K
Story
Aisuru botnet shifts from DDoS to residential proxies
In the last few months I've seen many advertisements for a device they call the "Super Box" - it's essentially an (Android based?) IPTV device with every channel imaginable. The people I know with them paid around $300 and there isn't a monthly fee.

I have a hunch they're trading free TV for becoming a residential proxy unknowingly. Would love to capture network traffic from one and see what's really going on.

The fact that people are willing to buy these super sketchy devices and plug them into their networks without a second thought is kinda scary.

Well didn't lookup Super Box but I assume it's less sketchy than you image.

It probably just pulls from something like https://github.com/iptv-org/iptv and so the provider of Super Box doesn't have to maintain pretty much anything or use any of their own bandwidth. So the $300 minus the cost of the hardware is the profit and they don't have real reoccurring costs.

I don't believe so. These boxes provide access to premium TV channels and live sports, not just public broadcasting.
Premium TV channels and live sports have publicly accessible IPTV streams, though. Undocumented != nonpublic.
  • anjel
  • ·
  • 1 month ago
  • ·
  • [ - ]
On tiktok, "superboxes" get pushed but hard, for $2-300 a device.
  • anjel
  • ·
  • 1 month ago
  • ·
  • [ - ]
The pirate IPTV industry has a pirating problem of its own
  • nodja
  • ·
  • 1 month ago
  • ·
  • [ - ]
I've never seen a $300 one but I've seen $70 ones. I don't think they're nefarious in that sense, but these boxes are usually scams.

They come preloaded with a pirate iptv service that only works for 1-2 months then they ask you to pay something like $70/year to keep watching. There's tons of providers for these IPTV services so bundling them with the boxes is a way to make it easy to access while gaining subscriptions, you can just buy a cheap android TV box yourself, install the apk and get a cheaper IPTV provider.

Most of these boxes/providers don't last more than a couple years as authorities tend to go after them when they get too big. My dad uses them to watch portuguese TV--it would be impossible to watch certain channels outside the country otherwise--and in the past 10 years he changed provider 3-4 times.

Similarly most fire stick pirate streaming and side loading tutorials use an app called “downloader” which includes a URL shortener. Users are given an 8 digit “downloader code” and most blindly download and sideload APKs on their device. Probably a field day for anyone wanting to bundle and distribute malware.

https://troypoint.com/best-downloader-codes/

These have been a thing for a while - check your local Craigslist for "fully loaded" Fire sticks or other streaming TV devices. I wouldn't be surprised at all if you're correct - these devices are marketed to technically unsophisticated users, by vendors who have every incentive to maximize profit.
They’re generally not selling a million of these or even tens of thousands of these, so setting up residential proxy software on the boxes would almost certainly not be worth the time spent.
I wouldn't expect the installers to be setting a proxy network themselves, but rather acting as an affiliate for an existing network and collecting commissions from that.

Alternatively, I wouldn't be surprised if some of the apps installed on these devices have their own embedded malware - the operators of the pirate TV networks are looking to get paid, too.

The affiliate fees paid per install by the proxy networks are very small.
I've also seen these marketed as "Kodi boxes".
The value of a single residential proxy is so low that the scheme you’re proposing is utterly ridiculous.
  • sieep
  • ·
  • 1 month ago
  • ·
  • [ - ]
Very fascinating. I saw multiple people predict that these ddos attacks were just advertisement for the Aisuru services.

How can regular users of Android, smart TV's, etc. identify these IoT devices that have been compromised?

I guess the increased bandwidth should at least show up on the ISP bill since that's the only place anyone would notice.

But we're pretty far from having a system that isn't perfect for botnets and malicious proxies hiding on your network.

Kinda crazy how my ISP doesn't even show me my usage on the bill. But then again every time I call them for something, they try to convince me I need something more than the minimum plan, and they're BS depends on me not knowing which tier I need.

> I guess the increased bandwidth should at least show up on the ISP bill since that's the only place anyone would notice.

Not sure about other places, but where I live ISPs don't have bandwidth limits over which they make you pay an extra. In extreme cases they might suspend service if your usage is deemed abusive though, but I never heard of this happening to people I know IRL.

