Resident evil: Understanding residential IP proxy as a dark service

Xianghang Mi; Xuan Feng; Xiaojing Liao; Baojun Liu; Xiaofeng Wang; Feng Qian; Zhou Li; Sumayah Alrwais; Limin Sun; Ying Liu

doi:10.1109/SP.2019.00011

Resident evil: Understanding residential IP proxy as a dark service

Xianghang Mi, Xuan Feng, Xiaojing Liao, Baojun Liu, Xiaofeng Wang, Feng Qian, Zhou Li, Sumayah Alrwais, Limin Sun, Ying Liu

Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

49 Scopus citations

Abstract

An emerging Internet business is residential proxy (RESIP) as a service, in which a provider utilizes the hosts within residential networks (in contrast to those running in a datacenter) to relay their customers' traffic, in an attempt to avoid server- side blocking and detection. With the prominent roles the services could play in the underground business world, little has been done to understand whether they are indeed involved in Cybercrimes and how they operate, due to the challenges in identifying their RESIPs, not to mention any in-depth analysis on them. In this paper, we report the first study on RESIPs, which sheds light on the behaviors and the ecosystem of these elusive gray services. Our research employed an infiltration framework, including our clients for RESIP services and the servers they visited, to detect 6 million RESIP IPs across 230+ countries and 52K+ ISPs. The observed addresses were analyzed and the hosts behind them were further fingerprinted using a new profiling system. Our effort led to several surprising findings about the RESIP services unknown before. Surprisingly, despite the providers' claim that the proxy hosts are willingly joined, many proxies run on likely compromised hosts including IoT devices. Through cross-matching the hosts we discovered and labeled PUP (potentially unwanted programs) logs provided by a leading IT company, we uncovered various illicit operations RESIP hosts performed, including illegal promotion, Fast fluxing, phishing, malware hosting, and others. We also reverse engi- neered RESIP services' internal infrastructures, uncovered their potential rebranding and reselling behaviors. Our research takes the first step toward understanding this new Internet service, contributing to the effective control of their security risks.

Original language	English (US)
Title of host publication	Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	1185-1201
Number of pages	17
ISBN (Electronic)	9781538666609
DOIs	https://doi.org/10.1109/SP.2019.00011
State	Published - May 2019
Event	40th IEEE Symposium on Security and Privacy, SP 2019 - San Francisco, United States Duration: May 19 2019 → May 23 2019

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
Volume	2019-May
ISSN (Print)	1081-6011

Conference

Conference	40th IEEE Symposium on Security and Privacy, SP 2019
Country/Territory	United States
City	San Francisco
Period	5/19/19 → 5/23/19

Bibliographical note

Funding Information:
ACKNOWLEDGMENT We are grateful to our shepherd Professor Matthew Smith and the anonymous reviewers for their insightful and helpful comments. The IU authors are supported in part by NSF 1408874, 1527141, 1618493, 1618898 and ARO W911NF1610127. Also, authors from Tsinghua University are supported in part by the National Natural Science Foundation of China (grant 61772307) and CERNET Innovation Project NGII20160403.

Publisher Copyright:
© 2019 IEEE.

Keywords

Anonymity
Embedded-systems-security
Malware-and-unwanted-software
Network-and-systems-security
Residential-IP
Residential-IP-proxy-as-a-service
Residential-proxy
Security-and-privacy-for-the-Internet-of-Things
Web-proxy

Publisher link

10.1109/SP.2019.00011

Find It

Find It at U of M Libraries

Cite this

Mi, X., Feng, X., Liao, X., Liu, B., Wang, X., Qian, F., Li, Z., Alrwais, S., Sun, L., & Liu, Y. (2019). Resident evil: Understanding residential IP proxy as a dark service. In Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019 (pp. 1185-1201). Article 8835239 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2019-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP.2019.00011

