CyberBunker 2.0 -- A Domain and Traffic Perspective on a Bulletproof Hoster
Daniel Kopp, Eric Strehle, Oliver Hohlfeld

TL;DR
This paper analyzes the domain, web, and traffic characteristics of CyberBunker 2.0, a notorious Bulletproof Hoster, revealing insights that can improve detection methods beyond traditional BGP-based approaches.
Contribution
It provides the first traffic analysis of a BPH during operation, highlighting new domain and traffic features for better identification methods.
Findings
Traditional BGP-based detection fails for CyberBunker
Domain and traffic features can aid in identifying BPHs
Traffic characteristics of a BPH in active operation are characterized
Abstract
In September 2019, 600 armed German cops seized the physical premises of a Bulletproof Hoster (BPH) referred to as CyberBunker 2.0. The hoster resided in a decommissioned NATO bunker and advertised to host everything but child porn and anything related to terrorism while keeping servers online no matter what. While the anatomy, economics and interconnection-level characteristics of BPHs are studied, their traffic characteristics are unknown. In this poster, we present the first analysis of domains, web pages, and traffic captured at a major tier-1 ISP and a large IXP at the time when the CyberBunker was in operation. Our study sheds light on traffic characteristics of a BPH in operation. We show that a traditional BGP-based BPH identification approach cannot detect the CyberBunker, but find characteristics from a domain and traffic perspective that can add to future identification…
