ORB Networks and the Slow Death of the IP Blocklist
For about fifteen years the egress IP was the closest thing intrusion analysts had to a fingerprint. You pulled the source address out of the firewall logs, ran it against intel, checked the ASN and the geo, and you had a thread to pull. Block the /24, push the indicator to the SIEM watchlist, ship it to the ISAC, move on. That whole workflow is quietly coming apart, and operational relay box networks are a big part of why.
Mandiant put a blunt name on it in May 2024: “IOC Extinction?” The report is worth reading in full, but the load-bearing claim is this: an IPv4 address tied to an ORB node can live in the network for as few as 31 days, and cycling a large share of infrastructure monthly is a selling point among the contractors who run these things. That’s their own number, not a journalist’s paraphrase. If your block lists and indicator feeds refresh slower than the adversary rotates exit nodes, you are defending against last month’s infrastructure.
What an ORB actually is
Strip the marketing and an ORB network is a proxy mesh that sits between an APT operator and the victim. Mandiant describes them as the love-child of a VPN and a botnet, and that’s about right. Compromised SOHO routers and IoT junk on one side, leased VPS nodes on the other, a customized TOR layer in some of them, traffic relayed across the pool so the entry point is masked and the exit node lands somewhere geographically boring relative to the target.
The part that breaks the old playbook is ownership. These networks are run by independent contractors inside the PRC, not by the APT crews using them. One mesh, many tenants. Mandiant tracks ORB3 / SPACEHOP as a provisioned (leased-VPS) network used by APT5 and APT15 for recon and exploitation — a SPACEHOP node was used to hit CVE-2022-27518 on Citrix gear in late 2022. ORB2 / FLORAHOX is the messier hybrid: an ACOS control node, compromised Cisco, ASUS, and Draytek end-of-life routers, leased VPS, and a TOR relay layer stitched together, with router implants like FLOWERWATER recruiting new nodes and a MIPS tunneler (PETALTOWER) driven by bash scripts handling traversal. Multiple actors have been reported using it, including activity tracked as APT31.
So when you see the egress IP, you might be able to say “that’s a FLORAHOX node.” You generally cannot say which intelligence service was driving it that day. Attribution by infrastructure is dead at the IP layer, and the weaponization phase has effectively been outsourced.
Why blocking the IP fails three different ways
The rotation problem is the obvious one. Block an exit node and it ages out of the mesh before your detection content even gets reviewed in change control. You’re not wrong to block it. You’re just always late, and the list grows without bound.
The second failure is uglier: a lot of these nodes are residential. The 911 S5 takedown in May 2024 is the clean illustration of the scale here — per DOJ, that residential proxy service spanned over 19 million unique IP addresses across more than 190 countries, with 613,841 of them in the United States. Those were real people’s Windows machines, infected through sketchy free-VPN installers (MaskVPN, DewVPN, ProxyGate, and friends). Now picture blocking a residential ASN because one address in it relayed an attack. You just blocked a chunk of your actual customers, and the support tickets land on someone else’s desk an hour later. The adversary already knew that. Hiding malicious traffic inside genuine residential noise is the whole point.
Third, the ASN move doesn’t save you either. The instinct after the rotation problem sinks in is to stop blocking IPs and start blocking hosting ASNs — OVH, Stark Industries, the cheap-VPS crowd that shows up heavily in the SPACEHOP composition data. Fine for the provisioned half. Useless for the non-provisioned half riding compromised SOHO gear on Comcast and BT and Telekom. You cannot blanket-block consumer broadband ASNs and stay employed.
Flax Typhoon / Raptor Train is the case that ties it together. The September 2024 joint advisory from FBI, NSA, and Cyber National Mission Force (with the other Five Eyes) put the botnet at over 260,000 devices as of June 2024, run by Beijing-based Integrity Technology Group, with a backend database holding 1.2 million compromised-device records and more than 385,000 unique U.S. victim devices. Mirai variant, SOHO routers and IP cameras and NAS boxes, the usual end-of-life soup. Treasury sanctioned Integrity Tech in January 2025. The infrastructure is enormous, disposable, and shaped to look like residential background radiation. No blocklist keeps pace with that.
Stop attributing the pipe. Watch the behavior at the ends.
Mandiant’s prescription is to track ORB networks as evolving entities with their own TTPs rather than as inert indicators — fingerprint the node behavior (open ports, services, JARM/TLS characteristics, hosting and registration patterns) and treat the mesh like you’d treat an APT. That’s correct for a threat-intel team with the headcount to do it. Most shops don’t have that. For the people actually running detections, the practical pivot is to move the decision off the source IP and onto two things the proxy can’t easily fake: identity and behavior at the endpoints of the connection.
Identity first, because it’s the strongest signal you control. If an authentication lands from a residential IP in the same city as the user, geo-velocity and “impossible travel” rules do nothing — that’s exactly the geography ORBs pick on purpose. What still bites is the credential-plus-device binding. In Entra ID, Conditional Access with a managed-device requirement (compliant or Hybrid Azure AD joined) plus phishing-resistant auth means a stolen password relayed through a proxy node still fails because the attacker doesn’t have the device cert or the FIDO2 key. Okta with device trust and a hardware authenticator gets you to the same place. The IP became irrelevant, which is the point — you stopped trusting the network and started trusting the cryptographic proof. This is the AC and IA families doing the work that SC at the perimeter no longer can.
For non-interactive traffic — the edge-device exploitation ORBs are built to proxy — identity means mutual TLS and workload identity between your own services, so a relayed request from outside the trust boundary has no valid client cert and dies at the handshake. Brittle in exactly one predictable way: the day a cert expires unnoticed, something load-bearing goes dark at 0300 and the on-call gets paged for what looks like an outage, not a security event.
Behavior second. This is where you catch the stuff identity misses, and where the false-positive math gets real.
TLS fingerprinting (JA3, or JA4 if your stack emits it) is the usual first reach. The idea: the implant’s TLS client stack fingerprints differently from a browser, regardless of which exit IP it came from. It works, with caveats the vendors gloss over. JA3 collides constantly because half the internet uses the same handful of TLS libraries, so a raw JA3 match is a lead, not a verdict. JA4 is better but you need the sensor and the index field to actually carry it — and if you’re on Zeek feeding Splunk, confirm the ssl.ja4 field is populated before you write content against it, because a rule keyed on a field that’s silently null fires zero times and looks like “all clear.”
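The "silently null field" check from above, as an added example that is not from the original post: it walks Zeek ssl.log records in JSON form, measures how often the fields a rule keys on are actually populated (split per sensor so you can see which box is not carrying JA4), and refuses to clear a rule whose field is mostly empty. The record layout, the `_sensor` tag, and the JA3/JA4 values are constructed for the demo; the bare `ja3` / `ja4` field names are assumed to be what your ssl.log carries before Splunk prefixes them.

```python
import json
from collections import Counter, defaultdict

# Constructed Zeek ssl.log records in JSON form (not from the original post).
# sensor-a runs a build that emits ja4; sensor-b emits only ja3, so "ja4" is
# either absent (Zeek JSON omits unset fields) or null on its records.
JA3_SAMPLE = "5d64c6f1f3e0b2a7e6e0c4fd1b2e9a00"          # constructed placeholder
JA4_SAMPLE = "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb"        # constructed placeholder

def _rec(sensor, i, extra):
    r = {"ts": 1718000000.0 + i, "id.orig_h": f"10.0.1.{i}", "id.resp_h": "203.0.113.10",
         "ja3": JA3_SAMPLE, "_sensor": sensor}
    r.update(extra)
    return json.dumps(r)

SSL_LOG_LINES = (
    [_rec("sensor-a", i, {"ja4": JA4_SAMPLE}) for i in (1, 2, 3)]
    + [_rec("sensor-b", 4, {}), _rec("sensor-b", 5, {}), _rec("sensor-b", 6, {"ja4": None})]
)

def field_coverage(lines, fields, group_key=None):
    """Count populated vs total records per field. A value counts as populated
    only if the key exists and is not null, empty, or Zeek's '-' placeholder.
    With group_key (e.g. "_sensor") the counts are split per group, which shows
    which sensor is not carrying the field at all."""
    total, populated = Counter(), defaultdict(Counter)
    for line in lines:
        rec = json.loads(line)
        g = rec.get(group_key, "*") if group_key else "*"
        total[g] += 1
        for f in fields:
            if rec.get(f) not in (None, "", "-"):
                populated[f][g] += 1
    return {f: {g: (populated[f][g], total[g]) for g in total} for f in fields}

def rule_field_problems(lines, rule_fields, min_coverage=0.9):
    """Gate a detection rule: every field it keys on must be populated on at
    least min_coverage of records. Returns readable problems; [] means deploy."""
    cov = field_coverage(lines, rule_fields)
    problems = []
    for f in rule_fields:
        pop, tot = cov[f]["*"]
        ratio = pop / tot if tot else 0.0
        if ratio < min_coverage:
            problems.append(f"{f}: populated on {pop}/{tot} records ({ratio:.0%})")
    return problems
```

Run the gate against a sample of the index the rule will actually search, not against a sensor-side pcap, since the gap is usually introduced between sensor and index.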
The higher-value behavioral signals are at the data layer. Outbound volume anomalies per host. A workstation that suddenly speaks to an external endpoint on a long-lived connection it’s never used. Beaconing periodicity. The detections that survive contact with an ORB are the ones watching what leaves your network and how, not where it appears to come from.
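The beaconing-periodicity signal, as an added example that is not from the original post: it groups Zeek conn.log records by (source host, external destination), takes the gaps between successive connections, and scores each pair by the coefficient of variation of those gaps, so a host talking to the same endpoint on a near-fixed period floats to the top regardless of which exit node the other end is. The conn records, hosts, and gap patterns are constructed; the `min_gaps` floor is the code-level reason the lookback window has to hold several periods.

```python
import itertools
import json
import statistics
from collections import defaultdict

# Constructed Zeek conn.log JSON records (not from the original post).
# 10.0.1.5 -> 198.51.100.7 connects every ~60 s with a few seconds of jitter (beacon-like);
# 10.0.1.9 -> 203.0.113.20 connects at irregular, human-paced gaps.
BASE_TS = 1718000000.0
BEACON_JITTER = [0, 1, -1, 2, 0, -2, 1, 0, 1, -1]
HUMAN_GAPS = [5, 400, 12, 1900, 30, 7, 650, 90, 3, 2400]

def _conn(ts, src, dst):
    return json.dumps({"ts": ts, "id.orig_h": src, "id.resp_h": dst, "id.resp_p": 443, "proto": "tcp"})

CONN_LOG_LINES = (
    [_conn(BASE_TS + 60 * i + j, "10.0.1.5", "198.51.100.7") for i, j in enumerate(BEACON_JITTER)]
    + [_conn(t, "10.0.1.9", "203.0.113.20") for t in itertools.accumulate(HUMAN_GAPS, initial=BASE_TS)]
)

def gaps_by_pair(lines):
    """Group connection start times by (orig_h, resp_h) and return the
    inter-connection gaps in seconds for each pair, in time order."""
    times = defaultdict(list)
    for line in lines:
        r = json.loads(line)
        times[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    out = {}
    for pair, t in times.items():
        t.sort()
        out[pair] = [b - a for a, b in zip(t, t[1:])]
    return out

def periodicity_score(gaps, min_gaps=8):
    """Coefficient of variation (stdev / mean) of the gaps. Near 0 means a regular
    beacon; large means bursty, human-driven traffic. Returns None when there are
    too few gaps to judge, so the lookback must be long enough to hold several periods."""
    if len(gaps) < min_gaps:
        return None
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return None
    return statistics.pstdev(gaps) / mean

def beacon_candidates(lines, max_cv=0.2, min_gaps=8):
    """Return [(pair, cv, connection_count)] for pairs whose gaps look periodic,
    most regular first. Candidates still need triage against known agents and CDNs."""
    found = []
    for pair, gaps in gaps_by_pair(lines).items():
        cv = periodicity_score(gaps, min_gaps)
        if cv is not None and cv <= max_cv:
            found.append((pair, cv, len(gaps) + 1))
    return sorted(found, key=lambda x: x[1])
```

Sleep-jittered implants push the CV up, so treat `max_cv` as a tuning knob per environment rather than a constant, and expect update agents and telemetry SDKs to score as candidates until they are allowlisted.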
| Old reflex | What it assumes | Why ORBs break it | Where to move the control |
|---|---|---|---|
| Block source IP / push IOC | Infra is stable and actor-owned | ~31-day node lifespan; shared by many tenants | Egress behavior + identity (SI, IA) |
| Block hosting ASN | Adversary uses cheap VPS | Half the mesh rides residential ISPs | Device-bound auth (AC, IA) |
| Geo-velocity on logins | Attacker egresses far from user | Exit node sits in the user’s own city | Phishing-resistant MFA + device trust (IA, AC) |
| Perimeter allow/deny lists | Trust follows the network | Traffic blends into legit residential noise | Workload identity / mTLS (SC, IA) |
The telemetry bill comes due
None of this is free, and anyone selling it as a clean swap is lying. Egress flow logging and full TLS metadata at line rate is expensive to retain — you’ll be making hot-versus-cold tradeoffs on netflow and Zeek conn logs inside the first quarter, and the beaconing detection you want needs a long enough lookback window to see the period, which fights directly with your retention budget.
The false-positive load is the part that floods the SOC. Behavioral egress rules that look surgical in a lab light up the moment they meet a real network full of software-update CDNs, telemetry agents phoning home, and that one finance app that opens a persistent connection to a vendor nobody documented. Expect the first tuning pass to be mostly carve-outs, and expect a good chunk of your “new external destination” alerts to resolve as a SaaS vendor that changed CDNs. The signal is in there. It’s just downstream of a few weeks of allowlist grooming, and the rule will need re-grooming every time a major vendor shuffles infrastructure.
Time skew matters more than people expect here too. Beaconing analysis and cross-host correlation fall apart when your router and IoT-adjacent log sources are 40 seconds off because NTP was never configured on the edge gear. Fix clock discipline before you trust periodicity math. This is unglamorous AU and SI hygiene and it’s the difference between a working detection and a confidently wrong one.
Keep the IP blocklist. It still catches the lazy, the commodity, and the reused. Just demote it from primary control to speed bump, and stop measuring your program by how many indicators are in the deny list. Against a mesh engineered to be disposable, that number is vanity. The controls that hold are the ones that don’t care what the source IP claims to be: cryptographic identity at authentication, workload identity between services, and behavioral analytics watching the data leave. Everything else is you blocking last month’s routers while the contractor spins up next month’s.
Sources
- IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders (Google Cloud / Mandiant)
- An Introduction to Operational Relay Box (ORB) Networks (Team Cymru)
- People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations (Department of Defense / NSA-FBI-CNMF advisory PDF)
- Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers (U.S. Department of Justice)
- 911 S5 Botnet Dismantled and Its Administrator Arrested in Coordinated International Operation (U.S. Department of Justice)
- Guidance on the 911 S5 Residential Proxy Service (FBI IC3)
- US Treasury office sanctions firm connected to state-sponsored Flax Typhoon threat group (Cybersecurity Dive)
- State hackers turn to massive ORB proxy networks to evade detection (BleepingComputer)
- FBI joint operation takes down massive Chinese botnet, Wray says (CyberScoop)
- Chinese Hackers Rely on Covert Proxy Networks to Evade Detection (Infosecurity Magazine)