FAST FLUX
BULLETPROOF HOSTING

We have come up with a strategy to be a truly independent when it comes to freedom of the press and data privacy. Our offshore countries are not a member of the European Union or The United States and, as such, can go on its own way. SilentExploits firm allows our customer considerable leniency in the kinds of material they may upload and distribute.

So, if bulletproof works like a normal hosting, is it as cool? 

After all, you only get one life. You might as well spend it working on something great. Unfortunately, the question is hard to answer. There is always a big time lag in prestige. It’s like light from a distant star. 

Bulletproof hosting provides you great work of safty encrytion. Strong as it will take five hundred years to crack. At the time, no one thought these encrypting were as important as we do today. So while I admit that Bulletproof doesn’t seem as cool as normal hosting now, we should remember that staying anonymous and encryption itself didn’t seem as cool in its glory days as it does now. It would have seemed very odd to people at the time that SilentExploits, would one day be known mostly as the guy with the strange nose in Bulletproof Hosting.

The country your server files are hosted determines which freedom of speech laws you are subject to. You may not know that the United States is actually behind countries like Suriname and Jamaica when it comes to freedom of the press, so don’t rest too easy thinking your country won’t ever come after you. Never worry of your privacy being leaked, we do not log neither do we take any of your data while you register for an order. We just need an email address to deliver your services and let you know when you need to pay again.

The goal of fast-flux is for a fully qualified domain name (such as www.example.com) to have multiple (hundreds or even thousands) IP addresses assigned to it. These IP addresses are swapped in and out of flux with extreme frequency, using a combination of round-robin IP addresses and a very short Time-To-Live (TTL) for any given particular DNS Resource Record (RR). Website hostnames may be associated with a new set of IP addresses as often as every 3 minutes. A browser connecting to the same website every 3 minutes would actually be connecting to a different infected computer each time. In addition, the attackers ensure that the compromised systems they are using to host their scams have the best possible bandwidth and service availability. They often use a load-distribution scheme which takes into account node health-check results, so that unresponsive nodes are taken out of flux and content availability is always maintained.

A second layer is often added for security and fail-over: blind proxy redirection. Redirection disrupts attempts to track down and mitigate fast-flux service network nodes. What happens is the large pool of rotating IP addresses are not the final destination of the request for the content (or other network service). Instead, compromised front end systems are merely deployed as redirectors that funnel requests and data to and from other backend servers, which actually serve the content. Essentially the domain names and URLs for advertised content no longer resolve to the IP address of a specific server, but instead fluctuate amongst many front end redirectors or proxies, which then in turn forward content to another group of backend servers. While this technique has been used for some time in the world of legitimate webserver operations, for the purpose of maintaining high availability and spreading load, in this case it is evidence of the technological evolution of criminal computer networks.

Fast-flux “motherships” are the controlling element behind fast-flux service networks, and are similar to the command and control (C&C) systems found in conventional botnets. However, compared to typical botnet IRC servers, fast-flux motherships have many more features. It is the upstream fast-flux mothership node, which is hidden by the front end fast-flux proxy network nodes, that actually delivers content back to the victim client who requests it. Flux-herder mothership nodes have been observed to operate successfully for extended periods of time in the wild.

These nodes are often observed hosting both DNS and HTTP services, with web server virtual hosting configurations able to manage the content availability for thousands of domains simultaneously on a single host. Until late March 2007, we observed the appearance of only two primary upstream mothership hosts deployed and serving the many thousands of domains in flux, suggesting that this technique was primarily developed and utilized by small number of groups or individuals. Domain registrations of .hk, and .info were found to be among the most heavily utilized TLDs for registering fast-flux domains, but this registration abuse is most certainly shared amongst all registrars (as occasionally .com and other TLD domains are also witnessed).

We have categorized two different types of fast-flux networks, single-flux and double-flux. Everything you have read up to this point discusses single-flux networks. Double-flux has an additional layer of protection by also constantly changing the IP addresses for the Authoritive Name Servers. Below we give examples of each, starting with single-flux.