Parler is Parked

parler.com is resolving again. It’s got a parked page saying, essentially, they’ll be back soon. The IP address is hosted by ddos-guard.com, which just dumped 8chan/8kun over the Capitol Insurrection. So… I’m not sure how that’s working. Also, DDoS-Guard is a shell company owned by two Russians and registered in Scotland.

So… Russian DDoS protection that just dumped 8kun for its role in the Capitol Insurrection has taken on Parler? WTF?

5 Likes

I doubt dumping 8kun has anything to do with any kind of line they won’t cross. Probably just covering their asses.

https://krebsonsecurity.com/tag/ddos-guard/

In October 2020, KrebsOnSecurity looked at how a web of sites connected to conspiracy theory movements QAnon and 8chan were being kept online by DDoS-Guard, a dodgy Russian firm that also hosts the official site for the terrorist group Hamas. New research shows DDoS-Guard relies on data centers provided by a U.S.-based publicly traded company, which experts say could be exposed to civil and criminal liabilities as a result of DDoS-Guard’s business with Hamas.

5 Likes

Apparently, the daily stormer is on their client list, so dropping 8kun is likely for other reasons than what they’ve stated.

This sure isn’t helping parler look like it isn’t part of Russia’s psyops.

Twitter warning label: there is no concrete proof that Russian intelligence is backing parler.

3 Likes

Can nerds with more knowledge of these things enlighten me? If these platforms return to service, what is stopping ISPs from blocking them wholesale? There is a de facto monopoly for most Americans (especially with anything approaching acceptable speeds), so what’s stopping Charter, Comcast, Verizon et al from simply blocking them legally, technologically, and theoretically?

2 Likes

I’m not being flippant, but nothing is stopping ISPs from DNS blackholing parler.com. I do this to a huge list of domains that peddle in ads and trackers on my home network. The ISP that blocked twitter last week was well within their legal rights:

The legal framework we had to stop this kind of thing was the net neutrality rules.

For an individual, using a VPN service would allow you to circumvent these kinds of blocks.

(Edit: all of the above applies to both DNS based and IP based blocks)

3 Likes
1 Like

This is what I meant by “parked”. They have a splash page promising to come back. They are not back up. It takes mere minutes to put that page together. That it took most of a week to get that done is embarrassing. Maybe we’ll get to see how long it takes to get a full backend running again.

(Which, unfortunately, I think is likely, as it sounds like AWS is giving them access to get their data back. Boo.)

1 Like

any truth to this?

1 Like

He’s being really loose with his definition of “back online”. Their DNS entry is resolving, and if you hit the IP it points to, port 443 is open and has a valid TLS certificate (from Let’s Encrypt). The IP I’m seeing right now is 190.115.31.151. It’s resolving consistently to that IP address for me (but I only tried twice just now, however, it looks like the one I was getting the other day, the WHOIS record certainly looks to be the same one). The page is literally just a splash page. It has no javascript and no links to do anything like login or go to a particular user page. There is a prominent link to a Fox News article which covers John Matze saying the service will be back in about a month.

WHOIS thinks that block (190.115.16.0/20) is owned by DDOS-GUARD CORP, and the listed responsible party is Evgeniy Marchenko, who is one of the two owners of DDoS Guard. The registered address is in Belize.

The other listed physical address is in Ecuador. The only listed email address is xengine@mail.ru.

Neustar’s geoip database thinks the IP address is in Belize (and it’s probably just using the WHOIS information for that).

The trail goes cold at 190.115.31.151. That’s clearly a proxy hosted by DDoS Guard and we don’t actually know anything about where the static page is being hosted. I would bet it’s on one of Epik’s servers.

They don’t have a backend built out. They did manage to recover all their data from AWS. A month to get back online screams incompetence (given that they have hosting and their data).

There isn’t great evidence that any of the servers are located in the Russian Federation. There is evidence that their front door is managed by citizens of the Russian Federation. And that that company has a pretty weird/questionable legal registration.

Their DNS provider is a US company, and its front door has an IP address listed as located in London.

Both Epik and DDoS Guard have very checkered reputations and a very ugly list of customers.

I’m betting their backend does wind up in Russia, but right now, Vickery is being way more confident in his claims than I can find public evidence for. And, FWIW, my professional creds are about as good as his. I’m an SRE with a sub specialty in security engineering. He’s a manager of a security research group. They might have something I haven’t uncovered, and they might be spending more time on it. Or he’s overselling the DDoS Guard Russia connection ¯_(ツ)_/¯

3 Likes

OK. I don’t know if you are baffling me with bullshite or dazzling me with your brilliance, because I didn’t understand 90% of what you wrote. :grin: I just thought it was an interesting method of trying to get back on line.

2 Likes

The tools for sussing this stuff out are pretty simple and ship with most Linux distributions. I don’t remember if they ship on MacOS, but you can certainly install them there. Likewise for Windows 10 (particularly if you have WSL installed).

I’m using the dig command to get IPs for domains and the whois command to look up registration information for both domains and IP address blocks (it’s smart enough to figure out whether I fed it a DNS name or an IP address, and for the latter, it will work out the CIDR of the block for you).

I don’t strongly endorse Neustar, it’s just the first tool that popped up when I googled for geoip lookup tool.

To figure out the TLS cert, I used openssl s_client -host parler.com -port 443 and then hit ctrl-d to close the connection without sending an HTTP request.

Ha! I just finished typing up the above to show my work and allow you and others to duplicate it :slight_smile: I’m an SRE. I try to be a pretty straight shooter. I judge my work on real metrics like uptime and latency and server load. And all of those are harsh, unforgiving standards that allow for no wishful thinking. (Which is part of why all this right wing alternative facts horseshit is so offensive to me. Must be nice to live in a fantasy world that coddles your whims.)

Feel free to ask more questions.

2 Likes
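The dig, whois and openssl steps described in the posts above, collected into one non-interactive script. This is an added example, not part of the original thread; the function names, the whois field labels it matches, and the constructed sample record are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): dig -> whois -> TLS certificate, scripted.
# Usage: sh this_script HOST [NET/BITS]   e.g. parler.com 190.115.16.0/20

# Constructed sample modelled on the fields the post reports; not real whois output.
SAMPLE_WHOIS='% Constructed record: not real whois output
inetnum:     190.115.16.0/20
owner:       DDOS-GUARD CORP
responsible: Evgeniy Marchenko
country:     BZ'

# Convert a dotted-quad IPv4 address to an integer (no leading zeros in octets).
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS: succeed if IP lies inside the block.
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Reduce a whois record on stdin to key=value lines for block, owner and country.
# Registries label these fields differently; the list below is an assumption.
whois_summary() {
  awk '{ i = index($0, ":"); if (!i) next
         k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1)
         sub(/^[ \t]+/, "", v)
         if (k ~ /^(inetnum|cidr|netrange|owner|orgname|country|responsible)$/)
           print k "=" v }'
}

trace_front_door() {
  host=$1; watch=$2
  for ip in $(dig +short A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$'); do
    echo "== $host resolves to $ip"
    if [ -n "$watch" ] && in_cidr "$ip" "$watch"; then echo "   inside $watch"; fi
    whois "$ip" | whois_summary
    # </dev/null replaces the manual ctrl-d; -servername sends SNI for $host.
    openssl s_client -connect "$ip:443" -servername "$host" </dev/null 2>/dev/null |
      openssl x509 -noout -subject -issuer -enddate
  done
}

if [ "$#" -gt 0 ]; then trace_front_door "$@"; fi
```

Connecting to the resolved IP rather than the name ties the certificate you see to the exact address dig returned, which matters when a proxy sits in front of the real host.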
