21 Jan 21

DDoS-Guard To Forfeit Internet Space Occupied by Parler

Parler, the beleaguered social network advertised as a “free speech” alternative to Facebook and Twitter, has had a tough month. Apple and Google removed the Parler app from their stores, and Amazon blocked the platform from using its hosting services. Parler has since found a home in DDoS-Guard, a Russian digital infrastructure company. But now it appears DDoS-Guard is about to be relieved of more than two-thirds of the Internet address space the company leases to clients — including the Internet addresses currently occupied by Parler.

The pending disruption for DDoS-Guard and Parler comes compliments of Ron Guilmette, a researcher who has made it something of a personal mission to de-platform conspiracy theorist and far-right groups.

In October, a phone call from Guilmette to an Internet provider in Oregon was all it took to briefly sideline a vast network of sites tied to 8chan/8kun — a controversial online image board linked to several mass shootings — and QAnon, the far-right conspiracy theory which holds that a cabal of Satanic pedophiles is running a global child sex-trafficking ring and plotting against President Donald Trump. As a result, those QAnon and 8chan sites also ultimately ended up in the arms of DDoS-Guard.

Much like Internet infrastructure firm CloudFlare, DDoS-Guard typically doesn’t host sites directly but instead acts as a go-between to simultaneously keep the real Internet addresses of its clients confidential and to protect them from crippling Distributed Denial-of-Service (DDoS) attacks.

The majority of DDoS-Guard’s employees are based in Russia, but the company is actually incorporated in two other places: As “Cognitive Cloud LLP” in Scotland, and as DDoS-Guard Corp. based in Belize. However, none of the company’s employees are listed as based in Belize, and DDoS-Guard makes no mention of the Latin American region in its map of global operations.

In studying the more than 11,000 Internet addresses assigned to those two companies, Guilmette found that approximately 66 percent of them were doled out to the Belize entity by LACNIC, the regional Internet registry for the Latin American and Caribbean regions.

Suspecting that DDoS-Guard incorporated in Belize on paper just to get huge swaths of IP addresses that are supposed to be given only to entities with a physical presence in the region, Guilmette filed a complaint with the Internet registry about his suspicions back in November.

Guilmette said LACNIC told him it would investigate, and that any adjudication on the matter could take up to three months. But earlier this week, LACNIC published a notice on its website that it intends to revoke 8,192 IPv4 addresses from DDoS-Guard — including the Internet address currently assigned to Parler[.]com.

A notice of revocation posted by LACNIC.

LACNIC has not yet responded to requests for comment. The notice on its site says the Internet addresses are set to be revoked on Feb. 24.

DDoS-Guard CEO Evgeniy Marchenko maintains the company has done nothing wrong, and that DDoS-Guard does indeed have a presence in Belize.

“They were used strongly according [to] all LACNIC policies by [a] company legally substituted in LACNIC region,” Marchenko said in an email to KrebsOnSecurity. “There is nothing illegal or extremist. We have employers and representatives in different countries around the world because we are global service. And Latin America region is not an exception.”

Guilmette said DDoS-Guard could respond by simply moving Parler and other sites sitting in those address ranges to another part of its network. But he considers it a victory nonetheless that a regional Internet registry took his concerns seriously.

“It appeared to me that it was more probable than not that they got these 8,000+ IPv4 addresses by simply creating an arguably fraudulent shell company in Belize and then going cap in hand to LACNIC, claiming that they had a real presence in the Latin & South American region, and then asking for 8,000+ IPv4 addresses,” he said. “So I reported my suspicions to the LACNIC authorities in early November, and as I have only just recently learned, the LACNIC authorities followed up diligently on my report and, it seems, verified my suspicions.”

In October, KrebsOnSecurity covered another revelation by Guilmette about the same group of QAnon and 8chan-related sites that moved to DDoS-Guard: The companies that provided the Internet address space used by the sites were defunct businesses in the eyes of their respective U.S. state regulators. In other words, the American Registry for Internet Numbers (ARIN) — the non-profit which administers IP addresses for entities based in North America — was well within its contract rights to revoke the IP space.

Guilmette brought his findings to ARIN, which declined to act on the complaint and instead referred the matter to state investigatory agencies.

