Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


In the Name of the Big Station: Network Infrastructure Focused on the Underground Industry

Posted by bax at 2020-03-14



At the Qihoo Network Security Research Institute (NetLab @ 360.CN), we have built a DNS-based abnormal traffic monitoring system that detects a number of abnormal traffic events and the corresponding domain names / IPs every day. These detected domain names / IPs usually belong to the underground industry chain.

However, we noticed that strings representing well-known companies also appear in the detected domain names, including 360, Ali, Baidu, cloudflare, DNSPod, Google and Microsoft. After analysis, we believe that someone is borrowing the names of big stations to provide network infrastructure services for underground industries such as gambling, pornography, private game servers, etc.

The infrastructure is structurally complex, has been operating for a long time and has strong support capacity. It actually supports tens of thousands of black and gray sites and has formed a mature underground industrial ecosystem.

Domain name and counterfeit brands

The domain names we detected are as follows.

Judging by the names alone, these domains look like CDN services provided by big stations. But analysis shows that they are actually a kind of infrastructure serving gambling, pornography, private game servers and other underground industries.

Complex network infrastructure based on the above domain names

Through passive DNS, we can see the DNS resolution records of these domain names. In addition to serving end users directly, they are also the CNAME targets of other domain names, forming a complex infrastructure network. This network has real underground industry users. Some nodes have been operating for a long time, receive a large number of visits, have clearly identifiable business types, and maturely support the black and gray industry chain.

The list of these fake CDN sites and some pre / post sites observed is as follows:

The relationships behind these infrastructure networks are complex, such as:

Evaluation of the infrastructure network and its users

Based on these domain names, we extract the relevant records from passive DNS, summarize the following data, and evaluate the network in terms of the stability of the domain names, the diversity of subdomain names and the number of visits.
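The evaluation described above, together with the CNAME relationships from the previous section, as an added example that is not NetLab's code: it flags base domains that contain a brand string but are absent from an assumed brand-owned allowlist, then summarizes stability, subdomain diversity, query volume and CNAME dependents. The record layout, the .example domains, the allowlist and all function names are constructed for illustration.

```python
from datetime import date

# Constructed passive-DNS rows: (rrname, rrtype, rdata, first_seen, last_seen, count)
PDNS = [
    ("img.cdn-google.example", "A", "203.0.113.10", date(2015, 6, 1), date(2016, 12, 20), 910_000),
    ("js.cdn-google.example", "A", "203.0.113.11", date(2015, 9, 3), date(2016, 12, 28), 420_000),
    ("www.bet-site.example", "CNAME", "img.cdn-google.example", date(2016, 2, 1), date(2016, 12, 28), 75_000),
    ("v.adult-site.example", "CNAME", "js.cdn-google.example", date(2016, 5, 9), date(2016, 11, 2), 31_000),
    ("www.google.com", "A", "198.51.100.7", date(2015, 1, 1), date(2016, 12, 30), 5_000_000),
]
# Brand strings named in the article.
BRANDS = ("360", "ali", "baidu", "cloudflare", "dnspod", "google", "microsoft")
# Assumed allowlist of domains really owned by those brands (illustrative, incomplete).
BRAND_OWNED = {"google.com", "microsoft.com", "baidu.com", "cloudflare.com"}

def base_domain(name):
    """Naive registrable domain: last two labels (use the Public Suffix List in production)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def brand_lookalikes(rows):
    """Base domains whose registrable label contains a brand string but is not brand-owned."""
    bases = {base_domain(r[0]) for r in rows}
    return sorted(b for b in bases if b not in BRAND_OWNED
                  and any(s in b.split(".")[0] for s in BRANDS))

def evaluate(rows, base):
    """Stability, subdomain diversity, visit volume and CNAME dependents of one base domain."""
    own = [r for r in rows if base_domain(r[0]) == base]
    if not own:
        return None  # base domain never seen in passive DNS
    first = min(r[3] for r in own)
    last = max(r[4] for r in own)
    # Other base domains that CNAME into this one (the "pre / post" sites).
    dependents = {base_domain(r[0]) for r in rows
                  if r[1] == "CNAME" and base_domain(r[2]) == base
                  and base_domain(r[0]) != base}
    return {
        "active_days": (last - first).days,
        "subdomains": len({r[0] for r in own}),
        "queries": sum(r[5] for r in own),
        "cname_dependents": sorted(dependents),
    }

if __name__ == "__main__":
    for b in brand_lookalikes(PDNS):
        print(b, evaluate(PDNS, b))
```

Substring matching on short strings such as "ali" or "360" produces false positives, so the flagged list is a triage queue for whois and passive-DNS review, not a verdict.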


In addition, looking at the daily business peak, the daily peak of is about 23 to 0 every night. This timing is also consistent with the type of business carried (gambling and porn sites are more active in the early morning).

As mentioned before, the main users of the network are gambling, pornography and private game server websites. The user base of the whole network is very large. Some numbers:

IP infrastructure

The IP addresses of these domain names are mainly distributed in the United States, Hong Kong, China and India. Among them, the business distribution in the United States and Hong Kong is very similar to the abuse of wildcard DNS resolution to build site groups (DWA) that we have seen before. In China, the IPs are mainly concentrated in data centers, which often claim to provide so-called high-protection services. Hosting in these data centers provides some anti-DDoS capability.

Compared with the regional distribution, the AS distribution of these IPs is more scattered. The specific distribution is shown in the figure below:

It is worth noting that AS8075 Microsoft Corporation and AS45090 Shenzhen Tencent Computer Systems Company Limited at the top belong to Microsoft Corp and Tencent Inc respectively. The domain names using these two ASes are mainly Google and Microsoft. The two domains also used the services of AS58593 Microsoft (China) Co., Ltd., AS15169 Google Inc. and AS45102 Alibaba (China) Technology Co., Ltd. in different periods.

At first glance, without careful analysis, a Microsoft-named domain using Microsoft's AS looks perfectly natural. However, the two belong to different organizations, and their lines of business have nothing to do with each other. A very interesting phenomenon.

The team behind it

Judging from the whois information of these domain names, they appear to belong to several groups.

In the above figure, cells of the same color indicate domain names registered by the same group of people. Domain names whose ownership cannot be determined are not colored. Considering the complexity of the network mentioned above, it is possible that some of the small groups in the above table can be attributed to one large group.

The earliest Microsoft can be traced back to May 4, 2015, and the latest was registered on December 29, 2016. In terms of the validity period of domain name registration, most domain names are valid for one year, but and are 5 and 7 years respectively. It can be seen that these people are prepared to do this work for a long time.

Of the 21 domain names mentioned above, 5 use privacy protection. Using 360netlab's whoisdb database (for more data, please refer to Appendix 1), we ran a reverse lookup on the registrants who do not use privacy protection. This basically rules out the possibility that they are "rice farmers" (people focused on the domain name trading business), and we note that different registrants tend to focus on their respective business segments:

Update on January 16, 2017: after the original version of the article was released, some readers asked for an analysis of IP address sharing among these servers. For completeness, we have added the following part, as shown in the figure below, with the following conclusions:


With Chinese characteristics, it is not uncommon for sites dedicated to gambling, pornography and similar businesses to use anti-DDoS services or even network infrastructure dedicated to the black and gray industry. But domain names containing "big station" strings are more interesting. This article analyzes the domain names containing "big station" strings from the perspectives of whois information, active time in passive DNS, and the IPs used. Several clear conclusions can be drawn:

We hope this article gives readers a new understanding of gray business and its infrastructure. We will continue to track and observe the subsequent development of these domain names that provide basic services for gray business in the name of "big station".

Appendix: list of whois associated domain names of counterfeit CDN