Resident evil: Understanding residential IP proxy as a dark service. / Mi, Xianghang; Feng, Xuan; Liao, Xiaojing et al.
Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019. Institute of Electrical and Electronics Engineers Inc., 2019. p. 1185-1201 8835239 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2019-May).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Mi, X, Feng, X, Liao, X, Liu, B, Wang, X, Qian, F, Li, Z, Alrwais, S, Sun, L & Liu, Y 2019, Resident evil: Understanding residential IP proxy as a dark service. in Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019., 8835239, Proceedings - IEEE Symposium on Security and Privacy, vol. 2019-May, Institute of Electrical and Electronics Engineers Inc., pp. 1185-1201, 40th IEEE Symposium on Security and Privacy, SP 2019, San Francisco, United States, 5/19/19. https://doi.org/10.1109/SP.2019.00011

@inproceedings{4f0fbf505bad46c984b476623eb4ed7e,

title = "Resident evil: Understanding residential IP proxy as a dark service",

abstract = "An emerging Internet business is residential proxy (RESIP) as a service, in which a provider utilizes the hosts within residential networks (in contrast to those running in a datacenter) to relay their customers' traffic, in an attempt to avoid server- side blocking and detection. With the prominent roles the services could play in the underground business world, little has been done to understand whether they are indeed involved in Cybercrimes and how they operate, due to the challenges in identifying their RESIPs, not to mention any in-depth analysis on them. In this paper, we report the first study on RESIPs, which sheds light on the behaviors and the ecosystem of these elusive gray services. Our research employed an infiltration framework, including our clients for RESIP services and the servers they visited, to detect 6 million RESIP IPs across 230+ countries and 52K+ ISPs. The observed addresses were analyzed and the hosts behind them were further fingerprinted using a new profiling system. Our effort led to several surprising findings about the RESIP services unknown before. Surprisingly, despite the providers' claim that the proxy hosts are willingly joined, many proxies run on likely compromised hosts including IoT devices. Through cross-matching the hosts we discovered and labeled PUP (potentially unwanted programs) logs provided by a leading IT company, we uncovered various illicit operations RESIP hosts performed, including illegal promotion, Fast fluxing, phishing, malware hosting, and others. We also reverse engi- neered RESIP services' internal infrastructures, uncovered their potential rebranding and reselling behaviors. Our research takes the first step toward understanding this new Internet service, contributing to the effective control of their security risks.",

keywords = "Anonymity, Embedded-systems-security, Malware-and-unwanted-software, Network-and-systems-security, Residential-IP, Residential-IP-proxy-as-a-service, Residential-proxy, Security-and-privacy-for-the-Internet-of-Things, Web-proxy",

author = "Xianghang Mi and Xuan Feng and Xiaojing Liao and Baojun Liu and Xiaofeng Wang and Feng Qian and Zhou Li and Sumayah Alrwais and Limin Sun and Ying Liu",

note = "Funding Information: ACKNOWLEDGMENT We are grateful to our shepherd Professor Matthew Smith and the anonymous reviewers for their insightful and helpful comments. The IU authors are supported in part by NSF 1408874, 1527141, 1618493, 1618898 and ARO W911NF1610127. Also, authors from Tsinghua University are supported in part by the National Natural Science Foundation of China (grant 61772307) and CERNET Innovation Project NGII20160403. Publisher Copyright: {\textcopyright} 2019 IEEE.; 40th IEEE Symposium on Security and Privacy, SP 2019 ; Conference date: 19-05-2019 Through 23-05-2019",

year = "2019",

month = may,

doi = "10.1109/SP.2019.00011",

language = "English (US)",

series = "Proceedings - IEEE Symposium on Security and Privacy",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "1185--1201",

booktitle = "Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019",

}

TY - GEN

T1 - Resident evil

T2 - 40th IEEE Symposium on Security and Privacy, SP 2019

AU - Mi, Xianghang

AU - Feng, Xuan

AU - Liao, Xiaojing

AU - Liu, Baojun

AU - Wang, Xiaofeng

AU - Qian, Feng

AU - Li, Zhou

AU - Alrwais, Sumayah

AU - Sun, Limin

AU - Liu, Ying

N1 - Funding Information: ACKNOWLEDGMENT We are grateful to our shepherd Professor Matthew Smith and the anonymous reviewers for their insightful and helpful comments. The IU authors are supported in part by NSF 1408874, 1527141, 1618493, 1618898 and ARO W911NF1610127. Also, authors from Tsinghua University are supported in part by the National Natural Science Foundation of China (grant 61772307) and CERNET Innovation Project NGII20160403. Publisher Copyright: © 2019 IEEE.

