Behaviors and Patterns of Bulletproof and Anonymous Hosting Providers

Tuesday, January 31, 2017 - 9:00am9:30am

Dhia Mahjoub, Principal Engineer, OpenDNS Research Labs


Bulletproof and anonymous hosting providers are key enabling factors of ransomware, phishing, and other cybercrime operations. Bulletproof hosters shield criminal content from abuse complaints and takedowns, whereas anonymous offshore hosters preserve privacy and free speech for their customers. Despite being conceptually different, the distinction between both classes tends to blur in practice. These hosters leverage multiple factors in their operations: the anonymity of the internet when establishing their businesses, heterogeneous laws and norms that exist in cross-border online spaces, and jurisdictions with little or no legislation to enforce laws against cyber criminals. Focusing threat intelligence efforts on these services and the actors that provide them is an important step to identifying and removing illegal and malicious content on the Internet. As an example, we choose The Netherlands, one of the world's top transit and hosting spaces, and through our research we bring together findings from the network and the field to shed light on criminal hosting in the Dutch IP space. This talk will be useful to threat analysts, security researchers, and law enforcement.

This is a joint work with Sarah Brown (Security Links/NATO).

Dhia Mahjoub, Principal Engineer, OpenDNS Research Labs

Dhia Mahjoub is the Principal Engineer of OpenDNS Research Labs (now part of Cisco) with more than 10 years of technology research experience in network protocols, graph theory, sensor networks, and security. He builds large scale threat detection systems, leads research projects, and provides expert advice on strategic directions. Dhia holds a PhD in Computer Science from Southern Methodist University with a specialty in graph theory applied on Wireless Sensor Networks. He has presented at conferences worldwide including APWG eCrime, Botconf, Black Hat, Defcon, Virus Bulletin, ShmooCon, Kaspersky SAS, Infosecurity Europe, BruCon,, FloCon, and RSA.

@conference {202502,
author = {Dhia Mahjoub},
title = {Behaviors and Patterns of Bulletproof and Anonymous Hosting Providers},
year = {2017},
address = {Oakland, CA},
publisher = {{USENIX} Association},