In a recent post, Brian Krebs discussed a technique for disrupting 8chan, a controversial message board. Ron Guilmette, a security researcher, spotted that N.T. Technology, the hosting company owned by 8chan’s current operator, no longer has the right to transact business as it is in the “administrative hold” state. ARIN, the Internet registry N.T. Technology obtained its IP address allocation from, would be within its rights to reclaim the IP address space.
Ron Guilmette is an expert in this type of analysis - last year he discovered the theft of $50 million worth of IP addresses in AFRINIC’s service region.
However, taking down 8chan is unlikely to be as simple as requesting that ARIN deallocates its IP address space. After deallocation, the IP addresses may continue to be advertised as fullbogons - netblocks that are used on the Internet despite not being assigned to an end user. While some Internet service providers do block fullbogons, this is by no means universal.
Furthermore, 8chan’s main domain name, 8kun.top, is not currently hosted on N.T. Technology’s infrastructure, so would not be affected by ARIN deallocating N.T. Technology’s address space. It currently resolves to 220.127.116.11, which belongs to a netblock delegated to VanwaTech. VanwaTech, also known as OrcaTech, is a hosting company based in Vancouver, Washington and owned by Nick Lim. Nick Lim previously served as the CTO of Epik for a short period of time, a hosting company that briefly hosted 8chan after Cloudflare terminated its contract with 8chan.
VanwaTech’s netblock is also home to:
- The Daily Stormer, a neo-Nazi publication.
- A number of sites related to QAnon, a conspiracy theory linked to 8chan.
- Gamer Uprising, a forum containing, among other content, threads discussing Daily Stormer articles.
VanwaTech operates its own autonomous system (AS398088), whose only upstream provider is Spartan Host Ltd (AS201106), a hosting company registered in Northern Ireland with its origins in Minecraft server hosting.
Measuring the round-trip time from a RIPE Atlas probe known to be located in Sabey’s Intergate.Seattle datacentre to 8chan’s IP reveals that 8chan is hosted just 0.501 milliseconds away - less than 31 miles at the typical speed of light in an optical fibre, and likely to be significantly closer after taking packet switching delays into account.
One of Spartan Host’s colocation providers is Wowrack, which is also based in Sabey’s Seattle datacentre. Combined with the short round-trip time, it is likely that VanwaTech, and therefore 8chan, is also located in Sabey’s datacentre.
While Spartan Host has several transit providers, it currently only advertises VanwaTech’s route to DDoS-Guard (AS57724), a Russian denial-of-service protection company that also provides service to the Club2CRD and Joker’s Stash carding sites. Spartan Host started routing VanwaTech’s traffic via DDoS-Guard after CNServers terminated its relationship with Spartan Host upon discovering its links to 8chan.
VanwaTech’s founder, Nick Lim, believes that controversial sites like 8chan should not be taken down, citing freedom of speech. Similarly, Spartan Host’s founder, Ryan McCully, confirmed he has no intention of terminating his relationship with VanwaTech in an interview with Brian Krebs. Given reported links between Russia and QAnon, it seems unlikely that DDoS-Guard will come under pressure within Russia for providing transit to 8chan.
However, it is likely that Spartan Host violates Wowrack’s acceptable usage policy, which states that the “transmission […] of content or technology that is illegal, harmful, offensive, defamatory or abusive is prohibited”. It isn’t clear if Wowrack and Sabey are aware of Spartan Host’s relationship with 8chan.