Too big to care: About the deteriorated abuse handling at some western IT giants

by Peter Müller, April 28, 2021, Updated May 7, 2021

Do you like what you are reading? Subscribe to our newsletter and don't miss out on the latest...   Join Now

Imagine you are in need of an ISP to host your 100,000 malware distribution sites. Which one would be your first choice? You operate a website for exchanging stolen credit card data, and need a reliable place for web and DNS services. Where do you go? A botnet operation of yours relies on reachable C&C servers, but even the dirtiest ISPs shut them down quickly. What to do?

Among the western cloud providers that fit the bill are Google, Microsoft and Cloudflare. Choose three.

Bulletproof ISPs: Dangerous, but easy to block

For years, some Russian and Chinese networks were commonly referred to as being the most dangerous parts of the internet. To a certain extent, this was (and is) right; both countries have an impressive history of hosting so-called bulletproof ISPs, which respond sloppily to complaints regarding malicious activities on their networks, if all. The Russian Business Network (RBN), operating out of Saint Petersburg, was probably the most infamous one.1 Among today's best-known bulletproof ISPs located in or linked to Russia are Media Land LLC and DDoS-Guard. Some places, though, never really made it into public knowledge, such as a complex of shady webhosting companies operating out of The Netherlands, providing services to miscreants for nearly 20 years.

While such ISPs certainly pose a threat to internet users, they usually scatter across a handful of IP networks and Autonomous Systems with little or no legitimate customers located there. As a result, it is rather easy to drop all network traffic from and - more importantly - to them, preventing users to reach malicious or questionable resources hosted there.

IPFire currently supports firewall rules based on IP addresses or networks, and locations. Building firewall rules based on Autonomous System is currently planned thanks to our location database, allowing more fine-grained network access control, especially if the networks of interest propagate many IP prefixes and/or are located in countries such as the United States, being too big to be blocked or allowed as such.

Hosting malicious content on hacked machines around the world - usually referred to as Fast Flux - is a more sophisticated approach to overcome IP-based blocking. Given it's technical nature, it requires access to compromised systems galore (sadly not a problem), often relies on bulletproof domain registrars not taking down the FQDNs used, and does not really offer bandwidth and latency guarantees, depending on the location of the hacked systems used this minute.

While attackers use Fast Flux techniques for high-risk content or infrastructure, (ab)using common western cloud services turns out to be both cheaper and more reliable. Why bother with all the complex technical stuff if you can achieve the same goals at legitimate ISPs for a fraction of the price?

The rise of "bulletproof" IT giants

Firewall rules tend to fail when it comes to malicious activity originating from big cloud providers or other heavily centralised IT players, such as major ESPs (email service providers). While processing Autonomous Systems makes it easier to permit access to one distinct cloud provider, but drop traffic to others located in the same area, they cannot protect against abuse within the AS or IP networks allowed.

This is precisely why the author is so disappointed about Google, Microsoft and Cloudflare: Blocking them is impossible in almost any circumstances - even dropping traffic to single IP addresses of them already causes huge collateral damage. Worse, they know they can get away with this attitude. Among the motivations behind this post is to raise pressure on such ISPs, striving for a internet being less dirty than the one we have to make do with today.

Using IPFire's web proxy in combination with some good and reliable domain-based blocklists2 is not a silver bullet either: While it helps to deny access to knowingly malicious domains hosted on legitimate infrastructure, it is of no use if the offending domain is something like firebasestorage.googleapis[.]com, being abused for hosting phishing sites for years.

Within the past few years, the picture of abuse on the internet has changed: While at least some ISPs in Russia and Eastern Europe improved significantly on detecting and terminating criminal customers, the situation at western cloud providers - especially the biggest ones - got even worse than it has been before.

Today, we are used to see 100,000 malware distribution sites hosted at Google, Microsoft Azure being abused for hosting C&C servers, open (!) redirection services of Google being used in phishing campaigns, Microsoft failing to drain the swamp of hijacked subdomains under *.microsoft.com and *.msn.com, Cloudflare hosting numerous "carding" sites - this list literally goes on for pages, ad nausem.

Among the The World's Worst Spam Support ISPs, Google currently ranks second, Microsoft is on #4 and Cloudflare on #6. Combined, they outrank the leader of this list, the Guangdong province division of Chinanet, by about 60 percent. While the internet community will certainly and rightly blame the latter for being a safe harbour to miscreants, similar accusations against western IT companies are rarely made at the same intensity.

A handful of IT companies can shape policies - for better or for worse

Regrettably, the future looks grim. As the internet becomes more and more centralised, today's IT giants will probably get even bigger, becoming even more "too big to fail" - or "too big to care" in terms of abuse handling.

We saw these actors enforcing good policies, such as HTTPS becoming the de-facto standard for today's web-based internet. Efforts against spoofed e-mails would not be possible at this extend if it wasn't for companies like Yahoo or PayPal having a huge problem with phishing mails targeting their customers. If big providers adopt security mechanisms, we have a large amount of users being protected very quickly - perhaps without even noticing.

On the other hand, the internet community keeps forgetting that those are in for profit after all. When it comes to privacy, we slowly realise how dangerous some ambitions of today's global IT players are - we do not seem to have fully noticed the danger caused by poor abuse handling of these actors as well. With it's cloud division making huge operational losses, Google certainly won't hire more personnel for their anti-abuse desk unless forced to do so. Sendgrid, to mention an ESP for once, fails to mitigate spam and phishing relayed through them due to hacked customers, but is too big to be blocked entirely. In his dayjob and while operating IPFire's mail systems, the author continues to observe a decent amount of junk mail traffic emitted by Google's mail infrastructure.

The mourner of this is the everyday internet user, and protecting them against malicious threats out of legitimate infrastructures is hard, costly, time-consuming and ultimately impossible.

We should force western IT giants to handle abuse seriously. Or we should at least stop applying double standards to smaller ISPs or providers in countries we do not like.

  1. Disappeared from the internet as such in 2008, it is unclear whether the actors behind RBN have ever ceased to operate malicious infrastructure. 

  2. Supporting DNS-based blackhole lists (DNSBLs) for IPFire's web proxy is planned as well, to enable using more precise and faster updated blocklist sources. However, unless the DNSBL infrastructure is located within the same organisation or network, this impacts both performance and privacy, as every FQDN accessed results in a DNS query emitted to the internet.