Interesting Point of view - Russian police and RIPE accused of aiding RBN

Jeffrey Lyon jeffrey.lyon at blacklotus.net
Sun Nov 8 14:01:57 CST 2009


Kanak,

We're not a Staminus reseller. Please do your homework:
http://webtrace.info/asn/32421 .

I'm not going to hold court on whether or not you or your resellers
are DDoSing competitor's customers, I was merely stating my opinion.
The reader can draw their own conclusion. I think your network is
blackhat, you say it's not. I say your entire network has minimal
legitimate traffic and you say you have a diverse customer base. The
way I see it right now:

- You're an anonymous BVI company with no physical location
- This Computerworld article is referring to Akrino:
http://www.computerworld.com/s/article/9063418/Russian_hosting_network_running_a_protection_racket_researcher_says.
I was consulted on this article before it went to print and i'll put
my reputation on that.
- All of the sites on Akrino around early 2008 were on NEAVE LIMITED
until shutdown by uplink Eltel. They all came back up under Akrino
uplink to Anders (AS39792).
- 91.202.60.0/22 has one actual company with legitimate commercially
necessary traffic (will provide a full report if you want to push the
issue) yet is responsible for hundreds of malware infections over the
past 6 months (see again,
http://google.com/safebrowsing/diagnostic?site=AS:44571 )
-- The aforementioned company (solidtrustpay.com) was a Black Lotus
customer and had received several days of multi-Gbps DDoS that
subsided only once the customer agreed to use your network
--- Post-DDoS the customer's server began receiving SSH connections
from some former Soviet country (forget which offhand) trying to debug
a reverse proxy (not sure if you/they realize that we filter your
announcements). In the real world DDoS does not stop just hours before
the gaining host goes to setup a proxy.
- The attacks you claim to be filtering would not be possible unless
your connection to AS39792 is 10GE or they're doing the filters for
you.
- The above has occurred at least three times with Akrino, zero times
with better known, respected providers.
- A handful of respected net ops have contacted me off list to confirm
much of this data and provide additional evidence.

Again, these are merely *opinions* and form the foundation of why I
believe Akrino is a black hat network. Perhaps if you didn't have
black hat resellers you wouldn't have this reputation? Maybe you
should reconsider who you allow to resell your network? I don't know
for certain but you need to clean up your network so you don't end up
like Atrivo. Clean up now and everyone wins.

Jeff



On Sun, Nov 8, 2009 at 5:27 AM, noc acrino <noc.akrino at gmail.com> wrote:
> 2009/11/6 Jeffrey Lyon <jeffrey.lyon at blacklotus.net>
>>
>>  The primary issue is that we receive a fair
>> deal of customers who end up with wide scale DDoS attacks followed by
>> an offer for "protection" to move to your network. In almost every
>> case the attacks cease once the customer has agreed to pay this
>> "protection" fee. Every one of these attacks was nearly identical in
>> signature.
>
> By the way, Jeffrey, we can provide reports on HTTP-flood because our system
> builds it's signatures on http traffic dumps like
>
> === IP: 88.246.76.65, last receiving time: 2009-10-25T23:07:37+03:00, many
> identical requests (length 198):
> GET / HTTP/1.1
> Accept: */*
> Accept-language: en-us
> User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1)
> Gecko/20061204 Firefox/2.0.0.1
> Host: [censored]
> Connection: Keep-Alive
>
> So using this info we can map botnets, learn different attacks and in
> collaboration with ISPs - find CCs of new botnets. And what are your
> accusations of the identical signatures based on when simple Staminus
> resellers (like you are) do not have access to their signatures database?
>
> Kanak
>
> Akrino Abuse Team
>



-- 
Jeffrey Lyon, Leadership Team
jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."




More information about the NANOG mailing list