To take down a malicious website (one that distributes malware or impersonates another), an analysis of the website must first be conducted to properly inform the competent authority for its removal.
This article explores the use of RIPE Atlas, which uses globally distributed probes to assess the persistence and geographic reach of a malicious site.
Key Information for Investigating a Malicious Site
An investigation into a malicious site should collect, at a minimum, the following information:
(Free access, no subscription required)
Relevant dates: discovery, creation of the domain, takedown, etc.
Domain name(s)
URL
IP addresses
Source code
Screenshots or videos of the behavior
Contact details: domain registrant, holder of the IP address, CSIRTs/CERTs, etc.
Sometimes, phishing or malicious websites adopt mechanisms that complicate their takedown, such as the use of CDNs or hosting providers with identity protection for the site owner or geo-blocking, where the site is only accessible from specific geographic locations.
When reporting a malicious site, it’s important to include the geographic location from which the malicious content is accessible. This allows those receiving the report to replicate the malicious behavior that is being reported.
There are different methods for determining which locations can access the malicious content. One option would be to use VPN services or proxies, which provide an IP address corresponding to the country where we want to verify the malicious behavior. In this article, however, we’ll explain how to achieve this using RIPE Atlas.
Relevant dates: discovery, creation of the domain, takedown, etc.
Domain name(s)
URL
IP addresses
Source code
Screenshots or videos of the behavior
Contact details: domain registrant, holder of the IP address, CSIRTs/CERTs, etc.
Sometimes, phishing or malicious websites adopt mechanisms that complicate their takedown, such as the use of CDNs or hosting providers with identity protection for the site owner or geo-blocking, where the site is only accessible from specific geographic locations.
When reporting a malicious site, it’s important to include the geographic location from which the malicious content is accessible. This allows those receiving the report to replicate the malicious behavior that is being reported.
There are different methods for determining which locations can access the malicious content. One option would be to use VPN services or proxies, which provide an IP address corresponding to the country where we want to verify the malicious behavior. In this article, however, we’ll explain how to achieve this using RIPE Atlas.
What Is Ripe Atlas and How It Can Help
RIPE Atlas is a network of globally distributed probes that continuously measure Internet connectivity and performance, providing technical information about its operation. This sensor network allows performing user-defined measurements toward specific destinations. Different kinds of measurements can be performed:
PING
Traceroute
DNS
TLS
HTTP (only for anchors)
NTP
Below we’ll discuss an interesting feature of this project: geographic access of the different probes to the desired target. In other words, by knowing the location from which a measurement was taken, we can determine whether the site is accessible from that part of the world. This feature allows us to determine if a phishing attack is geographically targeted.
Using RIPE Atlas to Analyze Malicious Sites
Malicious websites can be analyzed using four different methods: PING, Traceroute, DNS, and TLS. Each method has advantages and disadvantages.
Let’s consider a basic malicious website, identified by a domain name and, optionally, a basic path. For example: http[s]://example.com/recurso_malicioso.
To perform these tasks, you’ll need an account athttps://atlas.ripe.net/. Once logged in, go to “Measurements” and then “Create Measurement.” The following screen will appear:
Select the desired tool: PING, Traceroute, DNS, or TLS. The specifics of each method will be explained below.
Select the probes that will participate in the measurements, aiming for a uniform geographic distribution. Probes can be selected manually on a map or randomly. By default, a single measurement is configured, and the corresponding cost (in credits) is displayed below.
Once the telemetry is created, the probes will start taking measurements. Keep in mind that the time it takes to obtain results depends on how quickly all the probes complete the requested task. Before reviewing the results, we will first describe the differences between the different methods.
PING
This method uses ICMP messages distributed across the probes. It’s useful for identifying which probes can reach the suspicious IP address. Keep in mind that this option is effective when the malicious content is hosted on a single IP address that doesn’t share content.
Periodic scans can be scheduled to check whether the IP address remains active. It should be noted that not all servers respond to ICMP requests, so local tests must be run before using Atlas to measure the malicious site.
DNS
This is an interesting option, as it allows for highly customized DNS measurements. It’s useful for analyzing how DNS responses vary depending on the geographic area where the probes are located. Periodic measurements can be scheduled to follow the evolution of the IP addresses used by attackers and monitor the lifetime of the malicious domain.
This option is valuable for conducting highly customized DNS measurements and allows analyzing how responses vary based on the geographic location of the probes. Additionally, by scheduling these measurements periodically, it’s possible to track the evolution of the IP addresses used by attackers and monitor the lifetime of malicious domains.
Traceroute
If this method is selected, the probes will perform a traditional traceroute test, which consists of sending a sequence of ICMP, UDP, or TCP packets with increasing TTL (Time To Live) values until the destination is reached. For our purposes, we will select the TCP protocol and use port 80 or 443, depending on whether the malicious site uses HTTP or HTTPS, respectively. We must also select either IPv4 or IPv6, as appropriate. It’s possible to include multiple measurements in a single telemetry session. For example, we can double-click the Traceroute button and configure a measurement for IPv4 and another one for IPv6.
