Interesting Point of view - Russian police and RIPE accused of aiding RBN
jeffrey.lyon at blacklotus.net
Sun Nov 8 14:01:57 CST 2009
We're not a Staminus reseller. Please do your homework:
I'm not going to hold court on whether or not you or your resellers
are DDoSing competitor's customers, I was merely stating my opinion.
The reader can draw their own conclusion. I think your network is
blackhat, you say it's not. I say your entire network has minimal
legitimate traffic and you say you have a diverse customer base. The
way I see it right now:
- You're an anonymous BVI company with no physical location
- This Computerworld article is referring to Akrino:
I was consulted on this article before it went to print and I'll put
my reputation on that.
- All of the sites on Akrino around early 2008 were on NEAVE LIMITED
until shutdown by uplink Eltel. They all came back up under Akrino
uplink to Anders (AS39792).
- 22.214.171.124/22 has one actual company with legitimate commercially
necessary traffic (will provide a full report if you want to push the
issue) yet is responsible for hundreds of malware infections over the
past 6 months (see again,
-- The aforementioned company (solidtrustpay.com) was a Black Lotus
customer and had received several days of multi-Gbps DDoS that
subsided only once the customer agreed to use your network
--- Post-DDoS the customer's server began receiving SSH connections
from some former Soviet country (forget which offhand) trying to debug
a reverse proxy (not sure if you/they realize that we filter your
announcements). In the real world DDoS does not stop just hours before
the gaining host goes to set up a proxy.
- The attacks you claim to be filtering would not be possible unless
your connection to AS39792 is 10GE or they're doing the filters for
- The above has occurred at least three times with Akrino, zero times
with better known, respected providers.
- A handful of respected net ops have contacted me off list to confirm
much of this data and provide additional evidence.
Again, these are merely *opinions* and form the foundation of why I
believe Akrino is a black hat network. Perhaps if you didn't have
black hat resellers you wouldn't have this reputation? Maybe you
should reconsider who you allow to resell your network? I don't know
for certain but you need to clean up your network so you don't end up
like Atrivo. Clean up now and everyone wins.
On Sun, Nov 8, 2009 at 5:27 AM, noc acrino <noc.akrino at gmail.com> wrote:
> 2009/11/6 Jeffrey Lyon <jeffrey.lyon at blacklotus.net>
>> The primary issue is that we receive a fair
>> deal of customers who end up with wide scale DDoS attacks followed by
>> an offer for "protection" to move to your network. In almost every
>> case the attacks cease once the customer has agreed to pay this
>> "protection" fee. Every one of these attacks was nearly identical in
> By the way, Jeffrey, we can provide reports on HTTP-flood because our system
> builds its signatures on http traffic dumps like
> === IP: 126.96.36.199, last receiving time: 2009-10-25T23:07:37+03:00, many
> identical requests (length 198):
> GET / HTTP/1.1
> Accept: */*
> Accept-language: en-us
> User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:188.8.131.52)
> Gecko/20061204 Firefox/184.108.40.206
> Host: [censored]
> Connection: Keep-Alive
> So using this info we can map botnets, learn different attacks and in
> collaboration with ISPs - find CCs of new botnets. And what are your
> accusations of the identical signatures based on when simple Staminus
> resellers (like you are) do not have access to their signatures database?
> Akrino Abuse Team
Jeffrey Lyon, Leadership Team
jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.
Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."
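
The per-IP "many identical requests" grouping described in the quoted message, sketched as an added example; it is not part of the original thread and is not either party's system. The Host masking, the repeat threshold, the helper names and all sample requests and addresses are constructed assumptions.

```python
import hashlib
from collections import Counter, defaultdict

def fingerprint(raw: bytes) -> str:
    """Hash request line + headers. Header order and casing are kept (they
    are part of a bot template); the Host value is masked so one template
    matches across target sites (an assumption of this example)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    kept = [lines[0]]
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            value = b" *"
        kept.append(name + b":" + value)
    return hashlib.sha256(b"\r\n".join(kept)).hexdigest()[:16]

def flood_signatures(requests, min_repeats=3):
    """requests: iterable of (src_ip, raw_request). Returns
    {fingerprint: {ip: count}} for IPs repeating one request >= min_repeats."""
    per_ip = defaultdict(Counter)
    for ip, raw in requests:
        per_ip[ip][fingerprint(raw)] += 1
    sigs = defaultdict(dict)
    for ip, counts in per_ip.items():
        for fp, n in counts.items():
            if n >= min_repeats:
                sigs[fp][ip] = n
    return dict(sigs)

def bot(host: bytes) -> bytes:
    # Constructed request shaped like the dump quoted in the thread.
    return (b"GET / HTTP/1.1\r\nAccept: */*\r\nAccept-language: en-us\r\n"
            b"User-agent: ExampleBot/1.0\r\nHost: " + host +
            b"\r\nConnection: Keep-Alive\r\n\r\n")

def browser(path: bytes) -> bytes:
    # Constructed ordinary request used as non-flood background traffic.
    return (b"GET " + path + b" HTTP/1.1\r\nHost: a.example\r\n"
            b"User-Agent: ExampleBrowser/1.0\r\nAccept: text/html\r\n\r\n")

# Constructed sample capture; addresses are documentation ranges.
SAMPLE = ([("192.0.2.10", bot(b"a.example"))] * 5
          + [("198.51.100.7", bot(b"b.example"))] * 4
          + [("203.0.113.5", browser(b"/")), ("203.0.113.5", browser(b"/style.css"))])

if __name__ == "__main__":
    for fp, ips in flood_signatures(SAMPLE).items():
        print(f"signature {fp}: {len(ips)} sources, {sum(ips.values())} requests")
        for ip, n in sorted(ips.items()):
            print(f"  IP: {ip}, many identical requests: {n}")
```

Two sources that share one fingerprint while targeting different hosts are candidates for the same botnet template; the background client never repeats a request often enough to be listed.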