Sure. And that's yet another enabler of the status quo where malicious actors have infinite resources: every compromised computer or internet of shit product has unmetered high quality residential bandwidth.
realistically? not much regular joe can do.

advanced users can segregate all their iot crap into separate network which allows keeping an eye on what goes on in there. but you need to know what your normal safe baseline looks like to be able to identify something weird happening.

of course there is lot of fancy tools built around this topic too, stuff like zeek and suricata almost certainly could be used to identify possible compromises. especially in a separate iot network, which should have otherwise fairly regular traffic patterns. but realistically, idk if anyone has been very successful in implementing such detection.

I recently heard that a group at Cardiff University is moving to commercialize what was their PHD thesis on this topic.

https://orca.cardiff.ac.uk/id/eprint/147062/1/AnoML.pdf

Saw them working on their elevator pitch last week.

Edit: I posted the wrong paper. Not sure why that was in my clipboard. It's this: https://orca.cardiff.ac.uk/id/eprint/176813/1/Mohammed_PAPER...
  • ·
  • 1 month ago
  • ·
  • [ - ]
recently had to research "residential proxy", and the number of websites that claim that they have millions of IPs on hand was very strange. then the fact that a lot of them work in the exact same way, and a lot of them accepted payment mostly in crypto was very strange. so now connecting the dots, makes sense now why these "residential proxy" websites looked and worked the same way
also note that all of them claim that their residential proxies are "ethically sourced" (unlikely their competitors, I guess?)

there's no such thing as an ethically sourced residential proxy.

Additionally, there's almost no ethical use for a residential proxy. The purpose is always to deceive, at best you get lightly unethical uses like "avoiding georestrictions on IP distributors like netflix", or "avoiding controls in dictatorships" which is acknowledging that it is used to break the law, but maybe it's the wrong kind of law.

Even these soft reasons to use VPNs and residential proxies are like an alibi for bad actors, is IP 25.14.xx.xx creating a fake account on twitter to spread malware or is he downloading a show that wasn't available before? I guess we'll never know such are the limits of privacy I guess.

What laws are you breaking using a residential VPN to access Netflix?
It's analogous to people using other people's accounts (with or without their well-informed permission) for small to moderate amounts of illegal transactions. It's a simple strategy but it's actually very hard for authorities to completely stop as your illicit activity gets lost in the huge amount of everyday noise
Some sites block entire countries or even apply GDPR restrictions to Africa
I've been thinking about building an actually-ethical residential proxy system, for censorship-evasion purposes.

The internet in a growing number of countries is censored, but different content categories are censored in each jurisdiction. Many sites and services also block known VPNs (i.e. non-residential IPs), so that doesn't work as a bypass in all cases.

I have trusted friends in other countries, so by mutual agreement we could set up wireguard links for each other to use (subject to agreed terms). It just needs some way to intelligently route traffic depending on which jurisdictions will allow which requests (i.e. "which is the lowest-latency link that will allow this request").

> I've been thinking about building an actually-ethical residential proxy system, for censorship-evasion purposes.

That thing already exist and is called Tor Snowflake.

That's not the same as what I'm suggesting.
The issue with this is in many authoritarian nations they will see your Wireguard link and block it. Or even knock at your door.
And the concept of web of trust and signing parties just gets more and more valuable for each day!
  • dewey
  • ·
  • 1 month ago
  • ·
  • [ - ]
> there's no such thing as an ethically sourced residential proxy.

There is, just like you giving your attention and cpu to watch free ad supported content on the internet. It's the same in apps that give users access for free in return for bandwidth, or free VPNs that allow you to share bandwidth. There's also ISP "residential" proxies where ISPs re-sell some of their address space to proxy providers.

So it's ethical to bypass bot restrictions and rate limits by pretending to be a bunch of residential connections?
If it’s to enable users to fetch their own data, it’s absolutely ethical. These websites can offer API’s so people can access their own data “above the board” but instead make it incredibly difficult.
"Users fetching their own data" is probably less than a hundredth of a percent of traffic passing through residential proxies, I'd even bet some money on that.
Yeah, if that's your use case, why not just use a regular datacenter proxy?
  • dewey
  • ·
  • 1 month ago
  • ·
  • [ - ]
Not much different than blocking access to people without JS enabled, blocking people stuck behind NAT, blocking whole countries or require them to solve Cloudflare captchas.
What does any of this have to do with residential proxies? If you can't access a website because you have disabled JS, you won't be able to access that website with a residential proxy either.
  • dewey
  • ·
  • 1 month ago
  • ·
  • [ - ]
I was referring to the fact that many websites block / force users to use the resource in a certain way, why shouldn't they in return have the right to bypass these restrictions.
A residential proxy can not be used to bypass the restriction on JavaScript. Regarding the other items on your list, sure, a residential proxy could be used, but why do you need it? Why not a regular datacenter proxy?
  • dewey
  • ·
  • 1 month ago
  • ·
  • [ - ]
This was a general statement, no need to nitpick every detail. DC proxies are not as accurate for geolocation, they are also often flagged as such or face higher scrutiny from bot protections.
Okay, sure, in theory someone could use a residential proxy to evade unjust blocking. Whether that has happened at any point in history or not, I'm not sure.