Still, Guilmette’s gadfly efforts to stir things up in the RIR community sometimes do pay off. For example, he spent nearly three years documenting how $50 million worth of the increasingly scarce IPv4 addresses were misappropriated from African companies to dodgy Internet marketing firms.

His complaints about those findings to the African Network Information Centre (AFRINIC) resulted in an investigation that led to the termination of a top AFRINIC executive, who was found to have quietly sold many of the address blocks for personal gain to marketers based in Europe, Asia and elsewhere.

And this week, AFRINIC took the unusual step of officially documenting the extent of the damage wrought by its former employee, and revoking discrete chunks of address space currently being used by marketing firms.

In a detailed report released today (PDF), AFRINIC said its investigation revealed more than 2.3 million IPv4 addresses were “without any lawful authority, misappropriated from AFRINIC’s pool of resources and attributed to organizations without any justification.”

AFRINIC said it began its inquiry in earnest back in March 2019, when it received an application by the U.S. Federal Bureau of Investigation (FBI) about “certain suspicious activities regarding several IPv4 address blocks which it held.” So far, AFRINIC said it has reclaimed roughly half of the wayward IP address blocks, with the remainder “yet to be reclaimed due to ongoing due diligence.”


374 comments

  1. Thank you Brian for reporting on this.
    And hats off to Ron for digging into these quagmire(s).
    Sad to see that it hasn’t shown up on mainstream outlets.

    Stay Safe.

  2. Reading the threads on this website, esp. on the 1/16 Solarwind hacks, the utter subjectiveness and dweebisness of our corporate owned IT ‘community’ makes me realize how totally defenseless we are in the real world.

    • It’s not the IT community. And certainly not the cyber security community that has infested the comments.

      It’s really a product of how the Krebs on Security articles get attention in the very circles which Krebs investigates.

      A major cyber security breach perpetrated by Russian intelligence, will attract a flock (gaggle) of Russian sock puppets or bots to drop variations of the same comments.

      Brian Krebs has often written about smaller cyber crime organizations, which have resulted in many leaving comments attacking Krebs and other cyber security professionals.

      Lately, Krebs has been writing more about Qanon and other extreme right wing Ne’er-Do-Wells. These articles are tagged as such too.
      So they show up en masse in the comment threads too.

      • Any time the lights come on, the cockroaches scurry back to the darkness, but they are NOT happy about the person who turned on the lights.

        Eastern european criminals have been angry at Brian for a long time for turning on the lights, it seems only fair for western criminals/whackadoodle conspiracy theorists to finally get angry too.

  3. Nicholas Keisel-Stagnone

    They’re always from Kosovo, Brian…
    That’s the real tragedy of it all…

    How’s your Russian these days?

    You claimed to be learning a few years ago. Were you just yanking my chain…or are you taking a trip here?

  4. Povl H. Pedersen

    Now, will ARIN have the right wingers replaced after the election?
    It is clear that a non-profit should react on information that the holding entities no longer legally exist.
    Especially in times where they manage a scarce resource.

  5. Interesting what you say here, for sure. Thanks for talking about these issues related to security.
    I wonder what will happen with this site and others like it. Let’s see

  6. It’s all illuminati shiet fraudsters scammers bitcoins mob mafia
    Same shiet same the secret service all same
    Normal person don’t scam don’t con but working and do good for society

  7. Awesome show with free popcorn flavored with salty tears. Delicious. Five Stars.

    Some fun: Can any company support free speech without moderation? What happens when the tool becomes a favorite hub for criminal activity? What happens when police get involved? What do you do about people who disrupt civil discourse?

    Rip Parlor – Death of a million trolls and counting.

  8. It’s a shame that Ron is so biased that he only goes after the extremes on the “right”. Extremes on either end are not good.

    • Can you give an example of the other end?
      Some extreme left website that is currently abusing an Internet Address registrar for illegal IP space allocation?

      • Haaaa! If Mr. Krebs did that, he’d get canceled.
        Woke is no joke, blokes.

        • Exactly, every time I ask for evidence of this false equivalency, I get nothing but silence and you just proved my point.

          • I think that sort of reply is what’s called “bad faith”, a normal person can find examples with minimal effort, including famous examples like the left-wing Jonestown.

            • That proves my point.

              That you have to go far back into history to find something that resembles an example of a true left wing threat to democracy that is near equivalent to the insurrection we are seeing today from the right.