PY - 2019/5

Y1 - 2019/5

N2 - An emerging Internet business is residential proxy (RESIP) as a service, in which a provider utilizes the hosts within residential networks (in contrast to those running in a datacenter) to relay their customers' traffic, in an attempt to avoid server- side blocking and detection. With the prominent roles the services could play in the underground business world, little has been done to understand whether they are indeed involved in Cybercrimes and how they operate, due to the challenges in identifying their RESIPs, not to mention any in-depth analysis on them. In this paper, we report the first study on RESIPs, which sheds light on the behaviors and the ecosystem of these elusive gray services. Our research employed an infiltration framework, including our clients for RESIP services and the servers they visited, to detect 6 million RESIP IPs across 230+ countries and 52K+ ISPs. The observed addresses were analyzed and the hosts behind them were further fingerprinted using a new profiling system. Our effort led to several surprising findings about the RESIP services unknown before. Surprisingly, despite the providers' claim that the proxy hosts are willingly joined, many proxies run on likely compromised hosts including IoT devices. Through cross-matching the hosts we discovered and labeled PUP (potentially unwanted programs) logs provided by a leading IT company, we uncovered various illicit operations RESIP hosts performed, including illegal promotion, Fast fluxing, phishing, malware hosting, and others. We also reverse engi- neered RESIP services' internal infrastructures, uncovered their potential rebranding and reselling behaviors. Our research takes the first step toward understanding this new Internet service, contributing to the effective control of their security risks.

AB - An emerging Internet business is residential proxy (RESIP) as a service, in which a provider utilizes the hosts within residential networks (in contrast to those running in a datacenter) to relay their customers' traffic, in an attempt to avoid server- side blocking and detection. With the prominent roles the services could play in the underground business world, little has been done to understand whether they are indeed involved in Cybercrimes and how they operate, due to the challenges in identifying their RESIPs, not to mention any in-depth analysis on them. In this paper, we report the first study on RESIPs, which sheds light on the behaviors and the ecosystem of these elusive gray services. Our research employed an infiltration framework, including our clients for RESIP services and the servers they visited, to detect 6 million RESIP IPs across 230+ countries and 52K+ ISPs. The observed addresses were analyzed and the hosts behind them were further fingerprinted using a new profiling system. Our effort led to several surprising findings about the RESIP services unknown before. Surprisingly, despite the providers' claim that the proxy hosts are willingly joined, many proxies run on likely compromised hosts including IoT devices. Through cross-matching the hosts we discovered and labeled PUP (potentially unwanted programs) logs provided by a leading IT company, we uncovered various illicit operations RESIP hosts performed, including illegal promotion, Fast fluxing, phishing, malware hosting, and others. We also reverse engi- neered RESIP services' internal infrastructures, uncovered their potential rebranding and reselling behaviors. Our research takes the first step toward understanding this new Internet service, contributing to the effective control of their security risks.

KW - Anonymity

KW - Embedded-systems-security

KW - Malware-and-unwanted-software

KW - Network-and-systems-security

KW - Residential-IP

KW - Residential-IP-proxy-as-a-service

KW - Residential-proxy

KW - Security-and-privacy-for-the-Internet-of-Things

KW - Web-proxy

UR - http://www.scopus.com/inward/record.url?scp=85069816779&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85069816779&partnerID=8YFLogxK

U2 - 10.1109/SP.2019.00011

DO - 10.1109/SP.2019.00011

M3 - Conference contribution

AN - SCOPUS:85069816779

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 1185

EP - 1201

BT - Proceedings - 2019 IEEE Symposium on Security and Privacy, SP 2019

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 19 May 2019 through 23 May 2019

ER -

Resident evil: Understanding residential IP proxy as a dark service

Abstract

Publication series

Conference

Bibliographical note

Keywords

Publisher link

Find It

Other files and links

Fingerprint

Cite this