The Internet is a big, big place and will only increase once IPv6 is more widely adopted. Living amongst the backbone routing, networked refrigerators and live drone feeds exists a just as critical set of services, hosting providers. The term itself is a bit misleading as it doesn't just pertain to website providers like GoDaddy or 1&1 or Google, but also encompasses additional services like content delivery networks (CDNs) and virtual private servers (VPSs). It's not always easy to identify these sorts of services and thus it's important to understand how they could manifest themselves when performing threat infrastructure analysis.
In order to read this blog, it has to be hosted some where. Web hosting providers are literally everywhere on the Internet, but most of the popular ones tend to also double as registrars, so you can not only get the domain you want, you can also put something there. What makes these providers a problem when performing analysis lies in the defaults.
Lets say you register a new website and decide you aren't quite ready to put it to use. In cases like this, the registrar will often associate a "parking page" with the domain, so that when someone visits the site, they know it's been registered and where they could go to register their own domain. Parking pages are often hosted on a set of IP addresses and will almost never have any direct relation to the future websites content.
When performing analysis, a good way to identify a parking page is to keep an eye out for subnets that associate with major web hosting providers or registrars like GoDaddy or 1&1. Additionally, these IP addresses will often share thousands of registered domains at various points in time for several years. Looking at WHOIS data on the records may reveal the same registrar or provider for all the domains which could aid in a final decision.
Another default setting some web hosts will put in place is the automatic creation of common subdomains. These values could include items like "www", "mail", "ftp" and so on. Depending on the provider, these subdomains may route to other hosted services, or could also be directed to a parking page. Despite their potentially automated creation, it's still useful to investigate these values as they will sometimes contain actor-controlled infrastructure if settings were misconfigured.
Content Delivery Networks (CDN)
Ever wonder how large web services render quickly or stay online despite serving millions of users? It's quite possible they may get some help from content delivery networks. Providers like Fastly, Cloudflare and Akamai are able to sit in front of the destination application and provider capabilities like cacheing, load balancing and session management.
While these services provide amazing value to their customers, they obfuscate the true backend destination of the webserver. Attempting to resolve a domain that's being served with a CDN will only yield the CDN's infrastructure. In order to scale, these providers may place several domains on the same set of IP addresses or constantly rotate values.
As an analyst, the best way to identify a CDN is to pay close attention to the activity of the resolutions. Is the domain constantly routing back and forth on IP addresses as part of the same subnet? Is this happening on a hourly or daily basis? Other clues could include details like the autonomous system name which we automatically derive as a global tag on all IP addresses.
Virtual Private Servers (VPS)
If servers didn't exist, surfing the web would be pretty boring. When it comes to hosting, there are a number of ways to get your content on the web and one of the cheaper, preferred solutions is to use a virtual private server. Many providers exist and depending on the server specifications, you can obtain a machine for as little as $5 a month and have content published on the web in as little as 10 minutes.
Given the easy nature of deploying a VPS, it shouldn't be a surprise that some users may use a VPS just for their limited needs before deleting it and taking it offline. In fact, companies like Amazon and Google have capitalized on the idea and allow users to bid/rent computing resources on their hardware for individual tasks or short-running jobs.
From an infrastructure stand-point, it's important to keep the potential short-lived nature of a VPS in mind. Once a machine has been deallocated, it's IP address is placed back in a pool of free resources. This means that an attacker could setup a VPS, run it for several weeks to perform attacks and then decommission it only for it to later be assigned to a legitimate website.
Paying close attention to timeframes and rapid changes are important when looking at VPS infrastructure. Using the PassiveTotal heatmap, it's possible to quickly ascertain if a lot of new unique items are being associated with a particular IP address. Similar to CDNs, the AS name may also provide some hints or clues as to who the subnet has been allocated to.
If You See Something, Flag Something
Identifying providers when doing infrastructure analysis is no easy feat; it takes practice and a bit of digging in order to validate your conclusions. PassiveTotal recognizes these challenges and provides a few mechanisms inside the platform to help address them.
As you are performing analysis and identify a specific provider, consider tagging it or classifying them with their associated label. For example, it's unlikely a CDN IP address will be compromised directly, so classifying it as benign could be helpful. When you pivot in the future, PassiveTotal will automatically include your specific tags on entries and also color-code rows based on the classification set. While it seems trivial, these simple tools serve as a vital way of building a knowledge base that often goes untracked.