              • I suppose you consider Antifa fine, upstanding citizens, and that Weather Underground were peaceful protesters. To act as if there aren’t extremes on both sides is myopic.

                • Not at all.
                  I’m not denying there are extremes on both sides. Just that they are never equal, at the same time in history.
                  The pendulum swings over the decades. And today isn’t like 1776, it isn’t like 1968, it is much closer to 1860 or 1923.

                  The radical left movements of the 1960’s are NOT happening today. Antifa exists, but isn’t the existential threat that the radical right tries to make them out to be. The threat of Communism taking over the world was the biggest threat, but it is no longer. Right wing fascism, however, is the current threat.

                  Just look at how Antifa is blamed for everything, even for events in which they weren’t even present, nor had any desire to be present.
                  The Antifa threat is a 99% fictional boogeyman. Along with the caravans.

                  Hitler’s time was the 1920’s and 1930’s. It is eerily familiar to hear the same rhetoric today, about how Communists and some racial minority groups are conspiring to destroy the homeland from within. Remember who they blamed the burning of the Reichstag? Communists. If there wasn’t as much video of the Capitol insurrection… they would also convince people that it was really Antifa who stormed the building. Even with clear video and undisputed confession… some on the right still took the public for gullible idiots, and tried to blame Antifa.

                  Communism became such a global threat, in part, because as Hitler started to lose his grip on Europe, Stalin moved into the power vacuum quickly to set up far left regimes. Same in Manchuria and North Korea after Japan lost its grip. The pendulum swung from far right, to far left. Now, we are seeing the far right take control.

                  So, yeah, there are extremes on both sides. Duh… but to act as if they are equal… is naive.

  9. I would rather have nut jobs talking on a platform they can be identified on, and held accountable. Than on some secret squirrel site, hiding them until they do some incredibly stupid thing, and it’s too late to stop them.
    In short – Let stupid people identify themselves to the world before they do stupid actions, so we help and or stop them.
    Like Portugal did with drugs.

    • Agreed.

      Let them talk out in the open. Let them use sites where there are plenty of FBI informants and web crawlers. Their plans will be revealed.
      Of course, Parler and these others are still open for this kind of thing. They’re not secret squirrel sites that hide them. In fact, many profiles there are verified with personal data.

      Facebook, YouTube and Twitter on the other hand… Have secret proprietary algorithms that spread messages much farther and faster than just posts on a message board.
      That means depending on who your friend of a friend of a friend is… You’ll see these nut jobs and what they are saying.

      They should be free to say whatever (legal speech)… But these social media platforms are used as RECRUITING accelerators, because they put this content in front of people not looking specifically for it.

      As long as there are algorithms for what’s “trending”, the hate speech and conspiracy theories should not be able to abuse the system to SPREAD their message. They can DISCUSS their message with anyone who opts into such, by explicitly browsing to a website, page or blog.

  10. Sad situation when a left wing activist like Ron Gaulimette can pressure to shut down right wing opinions by labelling them all as (violent conspiracy theorists etc). Where was and is he when groups like Antifa and BLM promote violence? Big tech needs to stand up and not support and or cave into left wing pressure. If not they will just increase distrust in the media and their intentions.

    • You obviously didn’t read the article.

      • Do you not have a job to do other than post your political opinions after every comment? You post a negative childish reply for every single comment that mentions the fact that Ron is only concerned with right wing “issues” and likewise is ok with left wing groups such as Antifa and BLM preaching hate and conspiracy theory non stop on the same platforms. Ron is a left wing activist with an agenda and the tech platforms are not being even handed in their responses.

        I have been on this forum since inception and I am sure the vast majority of security professionals know that freedom of speech is now being impacted by the uneven behaviour shown in recent cases. We are letting left wing activists shout the loudest and get their way.

        • A simple RSS feed alert allows me to casually reply. If you have been on this forum and understand IT, you would know how easy it is.
          And I am replying to the persistent ignorance of comments from people like you, who either haven’t read the article and/or don’t understand the concepts discussed in the article. If you have been on this forum since its inception… you should learn to read the articles instead of commenting first based on your hurt feelings seeing other comments.
          Since you are more likely to read comments, than the actual article… let me educate you about what happened.

