"Defensive" BGP hijacking?
cb.list6 at gmail.com
Tue Sep 13 16:22:29 UTC 2016
On Tuesday, September 13, 2016, Bryant Townsend <bryant at backconnect.com> wrote:
> Hello Everyone,
> I would like to give as much insight as I can in regards to the BGP hijack
> being discussed in this thread. I won’t be going into specific details of
> the attack, but we do plan to release more information on our website when
> we are able to. I also wanted to let Hugo (who started the thread) know
> that we harbor no hard feelings about bringing this topic up, as it is
> relevant to the community and does warrant discussion. Hugo, you may owe me
> a beer the next time we meet. :)
> We agree with others that NANOG is the most appropriate venue to answer any
> questions and discuss the topic at hand. I have been attending NANOG for
> the past 3-4 years, and I can assure you that it is of the utmost
> importance to me how the community views my company, my employees, and
> myself. There are many people in this community that I personally have the
> utmost respect for, and it would sadden me if I were to lose the respect of
> mentors, colleagues, and friends by not responding. That being said, I
> think there are a fair number of people in NANOG that would vouch for my
> character and ethics relating to the intent of my actions, even if I were
> to remain silent. I would also like to preface that my explanation of the
> events that occurred and actions taken by BackConnect are not to justify or
> provide excuses. My goal is to simply show what happened and give insight
> into our actions.
> I will start with a little background to bring anyone up to speed that is
> not aware of the events that transpired.
> *About the company, BackConnect, Inc.*: We are a new (~4 months old)
> open-sourced based DDoS mitigation and network security provider that
> specializes in custom intrusion detection and prevention systems. We also
> provide threat intelligence services, with an emphasis on active botnets,
> new and upcoming DDoS attack patterns, and booter services. From time to
> time, this information flows through our network for collection purposes.
> *Events leading to the Hijack*: On 9/6/2016, ~10:30AM PST, one of our
> clients and our website received a large and relatively sophisticated DDoS
> attack. The attack targeted entire subnets and peaked over 200 Gbps and
> 40Mpps. Although the attack was automatically detected and mostly filtered,
> there was initially a small leak. In response we quickly applied new
> security rules that rendered it entirely ineffective. The attackers
> continued to attack our network and client for roughly 6 hours before
> giving up.
> *Events that caused us to perform the BGP hijack*: After the DDoS attacks
> subsided, the attackers started to harass us by calling in using spoofed
> phone numbers. Curious as to what this was all about, we fielded various calls
> which allowed us to ascertain who was behind the attacks by correlating
> e-mails with the information they provided over the phone. Throughout the
> day and late into the night, these calls and threats continued to increase
> in number. Throughout these calls we noticed an increasing trend of them
> bringing up personal information of myself and employees. At this point I
> personally filed a police report in preparation for a possible SWATing
> attempt. As they continued to harass our company, more and more red flags
> indicated that I would soon be targeted. This was the point where I decided
> I needed to go on the offensive to protect myself, my partner, visiting
> family, and my employees. The actions proved to be extremely effective, as
> all forms of harassment and threats from the attackers immediately stopped.
> In addition to our main objective, we were able to collect intelligence on
> the actors behind the botnet as well as identify the attack servers used
> by the booter service.
> *Afterthoughts*: The decision to hijack the attackers' IP space was not
> something I took lightly. I was fully aware there were services that
> reported such actions and knew that this could potentially be brought up in
> discussion and hurt BackConnect’s image. Even though we had the capacity to
> hide our actions, we felt that it would be wrong to do so. I have spent a
> long time reflecting on my decision and how it may negatively impact the
> company and myself in some people’s eyes, but ultimately I stand by it. The
> experience and feedback I have gained from these events have proven
> invaluable and will be used to shape the policies surrounding the future
> handling of similar situations. I am happy to field questions, but cannot
> promise any answers, disclosure of further information, or when they will
> be responded to.
> Bryant Townsend
Will you do the bgp hijacking in the future: yes or no?