In September 2019, 600 armed German police officers seized the physical premises of a Bulletproof Hoster (BPH) known as CyberBunker 2.0. The hoster operated out of a decommissioned NATO bunker and advertised that it would host anything except child pornography and terrorism-related content, while keeping its servers online no matter what. While the anatomy, economics, and interconnection-level characteristics of BPHs have been studied, their traffic characteristics remain unknown. In this poster, we present the first analysis of the domains, web pages, and traffic captured at a major tier-1 ISP and a large IXP during the period in which the CyberBunker was in operation. Our study sheds light on the traffic characteristics of a BPH in operation. We show that a traditional BGP-based BPH identification approach cannot detect the CyberBunker, but we identify characteristics from a domain and traffic perspective that can inform future identification approaches.