TLS
This feature allows us to analyze certificates from malicious sites to determine their status, activity, and geographic location. It also identifies related domains and extracts the certificate’s fingerprint for further analysis.
Interpretation of the Data and Real-World Analyses
Once RIPE Atlas measurements have been performed, it’s essential to interpret the results accurately to identify patterns of suspicious behavior or confirm signs of malicious activity.
In this section, we will analyze the data collected using TLS, Traceroute, and DNS measurements. To illustrate these analyses, we selected a real-world phishing site and performed measurements from multiple globally distributed probes. These measurements allow:
Detecting whether the domain is still active or has been deactivated
Verifying whether it is accessible from all regions or applies geo-blocking
Analyzing the network infrastructure used by the attackers
Examining the digital certificates to identify potential patterns or links to other malicious campaigns
Analysis of a Real-World Phishing Attack
We will now illustrate how periodic RIPE Atlas measurements can be used. Let’s consider a phishing case targeting users in Uruguay.
This phishing scam impersonates the Uruguayan national post office with the aim of stealing personal data and credit card numbers.
Once the necessary information about the attack is collected, several reports are prepared and submitted to the proper entities for the removal of the malicious site, including CERTs and Whois abuse contacts.
A DNS measurement is performed with RIPE Atlas every ten minutes for four days to analyze the validity of the domains, including their IP assignments and any potential changes. Two measurements are performed: one for A records (IPv4), another for AAAA records (IPv6).
The results are shown in the graph below.
At approximately 5:38 PM UTC, the phishing incident was reported to the entities it involved. The selected probes showed DNS response times below 300 ms.
One hour after the report was submitted, 11 probes had stopped resolving the domain’s IP address. Some began returning blackhole IP addresses, suggesting that DNS protection was being used and had blocked access to the phishing site.
After 90 minutes of measurements, half of the probes had stopped resolving the domain. Shortly after, all probes stopped resolving it, marking the end of malicious activity on that domain.
Measurements stopped when the absence of an IP response was confirmed. However, they might be extended to monitor a potential reactivation of the domain under a new IP address.
It’s important to note that no IPv6 addresses were resolved by the probe during the period of activity.
Use Cases
The use of RIPE Atlas in this type of research provides a new and practical approach thanks to its geographically distributed sensors. Its main applications, limitations, and possible extensions are detailed below.
Analysis of Malicious Domains and IP Addresses
RIPE Atlas allows observing how domains used in phishing or malware distribution campaigns are resolved and responded to from various regions around the world. This is useful for identifying geographically targeted attacks or documenting targeted detection evasion.
Detecting Geoblocking
By running measurements from probes located in different countries, it’s possible to detect whether a malicious website is applying regional restrictions, making its content visible only to users in certain locations.
Tracking Infrastructure Changes
Scheduled measurements (such as DNS queries or Traceroutes) help monitor changes to the attackers’ infrastructure, including changes to IP addresses, network routes, or DNS servers.
Collecting Information to Support Incident Reports
Data obtained via RIPE Atlas supplements technical security reports, facilitating analyses by CSIRTs, CERTs, hosting providers, or domain registrars.
Supplementing Other Tools
RIPE Atlas can be integrated with other platforms to correlate TLS certificate data with other open sources and enrich the analysis.
Monitoring Potential Threat Domains:
RIPE Atlas allows measuring domains that could be used to launch attacks against our organizations. This includes IDN homograph attacks, where domains visually similar to ours are used to deceive users and conduct spoofing campaigns.
Limitations
It’s important to keep in mind that most website activity occurs in the upper layers of the TCP/IP model, particularly in the application layer. Although RIPE Atlas probes allow measurements that reach certain protocols in this layer (e.g., DNS and TLS), their focus is primarily connectivity and resolution testing, not interacting with the website content itself.
This represents a major limitation: it’s not possible to analyze the entirety of a website’s behavior directly at the application level, so aspects such as forms, redirects, geolocation-based access restrictions, or authentication mechanisms cannot be assessed. So, if a phishing site implements restrictions or dynamic behaviors in its web development, these cannot be evaluated using RIPE Atlas alone.
Conclusions and Call to Action
RIPE Atlas offers a powerful, geographically distributed tool for the technical analysis of malicious websites. It allows the detection of targeted campaigns, infrastructure changes, and evasive behavior. Although it does not replace other tools that focus on the application layer, it is a valuable complement that enhances incident reporting by incorporating distributed and objective evidence.
Researchers, threat analysts, and CSIRTs are encouraged to include RIPE Atlas in their analysis and incident reporting workflows. Its potential to provide technical evidence from multiple locations makes it a valuable tool against increasingly sophisticated malware and phishing campaigns. We also encourage automating measurements and combining results with other sources, such as certificate analysis engines or domain reputation systems, for a more comprehensive and effective monitoring.
Don’t miss the presentation on the topic at LACNIC44. Register here to participate in person or remotely.