In practice, the vast majority of residential proxy usage would be for other (non-ethical) purposes.

Their are services that allow users to share their bandwidth in return for some cents per GB, a way to passively earn income.
  • ·
  • 1 month ago
  • ·
  • [ - ]
Why there is no protocol that would allow a network to request blocking traffic from a subnet or network? For example, AS X doesn't want any traffic from Y, and all operators between X and Y block traffic from Y to X.

To motivate lazy network operators, this protocol should be linked with financial conditions: an operator who doesn't honor the request, gets significantly reduced payment for this month's traffic.

I see weak people whining about attacks for like 10 years, and nobody changes anything. It's easier to blame evil hackers than fix their own broken poorly designed systems.

To give specific example, imagine a business which has 95% customers in developed country A, but receives 99% web requests from developing countries (DDoS attacks mainly come from there). It makes financial sense to cut off those countries first and after than figure out what happened.

The finances work the other way around: you can often pay your transit/upstream providers an additional fee for their DDOS protection/filtering service, where you can signal (via BGP or otherwise) that there's traffic you don't want to receive. BGP Flowspec (or similar) is one of the technologies used here.
The capabilities offered by the protocol you're envisioning already exist in the form of firewall rules and BGP peering agreements.

Most websites and networks would suffer more from blocking residential ISP traffic than they do from misuse of residential ISP traffic, though...

No. If you have majority of customers in country A, but the attack comes from country B, it is better to cut off B to keep the web services working.

BGP doesn't allow to stop attacks this way as I understand.

what if the attack comes from country A too? my understanding is they try to get botnets and residential proxies in large Western countries to avoid being filtered by IP range already.
> ... renting hundreds of thousands of infected Internet of Things (IoT) devices to proxy services...

And that's why I will never buy any IoT devices that require an internet connection to work. Only IoT devices in my house are those that connect to my own server and never see the light of the internet.

Your IoT is an Intranet of Things then, checks out!
So not only are AI companies stealing content, they’re actively funding criminal organisations too. Wonderful
They're funding criminal organizations in the same way you're funding one if you get your hair cut at a hair salon which works as a front for money laundering.

That is, mostly unknowingly, perhaps suspecting what's going on, but politely trying to ignore it for their own convenience.

A hair salon is a legitimate business. "Residential proxies" have very little legitimate use, and are sourced by unethical means, so it's not a fair comparison.
>"Residential proxies" have very little legitimate use

You have to be joking. Having seen a list of biggest Luminati contracts, legitimate use makes up probably well over 90% of traffic via these services.

It’s companies like Expedia and OpenAI, not Nigerian princes.

Yeah sure, fraud happens. Those customers aren’t even lucrative because posting scam ads on Craigslist or wherever does not use much bandwidth. Criminals also use Google search.

And why is OpenAI using residential proxies instead of their own or some datacenter address space? Are they not using the proxies to steal data from unwilling website operators? I would count that as an illegitimate use. If they can't operate openly and have to bypass restrictions, they are doing something shady.
How would OpenAI routing requests through an Aisuru-compromised IoT botnet member be "legitimate"?

Besides the small matter of the victim in the arrangement, the entire reason OpenAI does it is ban evasion, which is not legitimate.

Watching netflix is plenty legitimate in my book.
Netflix execs trying to restrict account sharing and implementing region locks wouldn't agree with that ;)

I think it is a valid reason to use residential proxies as an individual (because I think that these region locks and other restrictions are bs), but if a company does that to bypass crawling restrictions - it is wrong.

  • ·
  • 1 month ago
  • ·
  • [ - ]
About the ethics of residential proxies: Brightdata, which sells a residential proxy, blocks their own proxy when you point it to brightdata.com.

The fact that they don't allow you to use their service to scrape their own domain, tells you something about their ethics...