          Ron Guilmette is targeting Conspiracy Theory sites who are either breaking the law or violating the policies of the infrastructure they are using. This has been true for ALL the cases where Guilmette has taken action. Whether that is far right or far left… is wholly dependent on whether a website/service is a conspiracy theory site.

          You cry foul because he’s not targeting Antifa and BLM conspiracy theory websites? Can you name any? There might be some out there, but they have no real traction. The only far-left conspiracy theory groups I know of, are the anti-vaxxers. And they also spread their lies on the same platforms Guilmette has targeted.

          So go ahead… provide the names of platforms/services/websites that cater specifically to extreme-left conspiracy theories and have run afoul of infrastructure providers like defrauding an Internet Address Registry.
          Every time someone makes a false equivalency like this, I ask them to provide the true equivalent… and they fail to respond.

          The real issue at hand… is that YOU have been moved to the right by unfettered rhetoric and propaganda coming from the right. The Overton Window has shifted to the right. And so have your views, to the point that everything else seems like left wing activism, when they are really moderate.
          You don’t know what the “vast majority of security professionals” are thinking.

          There are a LOT of independents and moderates like myself who see both left and right extremism for what it is. And acknowledge that right now, the “right” is the bigger danger to our society. At some point, the left will be the greater threat. But today, the right has no equivalent on the left. There is a reason why corporate America and tech platforms support BLM. It’s because BLM is similar to the 1960’s Civil Rights Movement (Antifa is like the radical groups like Black Panthers or Nation of Islam). Moderates can recognize the positive movement for justice, while rejecting the extreme/violent elements of the same. If you were even a moderate conservative, you would also reject the extreme of your side and reject Qanon as well.

          But instead, you are believing the rhetoric coming from the right that is telling you that there is an equivalency on the left and that the left is the real problem. Nope. The Overton Window has shifted to the right, so that even moderates seem like liberals to you. And that is why it took only minutes for people on the right to turn on Fox News and call for Pence’s head.

          Freedom of speech is not at risk. We have exponentially more free speech than our previous generation. What used to cost a LOT of money to print pamphlets, newspaper editorials, radio and TV broadcasts… now, an individual with ZERO DOLLARS can walk into a public library, create a social media account and reach millions of followers. And with just a home broadband, a camera and a mic… millions of people attain millions of followers just by speaking their opinion… and virtually no extra cost.
          That kind of free speech is unheard of in human civilization. And well beyond the imagination of the founding fathers’ intention.

          • Please let the free market sort out what is popular/desired. Political activists of any persuasion should only be allowed to persuade.

            The ability to persuade others demands the ability to communicate with others, without interference. You know, free speech. You know, the 1st Amendment.

            You are dangerously ignorant… the 1st Amendment is at great risk. “Hate speech” is a direct example. (Go read some Dershowitz books). Mob rule is not a good thing. Nor is censorship.

            Imagine if folks with enough power deemed Krebsonsecurity to be a legitimate enemy, and had him de-platformed.

            That would be the end of this good man’s career.

            I doubt you’d applaud that.

            • How do you think the first amendment is at risk? You don’t even know the words.

              Like a war on Christmas, you have been fed lies and propaganda, claiming that something is under attack, and you don’t even know what it means.

              You are dangerously ignorant if you believe dershowitz over the US Constitution. Is that the guy who defended OJ Simpson, Jeffrey Epstein and Harvey Weinstein?

              If that is who you are reading, and you’re on the same side as white supremacists, then you have no moral ground to stand on.

              A free market of ideas is exactly what we have, and is what I am defending. Internet companies, no matter how big they get, still have rights. They have the freedom to deny access to their platforms. In accordance with their own contracts and user agreements.

              Why do you want to force private individuals to host any speech? It should be up to them whether or not they want to allow certain content. They are private business owners and they built the infrastructure and platform.

              If Brian Krebs decided to break contracts or violate policies of any of the services that this site depends on, they would be within their rights to deplatform him. And that would be fine by me too.
              And Brian has every right to build his own infrastructure and platform and not be dependent on anybody.

              • Great to see someone that actually knows truth and isn’t afraid of telling others how the world really works. You’re doing great work my friend! It’s sad to see so many people being brainwashed into believing right-wing propaganda.

          • How does it feel to be a Mr. know-it-all INCEL?

