Analyzing Malicious Websites with RIPE Atlas

What Is Ripe Atlas and How It Can Help

RIPE Atlas is a network of globally distributed probes that continuously measure Internet connectivity and performance, providing technical information about its operation. This sensor network allows performing user-defined measurements toward specific destinations. Different kinds of measurements can be performed:

• PING
• Traceroute
• DNS
• TLS
• HTTP (only for anchors)
• NTP

Below we’ll discuss an interesting feature of this project: geographic access of the different probes to the desired target. In other words, by knowing the location from which a measurement was taken, we can determine whether the site is accessible from that part of the world. This feature allows us to determine if a phishing attack is geographically targeted.

Using RIPE Atlas to Analyze Malicious Sites

Malicious websites can be analyzed using four different methods: PING, Traceroute, DNS, and TLS. Each method has advantages and disadvantages.

Let’s consider a basic malicious website, identified by a domain name and, optionally, a basic path. For example: http[s]://example.com/recurso_malicioso.

To perform these tasks, you’ll need an account at https://atlas.ripe.net/. Once logged in, go to “Measurements” and then “Create Measurement.” The following screen will appear:

Select the desired tool: PING, Traceroute, DNS, or TLS. The specifics of each method will be explained below.

Select the probes that will participate in the measurements, aiming for a uniform geographic distribution. Probes can be selected manually on a map or randomly. By default, a single measurement is configured, and the corresponding cost (in credits) is displayed below.

Once the telemetry is created, the probes will start taking measurements. Keep in mind that the time it takes to obtain results depends on how quickly all the probes complete the requested task. Before reviewing the results, we will first describe the differences between the different methods.

PING

This method uses ICMP messages distributed across the probes. It’s useful for identifying which probes can reach the suspicious IP address. Keep in mind that this option is effective when the malicious content is hosted on a single IP address that doesn’t share content.

Periodic scans can be scheduled to check whether the IP address remains active. It should be noted that not all servers respond to ICMP requests, so local tests must be run before using Atlas to measure the malicious site.

DNS

This is an interesting option, as it allows for highly customized DNS measurements. It’s useful for analyzing how DNS responses vary depending on the geographic area where the probes are located. Periodic measurements can be scheduled to follow the evolution of the IP addresses used by attackers and monitor the lifetime of the malicious domain.

This option is valuable for conducting highly customized DNS measurements and allows analyzing how responses vary based on the geographic location of the probes. Additionally, by scheduling these measurements periodically, it’s possible to track the evolution of the IP addresses used by attackers and monitor the lifetime of malicious domains.

Traceroute

If this method is selected, the probes will perform a traditional traceroute test, which consists of sending a sequence of ICMP, UDP, or TCP packets with increasing TTL (Time To Live) values ​​until the destination is reached. For our purposes, we will select the TCP protocol and use port 80 or 443, depending on whether the malicious site uses HTTP or HTTPS, respectively. We must also select either IPv4 or IPv6, as appropriate. It’s possible to include multiple measurements in a single telemetry session. For example, we can double-click the Traceroute button and configure a measurement for IPv4 and another one for IPv6.

TLS

This feature allows us to analyze certificates from malicious sites to determine their status, activity, and geographic location. It also identifies related domains and extracts the certificate’s fingerprint for further analysis.

Interpretation of the Data and Real-World Analyses

Once RIPE Atlas measurements have been performed, it’s essential to interpret the results accurately to identify patterns of suspicious behavior or confirm signs of malicious activity.

In this section, we will analyze the data collected using TLS, Traceroute, and DNS measurements. To illustrate these analyses, we selected a real-world phishing site and performed measurements from multiple globally distributed probes. These measurements allow:

• Detecting whether the domain is still active or has been deactivated
• Verifying whether it is accessible from all regions or applies geo-blocking
• Analyzing the network infrastructure used by the attackers
• Examining the digital certificates to identify potential patterns or links to other malicious campaigns

Analysis of a Real-World Phishing Attack

We will now illustrate how periodic RIPE Atlas measurements can be used. Let’s consider a phishing case targeting users in Uruguay.

