
OPSEC / Anonymity Security in CloudFlare

1R0N

In January 2021, the small Russian company DDoS-Guard provided its infrastructure to the American social network Parler. Shortly before, Amazon had refused to host Parler, and Apple and Google had removed it from their app stores, because right-wing activists used the social network to "encourage and incite violence" and to organize the attack on the Capitol. DDoS-Guard has had a less-than-perfect reputation in the past: its services were used by the anonymous conspiracy forum 8kun and by the website of the Islamist movement Hamas, although the founders of DDoS-Guard have repeatedly said that they do not consider this a problem and work with any client acting within the law. As Meduza found out, this is not entirely true: DDoS-Guard was suspected of providing hosting to fraudsters who steal banking data, and one of the largest online drug stores operates on infrastructure associated with DDoS-Guard. None of this, however, prevents DDoS-Guard from working with the Russian Ministry of Defense and the Central Bank.

[Photo: Dmitry Sabitov]

Ukrainian Roots

In July 2014, a few months after Russia's annexation of Crimea, two natives of Ukraine, Evgeny Marchenko and Dmitry Sabitov, registered DDoS-Guard LLC, a Russian legal entity operating under the DDoS-Guard brand, in Sevastopol.

A company with the same name and the same owners had been operating in Ukraine since 2011, two of its former employees told Meduza; the ddos-guard.net domain was registered the same year. DDoS-Guard's press service did not answer the question of whether the company operated in Sevastopol before 2014, saying only that "in 2011, development began on the software that later became a full-fledged service"; the reply does not say in which country that development began. "The company's main base has always been Rostov-on-Don," the press service says.

As Meduza found out, the registration in Russian jurisdiction and the move to Russia (the company's Rostov-on-Don office opened only in 2015) may have been prompted by problems that began before the Crimean events. In the spring of 2013, the Security Service of Ukraine (SBU), together with the local cyber police, carried out an investigation that included investigative actions at DDoS-Guard's Sevastopol office. Meduza was told about this by the CEO of an IT company in this field and by a former DDoS-Guard employee; according to both, the Ukrainian security services suspected Marchenko and Sabitov's companies of hosting one of the oldest Russian-language forums for bank-card fraudsters (carders), Verified.

“We have no information about such actions by the services of foreign states,” the DDoS-Guard press service responded to a request for comment on this information. The SBU and the cyber police did not respond to Meduza's requests.

Verified is one of the oldest Russian-language forums where online fraudsters of all stripes communicate, American cybersecurity specialist Brian Krebs wrote in 2011. Registration on the forum cost $50, and it positioned itself as "a textbook for carders and a place to communicate and to search for the information and people needed for shadow work."

“Verified was indeed a DDoS-Guard client, but at the time they had all sorts of stuff hanging on the network. The company was small, and there was no particular choice of clients,” a former DDoS-Guard employee told Meduza. “Besides, it was common for darknet resources and the like to DDoS their competitors, so demand for anti-DDoS among them was huge, while 'white' businesses did this much less often. Few people want to host such sites either, so they can be charged more for hosting.”

Upon learning that the SBU was interested in them because of Verified, Marchenko and Co. hastily began to "cut off their tails," Meduza's source says: "As far as I heard, the information about Verified was handed to the SBU by US law enforcement agencies, yes, because Russian carders have been hanging around there forever, terrorizing Western banks" (Meduza was unable to confirm through third-party sources that such information was passed to Ukraine from the United States).

According to IP History data from the ViewDNS service, the verified.ms domain, on which the carder forum of the same name operated for a long time, resolved in April 2013 to IP 186.2.175.18, and DDoS-Guard has been the holder of this IP since December 2012. The database of the Internet registry LACNIC indicates that this IP address belongs to DDoS-GUARD Ecuador, and the contact number listed is a phone number belonging to DDoS-Guard CEO Evgeny Marchenko (a Meduza journalist reached him at this number, but Marchenko refused to talk and directed all questions to the company's press service). In other words, this data makes it very likely that DDoS-Guard provided its infrastructure to the Verified forum.

How high is this probability? According to Philip Kulin, former co-owner of the hosting provider Diphost, the combination of factors here allows one to speak of a probability close to 100%, even though almost no technical information on the Internet, with the exception of SSL certificates, is strictly verified.

“According to LACNIC, this block of IPs currently belongs to DDoS-Guard, so it can be argued that a similar entry in the registry from those years is not a miraculous coincidence either. Besides routing information, registry entries contain contacts for technical questions or complaints, and the mobile phone of a DDoS-Guard co-owner is unlikely to appear there by coincidence,” Kulin explains. “I consider it almost impossible that such a prominent client as Verified quietly and imperceptibly, as if by accident, used someone's IP for any noticeable length of time without the owner being aware of it. As a result, all this data allows us to assert with 99.9% probability that Verified was indeed a DDoS-Guard client in one form or another.”

DDoS-Guard's press service does not claim that this could not have happened; the company's position is different. “Our job is to secure websites, not to fill them with content. All questions about the content of sites are for their owners. A provider is not obliged to monitor, or be responsible for, the content posted by its customers; the Internet is built on this principle,” the DDoS-Guard press service said in its reply to Meduza. Moreover, a client could have provided false documents or changed the content of the site over time, the company adds: “Changes like this are impossible to track, especially when you have hundreds of thousands of customers.”

Moving to Russia

Even before the Russian legal entity was registered, in January 2014, DDoS-Guard became a partner of the large domain registrar Reg.ru, a former employee of the company told Meduza: “Marchenko had a Russian passport; although he was born in Kyiv, he lived in Rostov-on-Don and graduated from a university there, so the DDoS-Guard office was later moved there. And Sabitov, from Sevastopol, received Russian citizenship after the annexation of Crimea.”

In Russia, DDoS-Guard now has high-status clients among government agencies. In January 2016, the company signed a contract with the Ministry of Defense of the Russian Federation to provide DDoS protection services, and in 2018 it took part in Roskomnadzor's testing of DPI systems under the "sovereign Runet" law.

The CEO of a large IT company told Meduza that the Central Bank is also among DDoS-Guard's clients: AS8904, owned by the Central Bank, lists DDoS-Guard's AS57724 as one of its three upstream providers. Mikhail Klimarev, Executive Director of the Internet Protection Society, confirmed to Meduza that, judging by this network arrangement, the Central Bank is indeed a DDoS-Guard client.

While protecting the Central Bank, DDoS-Guard continued to provide services to several forums for bank-card fraudsters and hackers. The sites darkode.su, hacker-pro.net, crimeprint.com and validcc.name sat on DDoS-Guard IP addresses in 2015-2020, the CEO of a large IT company said, and ViewDNS data confirms this. The Verified forum, which moved to the verified.vc domain, also continued to operate on DDoS-Guard IP addresses for some time.

Meduza asked Leonid Evdokimov, a technical consultant at Roskomsvoboda, to confirm or refute these conclusions. “I cannot refute the assumption that the web pages of these domains were served by DDoS-Guard. The IP addresses from the archive of DNS records were assigned to DDoS-Guard; according to the RIPEstat archive, these addresses were not announced from other autonomous systems; and the web pages, according to the Internet Archive, were available,” Evdokimov replied.

In theory, DDoS-Guard could have subleased its IP addresses, in which case the company would have no connection to the hosting of the listed resources, “but it was not possible to find evidence to support this version of events,” Evdokimov added. He also doubts that attackers could use the company's IP addresses without DDoS-Guard's knowledge: -resource".
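The chain of evidence used above for Verified and for the later forums (a historical DNS resolution to an IP, the RIR allocation record for that IP and its contact, and the absence of any other autonomous system announcing the block in the RIPEstat archive) is, in effect, a join across three timelines. The Python below is an added example, not code from Meduza or from any of the services it cites (ViewDNS, LACNIC, RIPEstat); it performs that join over constructed records. The domain forum.example, the organisation EXAMPLE-GUARD, the RFC 5737 prefixes, the RFC 5398 documentation ASNs and the phone numbers are all placeholders. It also handles the sublease caveat Evdokimov raises: a prefix that another ASN also originated during the window is flagged rather than attributed outright.

```python
"""Temporal hosting attribution: join passive-DNS "IP history", RIR allocation
history and a BGP announcement archive to decide whether a domain sat on a
provider's address space during a window.

Added example, not code from the Meduza article or any service it cites
(ViewDNS, LACNIC, RIPEstat). All records are constructed: RFC 5737 prefixes,
RFC 5398 documentation ASNs, placeholder domain, org and phone values.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

@dataclass(frozen=True)
class DnsRecord:           # passive-DNS row: domain -> IP over a date range
    domain: str
    ip: str
    first_seen: date
    last_seen: date

@dataclass(frozen=True)
class Allocation:          # RIR inetnum-style row: prefix -> holder over time
    prefix: str
    org: str
    admin_phone: str
    valid_from: date
    valid_to: Optional[date]   # None = still current

@dataclass(frozen=True)
class Announcement:        # BGP-archive row: which ASN originated a prefix
    prefix: str
    origin_asn: int
    first_seen: date
    last_seen: date

def overlap_days(a_from: date, a_to: Optional[date],
                 b_from: date, b_to: Optional[date]) -> int:
    """Inclusive number of days two intervals share; None means open-ended."""
    start = max(a_from, b_from)
    end = min(a_to or date.max, b_to or date.max)
    return (end - start).days + 1 if end >= start else 0

def attribute(domain: str, target_org: str, target_asns: set,
              dns: Iterable[DnsRecord], allocs: Iterable[Allocation],
              bgp: Iterable[Announcement], known_phones: Iterable[str] = ()) -> list:
    """One evidence dict per DNS record whose IP fell in target_org's blocks
    while the domain resolved there. other_origins lists any non-target ASN
    that also originated the prefix in that window (a sublease signal)."""
    known, findings = set(known_phones), []
    for rec in dns:
        if rec.domain != domain:
            continue
        ip = ip_address(rec.ip)
        for alloc in allocs:
            if alloc.org != target_org or ip not in ip_network(alloc.prefix):
                continue
            days = overlap_days(rec.first_seen, rec.last_seen,
                                alloc.valid_from, alloc.valid_to)
            if days == 0:          # block changed hands outside the DNS window
                continue
            origins = {a.origin_asn for a in bgp if ip in ip_network(a.prefix)
                       and overlap_days(rec.first_seen, rec.last_seen,
                                        a.first_seen, a.last_seen)}
            findings.append({
                "ip": rec.ip, "prefix": alloc.prefix, "overlap_days": days,
                "phone_match": alloc.admin_phone in known,
                "target_announced": bool(origins & target_asns),
                "other_origins": sorted(origins - target_asns),
            })
    return findings

def verdict(findings: list) -> str:
    """Collapse the evidence into the kind of statement the article's experts make."""
    if not findings:
        return "no overlap with target address space"
    if any(f["other_origins"] for f in findings):
        return "overlap, but prefix also announced by other ASNs: possible sublease"
    if all(f["target_announced"] and f["phone_match"] for f in findings):
        return "strong: registry holder, registry contact and BGP origin all agree"
    return "weak: address overlap only"

# Constructed sample data, not real observations.
SAMPLE_DNS = [
    DnsRecord("forum.example", "192.0.2.18", date(2013, 4, 1), date(2013, 9, 30)),
    DnsRecord("forum.example", "198.51.100.7", date(2013, 10, 1), date(2014, 6, 30)),
]
SAMPLE_ALLOCS = [
    Allocation("192.0.2.0/24", "EXAMPLE-GUARD", "+1-555-0100", date(2012, 12, 1), None),
    Allocation("198.51.100.0/24", "EXAMPLE-GUARD", "+1-555-0199", date(2014, 1, 1), None),
]
SAMPLE_BGP = [
    Announcement("192.0.2.0/24", 64496, date(2012, 12, 1), date(2021, 1, 31)),
    Announcement("198.51.100.0/24", 64496, date(2014, 1, 1), date(2021, 1, 31)),
    Announcement("198.51.100.0/24", 64497, date(2014, 3, 1), date(2015, 3, 1)),
]

def demo(domain: str) -> list:
    """Run the check for one domain against the constructed datasets above."""
    return attribute(domain, "EXAMPLE-GUARD", {64496}, SAMPLE_DNS, SAMPLE_ALLOCS,
                     SAMPLE_BGP, known_phones={"+1-555-0100"})
```

The verdict function mirrors the experts' reasoning: address overlap alone is weak; the registry holder, the registry contact and a sole BGP origin all agreeing is strong; a second origin ASN in the window is the sublease case and should lower confidence rather than be ignored. For a real investigation the same three record types would be loaded from a passive-DNS export, RIR bulk WHOIS data and a BGP archive such as RIPEstat, and the day count gives a sense of whether the placement was incidental or sustained.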

Protests in Hong Kong

In the summer of 2019, Hong Kong was engulfed in demonstrations of millions of people, provoked by an attempt by the Chinese authorities to oblige the city to extradite violators of Chinese law to mainland China. Until 2047, when Chinese law is to apply to the city in full, it is in theory entitled to broad autonomy.

Protesters clashed with the authorities for months, and both sides acted harshly: police fired tear gas and rubber bullets and carried out mass arrests; protesters stormed the city's legislature, rioted at universities, blocked public transport and set police vehicles on fire.

A couple of months after the start of the protests, sites under the general name HKLeaks appeared on the Internet; on them, unknown people began mass-publishing the personal data of Hong Kong protesters: names, home addresses, social media profiles and phone numbers, along with descriptions of their alleged crimes during the protests. Harassment followed: for example, Hong Kong activist Carol Nge said that after her data appeared on HKLeaks, she began receiving threatening calls from strangers and messages calling her a "cockroach".

Hong Kong Privacy Commissioner Stephen Wong asked the police to shut these sites down in 2019, but some of them are still working, Meduza found. At the same time, during the protests, HKLeaks websites were actively advertised on resources associated with the Chinese Communist Party, according to numerous media reports.

Some of the HKLeaks project's domains (namely hkleaks.ru, hkleaks.pk, hkleaks.pw, hkleaks.cc, hkleaks.kg and hkleaks.kz) were hosted by DDoS-Guard, said an employee of an international IT company living in Southeast Asia. The IP History for these domains shows that they were indeed on IP addresses held by DDoS-Guard.

Moreover, in its official Twitter account, DDoS-Guard confirmed that it provides services to the HKLeaks project. “Despite the fact that we are constantly being dragged into the story of the protests in Hong Kong, we remain outside politics. We receive thousands of messages saying that our client HKLeaks is violating the law, but there is no legal evidence of this (presumption of innocence, remember that one?)” reads a post from the official DDoS-Guard Twitter account published in October 2019.

“HKLeaks content was aimed at solving the Chinese authorities' political problems in Hong Kong, so supporting it while claiming that the company remains outside politics is completely illogical,” says the employee of an international IT company based in Southeast Asia. “If DDoS-Guard had instead hosted the protesters' content, the situation would have been similar: in China they would simply have been accused of violating the law banning propaganda of separatism. So if the company really is outside politics, the best strategy is not to get involved in the conflict on either side.”

Persecuted Parler

DDoS-Guard gained worldwide notoriety in January 2021, when it began providing services to the disgraced American social network Parler.

Parler was very popular among supporters of former US President Donald Trump; it was on this platform that they, among other things, discussed the impending attack on the Capitol, which took place on January 6. After those riots, Amazon stopped hosting Parler, and Apple and Google removed the app from their stores. As a result, the social network went offline.

By disconnecting Parler from the Internet, technology companies are trying to “suppress incitement to violence,” Forbes noted. Parler CEO John Matze responded by accusing the tech giants of a coordinated assault on free speech and an attempt to destroy competition in the free market.

A few days later, Parler began to use DDoS-Guard's infrastructure. The Russian company refuses to disclose exactly which services it provides to the social network, citing confidentiality (and, probably, Parler's earlier problems). Secrecy did not help much, however, and DDoS-Guard itself came under attack: its American partner Coresite cut off the company's access to its data center, although the formal reason given was not the cooperation with Parler.

In the United States, DDoS-Guard has long had a controversial reputation: cybersecurity specialist Brian Krebs wrote that the company provided services to the website of the Islamist movement Hamas, which is designated a terrorist organization in the United States and many other countries (but not in Russia). And at the end of 2020, it became known that the scandalous 8kun imageboard, formerly known as 8chan, had become a DDoS-Guard client; at various times both child pornography and terrorist manifestos have appeared on it, and recently the QAnon conspiracy theory about "Satanist pedophiles" in US ruling circles has been actively discussed there.

DDoS-Guard, however, claimed that when the contracts were signed it was not aware of exactly whom it was providing services to, and that it cut off the Hamas and 8chan websites as soon as it learned of the content posted on them. DDoS-Guard CEO Yevgeny Marchenko, in a conversation with The Guardian, once again said that "the company does not support any illegal activity" and "is not associated with any political movements."

The company policy document posted on DDoS-Guard's official website states that customers should use DDoS-Guard services only for lawful purposes. It also lists unlawful ones, among them drug trafficking, gambling, piracy and "sending messages with the intention of threatening or harassing a person."

But Meduza has established that the hkleaks.pk website, used to intimidate protesters in Hong Kong, as well as resources with content the company itself has declared illegal, are still running on DDoS-Guard IP addresses.

In particular, at IP address 185.178.211.2, registered to the company Cognitive Cloud, there is now the site d****anonstore.to, one of the oldest and largest online drug stores, which has existed since 2012. According to the British companies register, Cognitive Cloud was registered by Evgeny Marchenko and Alexey Likhachev, director of information security at DDoS-Guard. Marchenko confirmed that Cognitive Cloud is one of his structures and was registered in Scotland, since "the UK is very convenient for doing business."

“Thank you for letting us know about this domain,” a DDoS-Guard spokesperson told Meduza, adding that the company opposes any illegal content and any illegal use of its services, and will look into it.

Meanwhile, cybersecurity specialist Brian Krebs has also noted that his study of several thousand sites hosted by DDoS-Guard found among them "a huge number of phishing sites and domains that provide services and forums for cybercriminals."

Problematic and questionable

Providing services to resources with illegal or controversial content is hardly a rare practice among companies in the hosting and DDoS-protection market. For example, in 2011 one of the largest providers in this area, the American company Cloudflare, protected the website of the LulzSec hacker group, which had hacked the film studio Sony Pictures, from DDoS attacks. After this was reported, Cloudflare's head, Matthew Prince, defended the decision by saying that even if the site were dropped, it would not disappear from the Internet for good.

“At Cloudflare, we firmly believe that our role is not to censor the internet… We respect the laws of the jurisdictions in which we operate, but we do not feel it is our job to determine what content can and cannot be posted. It's a slippery slope we won't tread on,” Prince wrote. Over time, though, the company's position has shifted somewhat: in 2019, for example, Cloudflare publicly severed relations with the 8chan imageboard, calling it a "cesspool of hate."

“Cloudflare does provide services to many dubious resources. On the one hand, they have so many clients that they may not even know who is operating on their network. On the other hand, they clearly do not seek to find out; the company's position is that decisions are made after the fact, after receiving all sorts of complaints and requests from law enforcement agencies,” says Karen Kazaryan, CEO of the Internet Research Institute, in a conversation with Meduza.

The question of whether infrastructure providers should censor the Internet is “philosophical” and is for each company to decide, says Kazaryan: “Some, like Cloudflare, believe they shouldn't look into what content their customers post; that is not their business but law enforcement's. On the other hand, many respected European and American providers really do refuse to host resources with illegal or controversial content so as not to damage their reputation. That is why hosting such sites is quite a profitable business, because it pays more on account of the associated risks.”

“Our services can be connected automatically by any Internet user. Our goal is to provide clients with security services for their resources,” the DDoS-Guard press service responded to Meduza's request to comment on the provision of services to fraudsters and drug dealers. “We are not responsible for what people and organizations post on their sites, just as an Internet provider is not responsible for the content its customers view once their connection has been set up, or for the actions those users take online.”

There is no need to shift law-enforcement tasks onto hosting providers, because there are no clear criteria for the good faith of customers, adds Philip Kulin, former co-owner of the Diphost hosting provider: provide services to him? Unclear.”

Kulin believes, however, that DDoS-Guard and Yevgeny Marchenko personally are being disingenuous when they pretend not to work with resources containing illegal content. “When you get a client like Verified or D****anonstore, its competitors immediately come to you and start arranging DDoS attacks, the special services come, and all sorts of concerned people send messages: 'Do you know that they are on your network?' When we hosted a similar resource on our network, people even came to our office and said: 'Remove this infection from your network, we know it's hosted with you.' Toxic sites cannot be hosted without knowing about it, and without having specific problems because of it,” says Kulin. Given those “specific problems,” the company will always demand a lot of money to cover them, he adds.

“Everyone knows perfectly well that DDoS-Guard hosts a lot of murky and sometimes illegal resources, and they themselves know it first of all; they probably have enormous problems because of it, and as a result, enormous money, because you will not host such problematic clients at the usual price,” Kulin sums up.

According to Karen Kazaryan, Parler, given the size of the site and its number of users, probably paid Amazon about a million dollars a year for hosting and related services, "and is unlikely to be paying DDoS-Guard much less, given the current situation."

“For even more toxic clients and various illegal services, the price of each service usually rises at least twofold compared to standard rates. In addition, the final price depends heavily on the size of the resource and the number of users. And don't forget that sites usually take a package of services at once: hosting, DDoS protection and so on, and when the price of each of them at least doubles, the result is a big price tag,” says Kazaryan.

The cost of services for such clients is a matter of individual agreement: the price can be five or 50 times higher than for similar services to a standard client, adds Philip Kulin: “In 2009-2014, one client from a similar category paid me one thousand rubles a month for hosting and anti-DDoS instead of the standard 250 rubles, and another paid 10 thousand. And with Verified and the like, the scale of toxicity and of the DDoS attacks against them is on a completely different level.”