          • Hi Jammin!

            I loved your comments. I think it is interesting how polarizing politics are today and how many people are passionate about the current issues.

            However, I think it is not a good idea to generalize all ideas presented by the right as conspiracies especially when the fact checkers used to debunk such theories are owned by people intimately connected with those who are being questioned. This alone should indicate a bias.

            Additionally, it is possible to argue that the left has also been fed lies and propaganda to influence their beliefs just as effectively as the right. I think it is interesting when I scroll through any popular media site and see that the videos and articles are full of opinion pieces and commenters.

            The issue with Amazon removing Parler is that they removed it because they claimed it was full of right-wing extremists who were perpetrating conspiracies. If indeed their goal is to remove misleading information, then Amazon should also remove Twitter from their services because there is a lot of misleading information on there too. I have been witness to many people calling for “kill all men” or “eat the rich” which are arguably calls to violence. Instead of censoring and removing anyone we disagree with from having a platform, people should be educated on how to find out the information themselves as well as be educated on how easy it is to emotionally manipulate a person.

            I am a Libertarian and enjoyed the freedom of thought I was able to experience by being on Twitter and Parler. We should embrace each other with unity (as our current president calls for) and understanding instead of pushing away those we disagree with.

            If you took a deep dive into the conspiracies, you could be surprised at the validity some of them have. I’ve put a few resources here below for your convenience to read at your leisure:

            Fauci et. al:
            https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2599911/

            Dr. James Meehan’s verbal warning:
            https://principia-scientific.com/covid-19-masks-causing-rise-in-bacterial-pneumonia/

            Vaccine Effectiveness:
            https://www.cdc.gov/mmwr/volumes/70/wr/mm7004a5.htm?s_cid=mm7004a5_w

            Mortality Rates:
            https://www.cdc.gov/library/covid19/pdf/2020-11-24-Science-Update_FINAL_public.pdf

            Pfizer’s projected earnings:
            https://www.bloomberg.com/news/articles/2021-02-02/pfizer-forecasts-15-billion-in-covid-vaccine-sales-for-2021

            • The thing about fact checking… is that the very process is resistant to bias. It doesn’t matter if the fact checker is a liberal or conservative. The facts are true or false. Opinion and bias do not enter into it. Read how the fact checks are written. Bias doesn’t show, because they only refute claims with facts, not opinion.
              If you don’t like the results of a fact check… why is it, you can’t just go to a politically opposed fact checker and find a different conclusion?
              The real issue at hand, is that people who tell lies, must also claim the news media is all fake, so they can proactively bypass fact checkers. Then when their lies get fact checked, they can then make an ad-hominem attack on the fact checkers, as if it would discredit their fact checks and allow their lies to stand unopposed.

              Yes, propaganda exists on both sides. The media, being profit driven, bears much of the responsibility for giving its audiences less real journalism, and more worldview confirming opinion. Unfortunately, we who consume the news must work harder to find more objective and fact based sources. It’s not easy, and we are very lazy. We don’t want to pay for news. We want it free, and we want it fast. Neither of those attributes are conducive to good journalism.

              “The issue with Amazon removing Parler is that they removed it because they claimed it was full of ___”…
              But that’s NOT the reason they removed Parler. That is what Parler will tell you, because they want to be considered a victim. A common defense of “whataboutism”.
              The real reason is complex. But to simplify a bit… it was because Parler was unable and/or unwilling to enforce their own policies.
              So let’s address the fallacy of whataboutism. Twitter has orders of magnitude more content compared to Parler. If 40% of Parler is violating policy, but Parler doesn’t even attempt to take down the content. While on Twitter, you flag tweets that violate policy, and they make a serious, concerted and continuous effort to remove such content. Even if it is just whack-a-mole and they never fully succeed in enforcement. They at least keep trying.
              Amazon sent several letters. So did Apple and Google. Parler would not comply.

              For the most part YouTube, Twitter and Facebook DO react first by informing and educating rather than banning. Plenty of disclaimers and labeling took place, for months. Only when it became clear that these people had no interest in understanding, that they were banned.

