CyberBunker 2.0 -- A Domain and Traffic Perspective on a Bulletproof Hoster
This work addresses the problem of identifying malicious hosting services, a concern for cybersecurity researchers and practitioners alike, though it is incremental in that it builds on existing studies of bulletproof hosters (BPHs).
The study analyzed domains, web pages, and traffic associated with CyberBunker 2.0, a bulletproof hoster, to characterize its traffic, and found that traditional BGP-based identification fails to flag it, while domain- and traffic-level features could aid future detection.
In September 2019, some 600 armed German police officers seized the physical premises of a Bulletproof Hoster (BPH) referred to as CyberBunker 2.0. The hoster resided in a decommissioned NATO bunker and advertised that it would host anything except child pornography and terrorism-related content, while keeping servers online no matter what. While the anatomy, economics, and interconnection-level characteristics of BPHs have been studied, their traffic characteristics remain unknown. In this poster, we present the first analysis of domains, web pages, and traffic captured at a major tier-1 ISP and a large IXP while the CyberBunker was in operation. Our study sheds light on the traffic characteristics of a BPH in operation. We show that a traditional BGP-based BPH identification approach cannot detect the CyberBunker, but we find characteristics from a domain and traffic perspective that can feed future identification approaches.