclear. But it’s not unheard of for hosting providers to forge certain documents in their quest for additional IP space, and anyone caught doing so via email, phone or fax could be charged with wire fraud, which is a federal offense that carries punishments of up to $500,000 in fines and as much as 20 years in prison.

WHAT IS RESNET?

The WHOIS registration records for Resnet’s main Web site, resnetworking[.]com, are hidden behind domain privacy protection. However, a cursory Internet search on that domain turned up plenty of references to it on Hackforums[.]net, a sprawling community that hosts a seemingly never-ending supply of up-and-coming hackers seeking affordable and anonymous ways to monetize various online moneymaking schemes.

One user in particular — a Hackforums member who goes by the nickname “Profitvolt” — has spent several years advertising resnetworking[.]com and a number of related sites and services, including “unlimited” AT&T 4G/LTE data services, and the immediate availability of more than 1 million residential IPs that he suggested were “perfect for botting, shoe buying.”

The Hackforums user “Profitvolt” advertising residential proxies.

Profitvolt advertises his mobile and residential data services as ideal for anyone who wishes to run “various bots,” or “advertising campaigns.” Those services are meant to provide anonymity when customers are doing things such as automating ad clicks on platforms like Google Adsense and Facebook; generating new PayPal accounts; sneaker bot activity; credential stuffing attacks; and different types of social media spam.

For readers unfamiliar with this term, “shoe botting” or “sneaker bots” refers to the use of automated bot programs and services that aid in the rapid acquisition of limited-release, highly sought-after designer shoes that can then be resold at a profit on secondary markets. All too often, it seems, the people who profit the most in this scheme are using multiple sets of compromised credentials from consumer accounts at online retailers, and/or stolen payment card data.

To say shoe botting has become a thorn in the side of online retailers and regular consumers alike would be a major understatement: A recent State of The Internet Security Report (PDF) from Akamai (an advertiser on this site) noted that such automated bot activity now accounts for almost half of the Internet bandwidth directed at online retailers. The prevalence of shoe botting also might help explain Footlocker’s recent $100 million investment in goat.com, the largest secondary shoe resale market on the Web.

In other discussion threads, Profitvolt advertises he can rent out an “unlimited number” of so-called “residential proxies,” a term that describes home or mobile Internet connections that can be used to anonymously relay Internet traffic for a variety of dodgy deals.

From a ne’er-do-well’s perspective, the beauty of routing one’s traffic through residential IPs is that few online businesses will bother to block malicious or suspicious activity emanating from them.

That’s because in general the pool of IP addresses assigned to residential or mobile wireless connections cycles intermittently from one user to the next, meaning that blacklisting one residential IP for abuse or malicious activity may only serve to then block legitimate traffic (and e-commerce) from the next user who gets assigned that same IP.
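The blocking problem described above can be made concrete with a short sketch. This is an added example, not code from the original article: it contrasts a permanent per-address blocklist with abuse scores that are aggregated per address block and decay over time. The thresholds, block sizes, function names and the sample events (which use documentation-only addresses) are all assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# All thresholds below are assumptions chosen for the illustration.
HALF_LIFE_HOURS = 24.0   # an abuse report loses half its weight every 24 hours
CHALLENGE_AT = 3.0       # decayed abuse weight at which a block gets step-up checks
MIN_ABUSE_RATIO = 0.5    # abuse must also be at least half of the block's recent traffic

# Constructed sample events: (hour, source IP, flagged as abusive?).
# Addresses come from the RFC 5737 documentation ranges.
EVENTS = [
    # One address is abusive early on, then is reassigned; a legitimate
    # shopper appears on the same address about eight days later.
    (0, "203.0.113.7", True),
    (1, "203.0.113.7", True),
    (2, "203.0.113.7", True),
    (199, "203.0.113.7", False),
    # Proxy-style rotation: six different addresses in one /24, one hit each.
    (190, "198.51.100.10", True),
    (191, "198.51.100.23", True),
    (192, "198.51.100.41", True),
    (193, "198.51.100.58", True),
    (194, "198.51.100.66", True),
    (195, "198.51.100.90", True),
    (196, "198.51.100.12", False),
    # Ordinary block: one bad transaction among normal ones.
    (150, "192.0.2.20", False),
    (170, "192.0.2.31", False),
    (185, "192.0.2.5", True),
    (195, "192.0.2.44", False),
]


def block_of(ip):
    """Map an address to its covering block (/24 for IPv4, /48 for IPv6; assumed sizes)."""
    addr = ipaddress.ip_address(ip)
    prefix_len = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def naive_blocklist(events):
    """Permanent per-address blocklist: every IP ever flagged stays blocked."""
    return {ip for _, ip, abusive in events if abusive}


def score_blocks(events, now):
    """Return {block: (decayed abuse weight, decayed total weight)} as of hour `now`."""
    scores = defaultdict(lambda: [0.0, 0.0])
    for hour, ip, abusive in events:
        if hour > now:
            continue  # ignore events later than the evaluation time
        weight = 0.5 ** ((now - hour) / HALF_LIFE_HOURS)
        entry = scores[block_of(ip)]
        entry[1] += weight
        if abusive:
            entry[0] += weight
    return {block: (abuse, total) for block, (abuse, total) in scores.items()}


def decide(ip, scores):
    """Ask for extra verification when the address's block shows recent, dominant abuse."""
    abuse, total = scores.get(block_of(ip), (0.0, 0.0))
    if total > 0 and abuse >= CHALLENGE_AT and abuse / total >= MIN_ABUSE_RATIO:
        return "challenge"
    return "allow"


if __name__ == "__main__":
    scores = score_blocks(EVENTS, now=200)
    blocked = naive_blocklist(EVENTS)
    for ip in ("203.0.113.7", "198.51.100.77", "192.0.2.20"):
        naive = "block" if ip in blocked else "allow"
        print(f"{ip:15}  per-IP list: {naive:5}  decayed block score: {decide(ip, scores)}")
```

The reassigned address stays on the permanent list even though its old abuse has decayed to almost nothing, while a never-before-seen address in the rotating block passes the per-IP list and is caught only by the block-level score.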

A BULLETPROOF PLAN?

In one early post on Hackforums, Profitvolt laments the untimely demise of various “bulletproof” hosting providers over the years, from the Russian Business Network and Atrivo/Intercage, to McColo, 3FN and Troyak, among others.

All of these Internet providers had one thing in common: They specialized in cultivating customers who used their networks for nefarious purposes — from operating botnets and spamming to hosting malware. They were known as “bulletproof” because they generally ignored abuse complaints, or else blamed any reported abuse on a reseller of their services.

In that Hackforums post, Profitvolt bemoans that “mediums which we use to distribute [are] locking us out and making life unnecessarily hard.”

“It’s still sketchy, so I am not going all out to reveal my plans, but currently I am starting off with a 32 GB RAM server with a 1 GB unmetered up-link in a Caribbean country,” Profitvolt told forum members, while asking in different Hackforums posts whether there are any other users from the dual-island Caribbean nation of Trinidad and Tobago on the forum.

“To be quite honest, the purpose of this is to test how far we can stretch the leniency before someone starts asking questions, or we start receiving emails,” Profitvolt continued.

Hackforums user Profitvolt says he plans to build his own “bulletproof” hosting network catering to fellow forum users who might want to rent his services for a variety of dodgy activities.

KrebsOnSecurity started asking questions of Resnet after stumbling upon several indications that this company was enabling different types of online abuse in bite-sized monthly packages. The site resnetworking[.]com appears normal enough on the surface, but a review of the customer packages advertised on it suggests the company has courted a very specific type of client.

“No bullshit, just proxies,” reads one (now hidden or removed) area of the site’s shopping cart. Other promotions advertise the use of residential proxies to promote “growth services” on multiple social media platforms including Craigslist, Facebook, Google, Instagram, Spotify, Soundcloud and Twitter.

Resnet also peers with or partners with several other interesting organizations, including:

- residential-network[.]com, also known as “IAPS Security Services” (formerly intl-alliance[.]com), which advertises the sale of residential VPNs and mobile 4G/IPv6 proxies aimed at helping customers avoid being blocked while automating different types of activity, from mass-creating social media and email accounts to bulk message sending on platforms like WhatsApp and Facebook.

- Laksh Cybersecurity and Defense LLC, which maintains Hexproxy[.]com, another residential proxy service that largely courts customers involved in shoe botting.

- Several chunks of IP space from a Russian provider variously known by the names “SERVERSGET” and “Men Danil Valentinovich,” which has been associated with numerous instances of hijacking vast swaths of IP addresses from other organizations quite recently.

Some of Profitvolt’s discussion threads on Hackforums.

WHO IS RESNET?

Resnetworking[.]com lists on its home page the contact phone number 202-643-8533. That number is tied to the registration records for several domains, including resnetworking[.]com, residentialvpn[.]info, and residentialvpn[.]org. All of those domains also have in their historic WHOIS records the name Joshua Powder and Residential Networking Solutions LLC.

Running a reverse WHOIS lookup via Domaintools.com on “Joshua Powder” turns up almost 60 domain names — most of them tied to the email address joshua.powder@gmail.com. Among those are resnetworking[.]info, resvpn[.]com/net/org/info, tobagospeaks[.]com, tthack[.]com and profitvolt[.]com. Recall that “Profitvolt” is the nickname of the Hackforums user advertising resnetworking[.]com.

The email address josh@tthack.com was used to register an account on the scammer-friendly site blackhatworld[.]com under the nickname “BulletProofWebHost.” Here’s a list of domains registered to this email address.

A search on the Joshua Powder and tthack email addresses at Hyas, a startup that specializes in combining data from a number of sources to provide attribution of cybercrime activity, further associates those to mafiacloud@gmail.com and to the phone number 868-360-9983, which is a mobile number assigned by Digicel Trinidad and Tobago Ltd. A full list of domains tied to that 868- number is here.

Hyas’s service also pointed to this post on the Facebook page of the Prince George’s County Economic Development Corporation in Maryland, which appears to include a 2017 photo of Mr. Powder posing with county officials.

‘A GLORIFIED SOLUTIONS PROVIDER’

Roughly three weeks ago, KrebsOnSecurity called the 202 number listed at the top of resnetworking[.]com. To my surprise, a man speaking in a lovely Caribbean-sounding accent answered the call and identified himself as Josh Powder. When I casually asked from where he’d acquired that accent, Powder said he was a native of New Jersey but allowed that he has family members who now live in Trinidad and Tobago.

Powder said Residential Networking Solutions LLC is “a normal co-location Internet provider” that has been in operation for about three years and employs some 65 people.

“You’re not the first person to call us about residential VPNs,” Powder said. “In the past, we did have clients that did host VPNs, but it’s something that’s been discontinued since 2017. All we are is a glorified solutions provider, and we broker and lease Internet lines from different companies.”

When asked about the various “botting” packages for sale on Resnetworking[.]com, Powder replied that the site hadn’t been updated in a while and that these were inactive offers that resulted from a now-discarded business model.

“When we started back in 2016, we were really inexperienced, and hired some SEO [search engine optimization] firms to do marketing,” he explained. “Eventually we realized that this was creating a shitstorm, because it started to make us look a specific way to certain people. So we had to really go through a process of remodeling. That process isn’t complete, and the entire web site is going to retire in about a week’s time.”

Powder maintains that his company does have a contract with AT&T to resell LTE and 4G data services, and that he has a similar arrangement with Sprint. He also suggested that one of the aforementioned companies which partnered with Resnet — IAPS Security Services — was responsible for much of the dodgy activity that previously brought his company abuse complaints and strange phone calls about VPN services.

“That guy reached out to us and he leased service from us and nearly got us into a lot of trouble,” Powder said. “He was doing a lot of illegal stuff, and I think there is an ongoing matter with him legally. That’s what has caused us to be more vigilant and really look at what we do and change it. It attracted too much nonsense.”

Interestingly, when one visits IAPS Security Services’ old domain — intl-alliance[.]com — it now forwards to resvpn[.]com, which is one of the domains registered to Joshua Powder.

Shortly after our conversation, the monthly packages I asked Powder about that were for sale on resnetworking[.]com disappeared from the site, or were hidden behind a login. Also, Resnet’s IPv6 prefixes (a la IAPS Security Services) were removed from the company’s list of addresses. At the same time, a large number of Profitvolt’s posts prior to 2018 were deleted from Hackforums.

EPILOGUE

It appears that the future of low-level abuse targeting some of the most popular Internet destinations is tied to the increasing willingness of the world’s biggest ISPs to resell discrete chunks of their address space to whomever is able to pay for them.

Earlier this week, I had a Skype conversation with an individual who responded to my requests for more information from residential-network[.]com, and this person told me that plenty of mobile and land-line ISPs are more than happy to sell huge amounts of IP addresses to just about anybody.

“Mobile providers also sell mass services,” the person who responded to my Skype request offered. “Rogers in Canada just opened a new package for unlimited 4G data lines and we’re currently in negotiations with them for that service as well. The UK also has 4G providers that have unlimited data lines as well.”

The person responding to my Skype messages said they bought most of their proxies from a reseller at customproxysolutions[.]com, which advertises “the world’s largest network of 4G LTE modems in the United States.”

He added that “Rogers in Canada has a special offer that if you buy more than 50 lines you get a reduced price lower than the $75 Canadian Dollar price tag that they would charge for fewer than 50 lines. So most mobile ISPs want to sell mass lines instead of single lines.”

It remains unclear how much of the Internet address space claimed by these various residential proxy and VPN networks has been acquired legally or through other means. But it seems that Resnet and its business associates are in fact on the cutting edge of what it means to be a bulletproof Internet provider today.


58 comments

  1. The Sunshine State

    Another great article, informative article from Krebs

  2. Well done once again, Brian.

  3. So what is this article about?

    Guys obtain IP addresses and make a legit registered business with them, reselling them for VPN’s and proxies?

    What’s the problem here? Legit business as any other.
    Proxies were and always will be part of internet and there are plenty of providers.

    • Oh rats, I forgot to add a “TL;DR” bit for commenters who can’t be bothered to read.

    • Josh – since you didn’t bother to read the article, here is a quote:
      “A call to the WDSPC revealed the nonprofit hadn’t leased any new wireless data IP space in more than 10 years. That is, until the organization received a communication at the beginning of this year that it believed was from AT&T, which recommended Resnet as a customer who could occupy some of the company’s mobile data IP address blocks.

      “I’m afraid we got duped,” said the person answering the phone at the WDSPC, while declining to elaborate on the precise nature of the alleged duping or the medium that was used to convey the recommendation.

      AT&T declined to discuss its exact relationship with Resnet — or if indeed it ever had one to begin with. It responded to multiple questions about Resnet with a short statement that said, “We have taken steps to terminate this company’s services and have referred the matter to law enforcement.””

    • Rube Goldberg's Razor

      Josh? Josh Powder?!? Is that you? U mad bro?

  4. New meaning to that old phrase about “taking a Powder…” Another great story illuminating this brave new world, Brian.

  5. Great article. I’m curious, do you forward this information to the authorities?

    • Thanks, Ian. That’s not really what I do, but I believe from AT&T’s statement that they have done so.

      • Ian probably doesn’t know the difference between a journalist and a snitch.

      • Sounds like Mr. Powder doesn’t like your article.

      • I’d be surprised if At & T does anything with it…

        I notified them that they had some kind of redirect or malvertising that malwarebytes classified as a trojan on their main page and it took forever to get any action…called, emailed, tweeted, etc.

        Hope none of their customers were affected

  6. https://www.quora.com/profile/Joshua-Powder/questions
    He sure asks some pointed questions…and also answers them about VPNs as early as this past Feb.

  7. The problem is that many companies would rather not look too hard at who they are doing business with until something negative comes to light. Then they get all defensive and claim they had no idea their customer was bad.

    This is so common, there should be a name for it.

    • I feel like they’d go with “plausible deniability”

    • Not just “customers,” but
      partners
      affiliates
      contractors
      subsidiaries

      What are they? What are their definitions, and do the definitions change as their roles change?

      All the above are means to distance principals from the shenanigans their partners and affiliates, or – in this case – customers, engage in.

      A small example is:

      *********quote***************
      In a written statement, Google said the lyrics on its site, which pop up in little search-result squares called “information panels,” are licensed from partners, not created by Google.

      “We take data quality and creator rights very seriously and hold our licensing partners accountable to the terms of our agreement,” Google said.

      After this article was published online Sunday, Google issued a second statement to say it was investigating the issue raised by Genius and would terminate its agreements with partners who were “not upholding good practices.”

      **********Unquote*****************
      – Lyrics Site Accuses Google of Lifting Its Content
      https://www.wsj.com/articles/lyrics-site-genius-com-accuses-google-of-lifting-its-content-11560677400

    • Rube Goldberg's Razor

      It’s called, “It’s all about the bucks, kid, and the rest is conversation.” ~ Gordon Gekko, “Wall Street”, 1987

    • Thought of one! You ready? Drum roll, please ……………..

      >>Liability Shifting<<

      Corporations engage contractors, partners, affiliates, subsidiaries, and sometimes their own customers to shift liability away from the principals . . .

  8. Never trust anyone speaking Jafakin

  9. Excellent reporting Brian! I suspect that someone(s) will be getting law enforcement attention soon, if not already. Deleting information shortly after an inquiry is a great sign of something to hide. Also, some folks take screenshots of things before inquiring. 😉

    Wow, I did not know this… massive traffic!

    “…such automated bot activity now accounts for almost half of the Internet bandwidth directed at online retailers…”

    • The posts were restored after a quick chat with the site administrator, and his ability to edit/delete these posts was removed, as was his site access for 1 year. Everything he tried to hide is back.

  10. That little resnet pos is actually complaining about the freedom of speech… Wow

  11. Maybe it’s a coincidence, but the servers I manage have recently been hit with a storm of attempts to hack our ssh ports. Some attacks originate in China, but a lot of them are from residential IP address ranges. Although the largest source seems to be NY-based Digital Ocean. We changed our ssh port from the default 22 a couple of years ago, which stopped attacks completely. Until last week. So the hackers have found our new port.

    • Changing your port won’t really do much, it’s easy as hell to just scan for the new one.

      • Yes, it is trivial for attackers to eventually find your new SSH port…. but for automated attacks (bots) every packet is a commodity.

        Changing ports won’t fool a human… but most likely, you are getting hit by a botnet. Changing to an uncommon port, is absolutely effective. Security through obscurity has gotten a bad rap, it should still be in a defender’s arsenal and combined with other defenses “in depth”.

      • Changing the port worked for 4 years, so don’t discount it. Our primary defenses are:
        fail2ban, with a 24 hour lockout
        We do not allow passwords, only RSA key pairs for accessing the ssh and sftp ports.

    • I think the bigger question here is, why do you have SSH open to the internet? You shouldn’t consider changing SSH to another port, you should consider not allowing SSH publicly to begin with. What’s the reason for it being public?

      • Why do you assume he runs a corporate network with a datacenter or significant infrastructure to remotely manage his servers?

        How else is someone who runs a few basic VPS boxes going to administer servers?
        Sure, set up an OpenVPN,… that’ll give attackers an extra step… but oops, run that on a common port too, same problem.

    • PDCLarry, Digital Ocean is such a mess that we have blocked all of their IP ranges. We get scanned by bot-type scripts from that provider constantly. I assume they aren’t asking many questions of their customers, either.

      Anyone selling vpn services out of a residential block is trying to avoid something. Huge red flag for me.

    • Digital ocean is starting to respond to abuse reports albeit slowly. They host a lot of the traffic I throw away due to brute force attempts. I think I’ve blocked just about all the sub nets they host. It was a lot of /20’s. They claim that they have to use small chunks due to being blocked by anti spam sites. I believe it.

  12. @Larry if you have SSH open to the public internet, and you think changing to a non-standard port offers any real amount of protection, your servers should probably look for a new manager….

    • Home and Small Business networks might not have many options. I’d suggest VPN of course, but then you might have the same issue of keeping it on a common port (heartbleed was a good example).

      Changing from a common port to an uncommon one is not something you should “rely on” for complete security… But can be something to add for “defense in depth”.
      No, it won’t deter a human attacker with even few seconds to scan….

      But this article is more about botnets. Not humans.
      And for botnets, every packet sent is a commodity. They often cannot afford to scan every port on each host. Rather, they spray across many many hosts, for only the most common ports with common services.
      It would be a waste of attacker resources to do full tcp scans each host.

      So if you only have a few users, and can switch to an uncommon port, it won’t hurt anything. No downside. Just understand that if a human were to look further, they will find it. This would only be a mitigation for botnets.

      • A VPN isn’t going to do any good if SSH is already public. It may help traffic in transit from the user to the server, but it’s doing absolutely nothing to protect the server itself. That’s what PDC_Emulator was referring to. This is where changing the ports comes into play as you suggested, but the biggest concern is that SSH is public.

        • I understand that. My VPN suggestion would be to NOT have any other public ports open. And just go through a VPN first, then SSH locally.

          It is annoying when people just pile on with a “Why you do that?, you should do it this way”. There are many many reasons why someone could do it that way. Many, many small servers running in the cloud have single admins using SSH from the internet. There is not a simple rule that says, “don’t use SSH from the Internet”. Administrative control is needed by whatever method that is affordable.

          SSH being public makes me think that this is a very small network of cloud servers. Many times this isn’t even a full network, but a VPS or two running on AWS or something.
          I am assuming there must be a need for SSH being exposed.
          If someone is running a few simple economy servers (VPS) in the cloud for whatever reason, they may not have the infrastructure to manage console access any other way. VPN concentrators, jump boxes, vSphere, etc. And SSH “can” be set up with nearly as much security as a basic VPN. Public Keys, firewall rules for specific inbound IPs, etc.

          SSH is still encrypted. This isn’t Telnet here. VPNs have more/better options for encryption of course, but SSH can use certs, and good crypto, just like VPN.

          My main point is that a service running on any common port is exposed. VPNs have this problem too. When a vulnerability like Heartbleed comes out… based on OpenSSL… it affected VPN and SSH alike.

          The big issue here is how a botnet will target the internet at large. Not some hacker looking for secured SSH on some uncommon port by doing a full scan… but rather a botnet looking for unpatched common services running on common ports.

    • I have one word for you. ssh-guard
      port22 all day long bro.

      • Julian Niemeyer

        Genius. Just looked at their website ww.sshguard.net

        502 Bad Gateway – nginx/1.16.1

        What an incredible way to protect your site by pretending it is down! Security through obscurity at its absolute best.

        So can you let me in on the secret of how I get past it?

      • Brute force protection is but 1 way to protect.
        Definitely a good add to the “defense in depth”.
        But if there are only a few admins, then an uncommon port still has value.

        Remember, switching to uncommon ports is NOT about mitigating against brute force, where an attacker knows you are there, the service that is running, and wants to crack the login password.

        Rather, this is about botnets that do not yet know you are there. And only have the bandwidth to scan for common ports. Botnets don’t do full tcp scans of all 65k+ ports, they look for common services on common ports, and will move to the next host after only a few ports.

        So yes, absolutely use fail2ban or ssh-guard. But if it suits you, might as well move to an uncommon port.

    • As I said, it worked for 4 years. And it isn’t our only defense.

  13. Fraud is so common on the web it is also probably 1/4 of the money. Are we going to say Bitcoin turned into a valuable commodity by washing money for nice guys? Some companies do not care as long as they make money on something or at least their sales people making commission do not.

  14. I remember something like this happening in The Netherlands around the turn of the century.

    The ISP called Megaprovider had, or so they claimed, IP addresses assigned to systems in their datacenter and also addresses, with an .adsl prefix, assigned to private customers in the country.

    The servers seemed to be used to legitimate customers, like hotels. The ADSL lines all were used to send out spam. When they got an abuse report the abuse would stop and appear on another IP address (in the ADSL range) within days, sometimes hours.

    I called the owner out on this in a public “forum”, Usenet News. He did complain about me through a letter to my director. After explaining my findings to the director he sent a letter back. I have never heard him complain after that.

    At one moment I got them with their hands in the cookie jar so to speak. We had a spam outbreak, systems in our dorms sending out spam. When examining network connections there was one thing that stood out.

    A connection was made from the Megaprovider ADSL range to a backdoor port on a system in our dorms.
    After a few seconds the system would start sending spam.
    Then the connection from Megaprovider would end.
    Within a second the spam flood would stop.

    We found several Megaprovider IP addresses making the connection and each sending the same spam through our systems. That is when we blocked Megaprovider IP ranges on our firewall.

    In 2003 other ISP’s in The Netherlands stopped accepting traffic from Megaprovider. They disappeared shortly thereafter. It appears they were charged in Illinois around that same time:
    https://www.ftc.gov/enforcement/cases-proceedings/032-3030/westby-brian-d-et-al

  15. So it is….

    www[.]resnetworking.com

    Please forgive our dust!

    Under maintenance.

  16. Excellent article – the research and deep dive is impressive. Kudos!

    One thing that sticks out with Profitvolt is how articulate and well spoken they are. This individual has some education under their belt and should be able to secure a well paying job. All I have to say is this: whiskey tengo foxtrot?

    • education + business intelligence + gumption is no match for simple hiring discrimination, which you can’t honestly say isn’t rampant, and it produces criminality-

      affirmative action has its benefits
      because if we can’t make it
      WE WILL TAKE IT

      • that’s ironic you say that…
        If you are indifferent about committing theft, it probably wasn’t hiring discrimination in the first place. It was good judgment.

        There is always a way, for people who want to do better. And there is always an excuse, for people looking for shortcuts and quick bucks.

  17. Thanks Brian, great info as usual.

  18. Seems like the big ISPs might need to follow the same type of “Know your customer” standard as banks do with regard to AML/Terrorist funding.

    In that regard, I wonder if the recent talk from some of the big CEOs (e.g. Jamie Dimon from Chase) regarding the move in perspective from only serving shareholder profit interests at the expense of all others will have any spillover here. The ISP really (not just lip service legal talk) self regulate or if the industry will need the 3rd party (generally government) to make that work.

  19. Great article and thank you for your work. You’ve just answered a question I’ve been having for over a year.

    Over the last year+ I have tracked some extremely weird traffic to our network. We have IPs sets that we’ve tracked to either all residential IPs or all mobile IPs, usually segregated to certain geographic areas. Some were weird enough for us to act on based on other factors, but there were some that were suspicious that didn’t get acted on.

    Very interesting stuff. We will certainly be doing a better job of tracking those IPs.

    If you are starting a collection of those blocks or similar, I could likely contribute.

  20. “In one early post on Hackforums, Profitvolt laments the untimely demise of various “bulletproof” hosting providers over the years, from the Russian Business Network and Atrivo/Intercage, to McColo, 3FN and Troyak, among others”.

    Josh Powder, may be a very longtime operator.

  21. “…not unheard of for hosting providers to forge certain documents in their quest for additional IP space…”
    “An examination of the IP address ranges assigned to Resnet…”

    The IP address ranges labeled Resnet Inc are listed as at Hyattsville, MD 20784, with more details–not saying not falsified.

  22. Joshy mi tell yuh gwan get caught playin wit di computah bwai. ya mek mi head swell bwai. yuh best guh home bak to trinidad

  23. I just can’t ignore this.

    There’s no such thing as “IPs.” The correct term is “IP addresses.”

    There is also no such thing as “IP range.” The correct term is “IP address range.”

  24. Hey. I have some more information on Josh Powder. Krebs, if you’re interested email me