              I am all for reasoned and rational discussion.
              Yes, I have read some of the source material for many of the conspiracy theories out there. But my scientific background and study of logical fallacies allows me to quickly dismiss such theories on the basis of fact. I understand through careful study of history, how lies and propaganda work. So I am never impressed or surprised when a big lie has some “validity”. Because I understand how all good lies must contain a certain amount of fact on which to anchor. So I can readily agree to the facts of the sources… without even remotely conceding to the wild conclusions of conspiracy.

    • It’s time someone shines a light on Ron Gaulimette (if in fact he’s an actual person)

      • It’s terrifying to think that I may soon be targeted by dopes who can’t even manage to spell my name right. 🙂

        • You don’t get to decide what web sites stay on the net and which ones don’t but regardless whether it’s in Roseville or elsewhere your day of reckoning will come and all the monkeys in the world won’t save you.

          • Wow… you have a grandiose delusion about what is happening, and what is possible.

            Defrauding an Internet Registrar for IP address allocation isn’t “deciding what web sites stay on the net and which ones don’t”

            It sounds like you don’t even understand how the Internet works. So what are you even doing on this blog? Oh, right… Krebs is writing about Ne’er do wells, and you heard your name called.

            • I was referring to Ron’s efforts to keep Parlor off the internet. That’s some grandiose delusion but his efforts are getting the attention they deserve.

              Talk about yer “Ne’er do wells”. More like a self appointed crybaby.

              • So your only gripe with Ron is that he’s a Tattletale?
                Because that’s what this article is about, him narcing on DDOS-Guard to the relevant authority.

                That’s what Ne’er do wells, do so well. They try to get away with fraud. Pretending they aren’t from Russia, or Eastern Europe… but that they are in South America. A lot of them use it to get around GeoIP firewall rules.

                None of this can keep Parler off the Internet. Nor is it intended to do such a thing.
                It just means that these people need to run their own infrastructure and do it legitimately.

    • Big Tech is corrupt as Hell. Just today it was revealed that Google erased hundreds and hundreds of negative ratings for the Robinhood app in the Google Play Store, ostensibly to raise its now 1-star rating back up to 4.

      They did it, allegedly, because Sequoia Capital was an early VC investor in Google. I’ll let you guess who was also an early VC funder of Robinhood…. yep. Sequoia Capital.

      • Stop trying to spread your Qanon nonsense here.

        Conspiracy theorists are a plague on the internet.

        • You mean like the russia russia russia conspiracy?

          • The Russian conspiracy investigations resulted in the indictments of 34 individuals and 3 Russian businesses on charges ranging from computer hacking to conspiracy and financial crimes. Those indictments have led to 7 guilty pleas and 5 people sentenced to prison.

            If you’re talking about pee pee tapes or other unfounded allegations… those are tabloids and should be discarded unless real proof is found.

            Qanon deals with conspiracy theories not grounded in reality. There are real criminals in Russia, and some in the US working with them.

            • >resulted in indictments
              Indicting Russians who have never been to America is prosecutorial misconduct, because it generates an illusion that people like you take up as if truth, when it is not what it appears to be. Indicting foreigners during a wave of jingoistic fury is easier than a one eyed man winking.

              • Seems like you can’t or won’t read past the first line.

                “7 guilty pleas and 5 people sentenced to prison.”

                Only a handful of the indictments were foreign.
                There were plenty of indictments that led to arrests, that led to convictions…. Here in the US.

                You also seem to have no understanding of how the criminal justice system works.

                As Brian Krebs has written extensively on this topic… Indictment does not require physical presence in the country. Nor does it require a reasonable chance of arrest.
                Indictments are formal charges that are very important and useful, especially in cyber crime.

                It allows targeting of possible co-conspirators and further evidence gathering within jurisdiction.
                And like so many other Russian criminals have found out, a US indictment restricts money flow from the criminal activity.

                Even without the possibility of extradition from Russia… An indictment from the US could cripple their profit and travel freedom. Oftentimes, they slip up and get themselves arrested in a friendly country to be extradited to the United States.

  11. This is a great blog, very helpful for my research regarding DDoS Guard. Thank you for sharing this.

  12. The weird quote marks around free speech, surely they are most ominous, surely the nation has lost its soul.

    • The quotes indicate how so many people who claim “free speech” actually don’t know what it means. They haven’t actually read the constitution since grade school, and they just repeat some contemporary mythos about what “free speech” means.

  13. Just Tired of Idiots

    I love you, JamminJ