Interesting Point of view - Russian police and RIPE accused of aiding RBN

noc acrino noc.akrino at
Sun Nov 8 10:27:34 UTC 2009

2009/11/6 Jeffrey Lyon <jeffrey.lyon at>

>  The primary issue is that we receive a fair
> deal of customers who end up with wide scale DDoS attacks followed by
> an offer for "protection" to move to your network. In almost every
> case the attacks cease once the customer has agreed to pay this
> "protection" fee. Every one of these attacks was nearly identical in
> signature.

By the way, Jeffrey, we can provide reports on HTTP-flood because our system
builds it's signatures on http traffic dumps like

=== IP:, last receiving time: 2009-10-25T23:07:37+03:00, many
identical requests (length 198):
GET / HTTP/1.1
Accept: */*
Accept-language: en-us
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:
Gecko/20061204 Firefox/
Host: [censored]
Connection: Keep-Alive

So using this info we can map botnets, learn different attacks and in
collaboration with ISPs - find CCs of new botnets. And what are your
accusations of the identical signatures based on when simple Staminus
resellers (like you are) do not have access to their signatures database?


Akrino Abuse Team

More information about the NANOG mailing list