
Uncontrolled PCDN: Observation and Case Analysis of the Current State of PCDN Technology

12 min read, Dec 3, 2024

Author: Knownsec 404 Active Defense Team
Date: November 22, 2024
Chinese version: https://paper.seebug.org/3242

Background Introduction

In October 2024, the Knownsec 404 Active Defense Team detected abnormal traffic on a client’s website that was suspected to be a CC (Challenge Collapsar) attack. Analysis showed that the attack appeared to be conducted by a PCDN provider: it was generating illicit download traffic against the client’s video files in order to balance the upstream and downstream traffic of its nodes.

During the investigation and analysis, we discovered that the development of PCDN technology is gradually spiraling out of control. To delve deeper into this issue, we conducted an investigation and analysis of the current state of PCDN technology and its underlying industry chain. Additionally, we performed a traceability analysis to identify the perpetrators behind this CC attack.

Current Status of PCDN

Introduction to PCDN

PCDN (Peer-to-Peer Content Delivery Network) is a content distribution acceleration network that combines P2P technology with CDN technology. Its core idea is to utilize the idle bandwidth and storage resources of user devices to provide efficient, low-cost content distribution services.

Unlike traditional CDNs that require the deployment of CDN server nodes in data center facilities, PCDN networks directly use user terminals as PCDN nodes. When users access content, they can directly obtain data from other users, significantly reducing the demand for data center resources.

However, PCDN also has significant drawbacks. The massive traffic volume of PCDN places enormous pressure on the backbone transmission networks of telecommunications operators. Since users’ broadband is usually billed at a flat monthly rate up to a peak bandwidth rather than by actual data usage, the more data a user moves within that limit, the higher the cost borne by the telecommunications operator.

Taking Shanghai as an example, both residential packages and business broadband packages with at least 100Mbps bandwidth are available. China Telecom offers a residential package with 1000Mbps downstream and 100Mbps upstream for only 229 RMB per month [1]. In contrast, a business broadband package with symmetrical 100Mbps upstream and downstream costs 1910 RMB per month [2].

The significant cost difference between the two has driven internet companies to actively promote the adoption of PCDN technology. By utilizing the resources of residential broadband, PCDN technology allows a large amount of traffic that would normally go through business broadband to instead use residential broadband routes, greatly reducing the costs for enterprise users.

The Confrontation Between PCDN Manufacturers and Operators

While the promotion of PCDN technology has indeed reduced costs for businesses, it has also increased costs for operators to some extent, affecting their profits. Since the beginning of this year, operators across various regions have intensified their crackdown on the use of residential broadband as PCDN nodes. The upstream traffic of PCDN nodes far exceeds the downstream traffic, whereas in normal residential broadband, the downstream traffic greatly surpasses the upstream traffic. Some operators use this difference in the ratio of upstream to downstream traffic to identify PCDN nodes.

To evade the inspections of telecom operators, PCDN manufacturers must disguise the traffic profile of PCDN nodes to resemble regular residential broadband, bringing upstream and downstream volumes roughly into balance. Consequently, PCDN manufacturers have begun to aggressively hijack downstream traffic. To do so efficiently, they target BT nodes that hold large numbers of resource files, as well as websites hosting mirror files, installation packages, and audio/video resources.

The behavior of PCDN manufacturers hijacking downstream traffic exhibits the following characteristics:

  1. The attack IPs are mostly residential broadband and often from the same province: When operators in a certain region crack down on PCDN nodes, PCDN manufacturers control local PCDN nodes to simulate download traffic, disguising it as regular residential broadband;
  2. The timing of the hijacking is relatively fixed, with consistent User-Agent headers and Referer headers;
  3. The targets of the hijacking are often resource files with large data volumes.

Stakeholders in the PCDN Industry

Throughout the entire PCDN industry, several key roles can be identified:

  1. Internet companies seeking affordable, high-quality content acceleration services;
  2. PCDN manufacturers building PCDN networks to earn profits;
  3. PCDN bounty users who sell their bandwidth and computing resources to earn rewards;
  4. Operators needing to protect their own interests;
  5. Organizations involved in black or gray markets that require content acceleration services or exploit vulnerabilities to set up PCDN nodes;
  6. Potential black or gray market practitioners providing hijacking tutorials or services.

Among these, PCDN manufacturers and PCDN bounty users share essentially aligned interests. Both seek to profit by utilizing the inexpensive bandwidth resources of residential broadband, and thus can be considered as a single role (hereinafter referred to collectively as PCDN manufacturers).

Internet companies offering live streaming and video services need to reduce their costs by using inexpensive PCDN traffic. They either build PCDN nodes within their own clients or purchase traffic from PCDN manufacturers. For example, the iQIYI client uses HCDN technology (a hybrid of traditional CDN and P2P network technology for content distribution) to accelerate user experience [3].

PCDN manufacturers acquire PCDN nodes either by setting them up themselves or through bounty recruitment, and then sell the PCDN traffic resources to other companies in need. They have control over the PCDN nodes, allowing for the efficient management of PCDN network resources. For example, Alibaba’s Node Sharing Platform recruits nodes, requiring users to provide login permissions and reset passwords [4].

We analyzed 70 major companies involved in the PCDN business and found that 67 of them use cash as bounties, while 3 use points (which can be exchanged for cash and gifts) to recruit PCDN nodes. PCDN bounty users earn rewards from PCDN manufacturers by deploying relevant software and hardware locally. This recruitment method allows PCDN manufacturers to quickly deploy PCDN nodes and gain more traffic resources.

Operators are affected on two fronts: firstly, the reduced demand for traditional CDN services from internet companies offering live streaming and video services impacts their revenue. Secondly, the deployment of PCDN nodes by residential broadband users increases backbone network traffic and operational costs. Additionally, with the three major telecom operators starting internal inter-provincial traffic settlement this year [5], local operators must intensify their efforts to combat PCDN nodes to maintain their profits.

In early 2024, Qi An Xin’s X Lab released an article titled “The Shadow Over the Set-Top Box: Unveiling the Mysterious Black and Gray Market Group Bigpanzi After 8 Years” [7]. It introduced a team that exploited set-top box vulnerabilities to turn victims into PCDN nodes. Utilizing PCDN technology to build content distribution networks significantly reduces data center costs and offers better monetization methods for terminals controlled by black and gray market organizations. This indicates that the use of PCDN technology for illegal activities by these organizations has become a trend.

To evade operator crackdowns, profit-seeking PCDN manufacturers extensively hijack downstream traffic from other websites, causing significant losses to website operators. To cater to the needs of PCDN manufacturers seeking to avoid detection by operators, platforms like Idle Fish and Taobao have seen a surge in merchants offering paid services/tutorials for hijacking downstream traffic.

These merchants directly violate Article 27 of the “Cybersecurity Law of the People’s Republic of China” [8], making themselves de facto practitioners in the black and gray markets.

Event Analysis

The demand from internet companies for affordable content acceleration services has driven rapid expansion in the PCDN industry, which has significantly impacted operators’ interests. Operators’ crackdown on PCDN node networks has prompted PCDN manufacturers to aggressively hijack downstream traffic. This hijacking behavior has led to frequent occurrences of such CC attacks.

Analysis of Targets Attacked

To conduct a more comprehensive and in-depth analysis of the impact of this CC attack event, the 404 Active Defense Lab relied on the ZhiDaoChuYu Cloud Defense Platform to analyze all data from October 3, 2024, 00:00:00 to October 13, 2024, 00:00:00. A total of 180 domains and 1,127 URLs were found to have received hijacked traffic, accumulating 51,903,872 visits and 35.89TB of hijacked traffic. By extrapolation, without the defense platform in front of them, these domains would have received 8,076.73TB of hijacked traffic. The defense platform filtered out 99.56% of the malicious traffic, keeping the aforementioned websites operating normally.

Among the 180 attacked domains, 90 belong to government agencies, 38 to private enterprises, and 26 to state-owned enterprises, accounting for 50%, 21.11%, and 14.44% respectively. The 116 domains belonging to government agencies and state-owned enterprises accumulated 37,083,261 visits and 31.75TB of hijacked traffic, accounting for 71.45% of total visits and 88.46% of total hijacked traffic.

Analysis of the attacked URLs showed that video (mp4) files were hijacked most often: 33,904,968 requests, or 65.32% of all hijacked requests.

Video files, typically characterized by their large file sizes and minimal access restrictions, are the preferred targets for PCDN manufacturers to hijack downstream traffic. During the statistical period, video (mp4) files accumulated a total of 28.19TB of hijacked traffic, accounting for 81.32% of the total.

Attack IP Analysis

During the analysis period, a total of 1,362 attack IPs were identified. These IPs generated 33,979,894 visits and 12.71TB of traffic.

Analyzing the geolocation of these 1,362 attack IPs revealed that most of them came from Guangdong and Shandong, accounting for 34.5% and 27.8% of the total, respectively.

A group of PCDN nodes controlled by the same PCDN manufacturer, being centrally managed for downstream-traffic hijacking, should show similar visit-frequency patterns and geographic locations. Analyzing the visit-frequency curves and geolocations of the attack IPs revealed two groups with similar frequency trends and identical geographic locations, from which we conclude that both groups are controlled by professional PCDN manufacturers.

| Serial Number | IP List | Geographic Location | Access Frequency |
|---|---|---|---|
| 1 | 182.xx.xx.13, 182.xx.xx.16, 182.xx.xx.17, 182.xx.xx.18 | Qingdao, Shandong, China | Access from this group of IPs is primarily concentrated between 12:00 and 24:00. |
| 2 | 182.xx.xx.10, 182.xx.xx.15, 182.xx.xx.19, 182.xx.xx.2, 182.xx.xx.20, 182.xx.xx.21, 182.xx.xx.3, 182.xx.xx.4, 182.xx.xx.42, 182.xx.xx.43, 182.xx.xx.44, 182.xx.xx.46, 182.xx.xx.5, 182.xx.xx.50, 182.xx.xx.51, 182.xx.xx.52, 182.xx.xx.53, 182.xx.xx.54, 182.xx.xx.55, 182.xx.xx.56, 182.xx.xx.57, 182.xx.xx.58, 182.xx.xx.59, 182.xx.xx.6, 182.xx.xx.7, 182.xx.xx.70, 182.xx.xx.71, 182.xx.xx.8, 182.xx.xx.9 | Qingdao, Shandong, China | Access from this group of IPs is primarily concentrated between 0:00 and 20:00. |

Upon analyzing these two groups of IPs using the Knownsec security intelligence platform, it was found that all their threat levels were classified as low, they were all operated by China Telecom, and they all carried the HTTP proxy tag.

| IP | Threat Level | Tags | Geographic Location | Operator |
|---|---|---|---|---|
| 182.xx.xx.9 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.8 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.71 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.70 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.7 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.6 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.59 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.58 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.57 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.56 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.55 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.54 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.53 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.52 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.51 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.50 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.5 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.44 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.43 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.42 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.4 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.3 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.21 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.20 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.2 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.19 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.18 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.17 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.16 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.15 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.14 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.13 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |
| 182.xx.xx.10 | Low | HTTP Proxy | Qingdao, Shandong | Telecom |

PCDN nodes controlled by PCDN manufacturers are typically aimed at earning revenue from PCDN traffic. They need to avoid high-risk attack behaviors to prevent being identified as malicious IPs by major security vendors, which would render the PCDN nodes unusable.

These IPs share the same geographic location and ISP, exhibit no high-risk attack behaviors, and all showed large-scale concentrated access in September and October of this year. These characteristics fully align with the behavioral traits of PCDN nodes under the control of PCDN manufacturers.

Analysis of Attacker User-Agent Characteristics

During the analysis period, several abnormal User-Agents were identified.

| Serial Number | User-Agent | Access Statistics |
|---|---|---|
| 1 | Empty User-Agent | 5,482,110 |
| 2 | Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729) | 4,858,001 |
| 3 | Wget/1.14 (linux-gnu) | 5,927 |

Empty User-Agent: When normal users access a site, regardless of the device or browser used, this field should not be empty. An empty User-Agent typically appears in automated scripts; therefore, it is considered an anomaly.

Outdated Client: Firefox/3.6.3 was released in 2010 and has undergone numerous updates since then. Its presence should be minimal now. However, during the analysis period, there were 4.85 million access requests with the header “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)”. This User-Agent header is considered anomalous.

User-Agents of Tools like Wget: Ordinary users typically do not use tools like wget or curl to access client websites. Conversely, many tutorials on hijacking downstream traffic involve using tools like wget and curl. Therefore, the User-Agent header “Wget/1.14 (linux-gnu)” is considered anomalous.

Source Tracing Analysis

Analyzing the associated IPs extracted earlier, it was found that they are linked to a certain cloud provider.

A Certain Cloud Provider

Upon analyzing the previously mentioned IPs, it was discovered that they all originate from the Qingdao, Shandong network segment 182.*.64.0/24, generating over 500,000 accesses in total.

Through ZoomEye’s mapping data, it was found that the SSL certificates bound to the above IPs were all issued for dxxx.kxxx.com.

Upon conducting a domain registration lookup, it was discovered that kxxx.com belongs to a certain cloud network technology company.

Additionally, upon querying the organizational structure of the cloud company, it was found that its subsidiary, a certain Cloud Edge Computing Technology Company, operates a PCDN business.

Subsequently, we found that the cloud provider was recruiting PCDN R&D engineers on a job recruitment platform, which indirectly indicates that its PCDN business is indeed operating normally.

Conclusion

PCDN manufacturers control user terminals through software backdoors or entice individual users to install PCDN node software/hardware with bounties, building content distribution networks for sale and thereby reaping substantial profits. Where there is profit, there will be disputes. The conflict of interests has led operators to vigorously crack down on PCDN networks, while PCDN manufacturers, in order to evade detection by operators, rampantly hijack downstream traffic. In the confrontation between operators and PCDN manufacturers, a complete upstream and downstream industry chain has gradually emerged.

Through the analysis of this incident, we found that the IPs hijacked by PCDN have the following characteristics:

  1. Request targets are mostly large data files such as audio and video files, compressed packages, and image files;
  2. They exhibit similar time period characteristics and identical geographic locations of IP addresses;
  3. Most have the same User-Agent or group of User-Agents and Referer.
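As an added example that is not part of the original write-up, the following Python scores access-log lines for the traits listed above and in the earlier User-Agent analysis: an anomalous User-Agent (empty, download tool, or the 2010-era Firefox 3.6.3), a large audio/video, archive or font target, and several distinct hosts from one /24 fetching in overlapping hours. The log lines, addresses (RFC 5737 documentation ranges) and paths are constructed; the 20MB threshold is the one the protective suggestions below use.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed combined-format log sample (RFC 5737 documentation addresses, made-up
# paths): the 198.51.100.0/24 hosts mimic the write-up's traits, the last two are normal.
SAMPLE_LOG = """\
198.51.100.9 - - [05/Oct/2024:13:02:11 +0800] "GET /media/intro.mp4 HTTP/1.1" 200 52428800 "-" "-"
198.51.100.8 - - [05/Oct/2024:13:05:40 +0800] "GET /media/intro.mp4 HTTP/1.1" 200 52428800 "-" "Wget/1.14 (linux-gnu)"
198.51.100.71 - - [05/Oct/2024:14:11:02 +0800] "GET /media/intro.mp4 HTTP/1.1" 200 52428800 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)"
198.51.100.70 - - [05/Oct/2024:14:30:59 +0800] "GET /downloads/pkg.zip HTTP/1.1" 200 104857600 "-" "Wget/1.14 (linux-gnu)"
198.51.100.3 - - [05/Oct/2024:13:40:00 +0800] "GET /media/intro.mp4 HTTP/1.1" 206 1048576 "https://example.test/play" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/129.0 Safari/537.36"
203.0.113.5 - - [05/Oct/2024:09:15:00 +0800] "GET /index.html HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/131.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^:\]]+:(?P<hour>\d\d):\d\d:\d\d [^\]]*\] '
    r'"\S+ (?P<path>\S+) [^"]*" \d{3} (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')
LARGE_EXTS = (".mp4", ".mp3", ".flv", ".zip", ".rar", ".7z", ".iso", ".ttf", ".woff")
LARGE_BYTES = 20 * 1024 * 1024  # the write-up's 20MB rate-limit threshold

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec["hour"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def ua_anomaly(ua):
    """Classify a User-Agent into the anomaly types the article describes, or None."""
    if ua in ("", "-"):
        return "empty"      # browsers always send a User-Agent
    low = ua.lower()
    if low.startswith(("wget/", "curl/")):
        return "tool"       # download tools favoured by hijacking tutorials
    if "firefox/3.6" in low:
        return "outdated"   # 2010-era client seen 4.85 million times in the incident
    return None

def is_large_target(path, size):
    return path.lower().endswith(LARGE_EXTS) or size > LARGE_BYTES

def suspicious_subnets(log_text, min_hosts=3):
    """Group anomalous large-file requests by source /24; keep nets with several hosts."""
    nets = defaultdict(lambda: {"hosts": set(), "hours": set(), "reasons": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        reason = rec and ua_anomaly(rec["ua"])
        if not reason or not is_large_target(rec["path"], rec["size"]):
            continue  # ordinary browsing, even from the same /24, is not counted
        net = str(ip_network(rec["ip"] + "/24", strict=False))
        nets[net]["hosts"].add(rec["ip"])
        nets[net]["hours"].add(rec["hour"])
        nets[net]["reasons"][reason] += 1
    return {net: {"hosts": len(v["hosts"]), "hours": sorted(v["hours"]), "reasons": dict(v["reasons"])}
            for net, v in nets.items() if len(v["hosts"]) >= min_hosts}
```

The reported hour set is what lets an analyst compare a subnet against the fixed daily windows seen in the incident; an isolated wget from a residential address does not by itself cross the `min_hosts` bar.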

In response to the current CC attacks initiated by PCDN manufacturers, we offer the following protective suggestions:

  1. Configure security policies on relevant protection devices;
  2. It is recommended to separately limit the access frequency for audio and video files, font files, and compressed packages larger than 20MB;
  3. It is advised that source servers also implement a circuit breaker mechanism, setting access flow limits based on normal circumstances.

References

[1] https://sh.189.cn/newmall/static/30010004/109295.html?undefined
[2] https://www.shkd.cc/
[3] https://www.iqiyi.com/common/loginProtocol.html
[4] https://zm.sparenode.com/
[5] http://www.cww.net.cn/article?id=591786
[6] https://www.txrjy.com/thread-1334816-1-1.html
[7] https://blog.xlab.qianxin.com/unveiling-the-mystery-of-bigpanzi/
[8] https://www.gov.cn/xinwen/2016-11/07/content_5129723.htm
[9] https://www.gov.cn/gongbao/content/2000/content_60531.htm
[10] https://www.miit.gov.cn/jgsj/xgj/gzdt/art/2020/art_6dd0e345bc3947b2a7c88509c4951cd0.html


404 Team, the core team of Knownsec, a well-known security company in China. Twitter: @seebug_team; YouTube: @404team knownsec; Email: zoomeye@knownsec.com