Interesting Point of view - Russian police and RIPE accused of aiding RBN

Jeffrey Lyon jeffrey.lyon at
Sun Nov 8 20:01:57 UTC 2009


We're not a Staminus reseller. Please do your homework: .

I'm not going to hold court on whether or not you or your resellers
are DDoSing competitors' customers, I was merely stating my opinion.
The reader can draw their own conclusion. I think your network is
blackhat, you say it's not. I say your entire network has minimal
legitimate traffic and you say you have a diverse customer base. The
way I see it right now:

- You're an anonymous BVI company with no physical location
- This Computerworld article is referring to Akrino:
I was consulted on this article before it went to print and I'll put
my reputation on that.
- All of the sites on Akrino around early 2008 were on NEAVE LIMITED
until shutdown by uplink Eltel. They all came back up under Akrino
uplink to Anders (AS39792).
- has one actual company with legitimate commercially
necessary traffic (will provide a full report if you want to push the
issue) yet is responsible for hundreds of malware infections over the
past 6 months (see again, )
-- The aforementioned company ( was a Black Lotus
customer and had received several days of multi-Gbps DDoS that
subsided only once the customer agreed to use your network
--- Post-DDoS the customer's server began receiving SSH connections
from some former Soviet country (forget which offhand) trying to debug
a reverse proxy (not sure if you/they realize that we filter your
announcements). In the real world DDoS does not stop just hours before
the gaining host goes to set up a proxy.
- The attacks you claim to be filtering would not be possible unless
your connection to AS39792 is 10GE or they're doing the filters for
- The above has occurred at least three times with Akrino, zero times
with better known, respected providers.
- A handful of respected net ops have contacted me off list to confirm
much of this data and provide additional evidence.

Again, these are merely *opinions* and form the foundation of why I
believe Akrino is a black hat network. Perhaps if you didn't have
black hat resellers you wouldn't have this reputation? Maybe you
should reconsider who you allow to resell your network? I don't know
for certain but you need to clean up your network so you don't end up
like Atrivo. Clean up now and everyone wins.


On Sun, Nov 8, 2009 at 5:27 AM, noc acrino <noc.akrino at> wrote:
> 2009/11/6 Jeffrey Lyon <jeffrey.lyon at>
>>  The primary issue is that we receive a fair
>> deal of customers who end up with wide scale DDoS attacks followed by
>> an offer for "protection" to move to your network. In almost every
>> case the attacks cease once the customer has agreed to pay this
>> "protection" fee. Every one of these attacks was nearly identical in
>> signature.
> By the way, Jeffrey, we can provide reports on HTTP-flood because our system
> builds its signatures on http traffic dumps like
> === IP:, last receiving time: 2009-10-25T23:07:37+03:00, many
> identical requests (length 198):
> GET / HTTP/1.1
> Accept: */*
> Accept-language: en-us
> User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:
> Gecko/20061204 Firefox/
> Host: [censored]
> Connection: Keep-Alive
> So using this info we can map botnets, learn different attacks and in
> collaboration with ISPs - find CCs of new botnets. And what are your
> accusations of the identical signatures based on when simple Staminus
> resellers (like you are) do not have access to their signatures database?
> Kanak
> Akrino Abuse Team

Jeffrey Lyon, Leadership Team
jeffrey.lyon at |
Black Lotus Communications of The IRC Company, Inc.

Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 -
21 to find out how to "protect your booty."
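
The quoted reply above describes building HTTP-flood signatures from traffic dumps ("many identical requests (length 198)") and using them to map botnets. A minimal sketch of that idea follows, as an added example that is not code from either party in this thread; the capture, the addresses (documentation ranges), the header values and the repeat threshold are all constructed assumptions.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed request, modelled on the dump layout quoted above (values are made up).
FLOOD_REQ = (b"GET / HTTP/1.1\r\nAccept: */*\r\nAccept-language: en-us\r\n"
             b"User-agent: ExampleAgent/1.0\r\nHost: site.example\r\n"
             b"Connection: Keep-Alive\r\n\r\n")

def sample_capture():
    """Constructed (source IP, raw request) pairs; IPs are documentation ranges."""
    capture = []
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7"):
        capture += [(ip, FLOOD_REQ)] * 20          # byte-identical repeats
    for path in ("/", "/news", "/img/a.png", "/css/site.css", "/about", "/faq"):
        req = b"GET " + path.encode() + b" HTTP/1.1\r\nHost: site.example\r\n\r\n"
        capture.append(("203.0.113.5", req))       # ordinary browsing, varied requests
    return capture

def fingerprint(raw):
    """Signature of one request: truncated SHA-256 of the raw bytes plus length."""
    return hashlib.sha256(raw).hexdigest()[:16], len(raw)

def flag_sources(capture, min_repeats=10):
    """Return {ip: (digest, length, count)} for sources repeating one identical request."""
    per_ip = defaultdict(Counter)
    for ip, raw in capture:
        per_ip[ip][fingerprint(raw)] += 1
    flagged = {}
    for ip, counts in per_ip.items():
        (digest, length), n = counts.most_common(1)[0]
        if n >= min_repeats:
            flagged[ip] = (digest, length, n)
    return flagged

def cluster_by_signature(flagged):
    """Group flagged sources sharing a signature: candidate members of one botnet."""
    clusters = defaultdict(set)
    for ip, (digest, length, _count) in flagged.items():
        clusters[(digest, length)].add(ip)
    return dict(clusters)

if __name__ == "__main__":
    flagged = flag_sources(sample_capture())
    for (digest, length), ips in cluster_by_signature(flagged).items():
        print(f"signature {digest} (length {length}): {sorted(ips)}")
```

Exact-byte matching only catches floods that repeat one request verbatim; a source that varies any header or path between requests falls outside this signature.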