This phishing scam impersonates the Uruguayan national post office with the aim of stealing personal data and credit card numbers.

Once the necessary information about the attack is collected, several reports are prepared and submitted to the proper entities for the removal of the malicious site, including CERTs and Whois abuse contacts.

A DNS measurement is performed with RIPE Atlas every ten minutes for four days to analyze the validity of the domains, including their IP assignments and any potential changes. Two measurements are performed: one for A records (IPv4), another for AAAA records (IPv6).

The results are shown in the graph below.

At approximately 5:38 PM UTC, the phishing incident was reported to the entities it involved. The selected probes showed DNS response times below 300 ms.

One hour after the report was submitted, 11 probes had stopped resolving the domain’s IP address. Some began returning blackhole IP addresses, suggesting that DNS protection was being used and had blocked access to the phishing site.

After 90 minutes of measurements, half of the probes had stopped resolving the domain. Shortly after, all probes stopped resolving it, marking the end of malicious activity on that domain.

Measurements stopped when the absence of an IP response was confirmed. However, they might be extended to monitor a potential reactivation of the domain under a new IP address.

It’s important to note that no IPv6 addresses were resolved by the probe during the period of activity.

Use Cases

The use of RIPE Atlas in this type of research provides a new and practical approach thanks to its geographically distributed sensors. Its main applications, limitations, and possible extensions are detailed below.

Analysis of Malicious Domains and IP Addresses

RIPE Atlas allows observing how domains used in phishing or malware distribution campaigns are resolved and responded to from various regions around the world. This is useful for identifying geographically targeted attacks or documenting targeted detection evasion.

Detecting Geoblocking

By running measurements from probes located in different countries, it’s possible to detect whether a malicious website is applying regional restrictions, making its content visible only to users in certain locations.

Tracking Infrastructure Changes

Scheduled measurements (such as DNS queries or Traceroutes) help monitor changes to the attackers’ infrastructure, including changes to IP addresses, network routes, or DNS servers.

Collecting Information to Support Incident Reports

Data obtained via RIPE Atlas supplements technical security reports, facilitating analyses by CSIRTs, CERTs, hosting providers, or domain registrars.

Supplementing Other Tools

RIPE Atlas can be integrated with other platforms to correlate TLS certificate data with other open sources and enrich the analysis.

Monitoring Potential Threat Domains:

RIPE Atlas allows measuring domains that could be used to launch attacks against our organizations. This includes IDN homograph attacks, where domains visually similar to ours are used to deceive users and conduct spoofing campaigns.

Limitations

It’s important to keep in mind that most website activity occurs in the upper layers of the TCP/IP model, particularly in the application layer. Although RIPE Atlas probes allow measurements that reach certain protocols in this layer (e.g., DNS and TLS), their focus is primarily connectivity and resolution testing, not interacting with the website content itself.

This represents a major limitation: it’s not possible to analyze the entirety of a website’s behavior directly at the application level, so aspects such as forms, redirects, geolocation-based access restrictions, or authentication mechanisms cannot be assessed. So, if a phishing site implements restrictions or dynamic behaviors in its web development, these cannot be evaluated using RIPE Atlas alone.

Conclusions and Call to Action

RIPE Atlas offers a powerful, geographically distributed tool for the technical analysis of malicious websites. It allows the detection of targeted campaigns, infrastructure changes, and evasive behavior. Although it does not replace other tools that focus on the application layer, it is a valuable complement that enhances incident reporting by incorporating distributed and objective evidence.

Researchers, threat analysts, and CSIRTs are encouraged to include RIPE Atlas in their analysis and incident reporting workflows. Its potential to provide technical evidence from multiple locations makes it a valuable tool against increasingly sophisticated malware and phishing campaigns. We also encourage automating measurements and combining results with other sources, such as certificate analysis engines or domain reputation systems, for a more comprehensive and effective monitoring.

For a detailed introduction to RIPE Atlas, we recommend watching a recording of the presentation at the LACNIC42 event:

Additional Resources

• Official Documentation:

https://atlas.ripe.net/docs

• Platform:

https://atlas.ripe.net