"Defensive" BGP hijacking?
mlfreita at mtu.edu
Tue Sep 13 18:25:36 UTC 2016
+1 to this question.
Bryant, thanks for giving us your side of this story.
Network Engineer I
Michigan Technological University
(906) 487-3696 <%28906%29%20487-3696>
On Tue, Sep 13, 2016 at 12:22 PM, Ca By <cb.list6 at gmail.com> wrote:
> On Tuesday, September 13, 2016, Bryant Townsend <bryant at backconnect.com>
> > Hello Everyone,
> > I would like to give as much insight as I can in regards to the BGP
> > being discussed in this thread. I won’t be going into specific details of
> > the attack, but we do plan to release more information on our website
> > we are able to. I also wanted to let Hugo (who started the thread) know
> > that we harbor no hard feelings about bringing this topic up, as it is
> > relevant to the community and does warrant discussion. Hugo, you may owe
> > a beer the next time we meet. :)
> > We agree with others that NANOG is the most appropriate venue to answer
> > questions and discuss the topic at hand. I have been attending NANOG for
> > the past 3-4 years, and I can assure you that it is of the utmost
> > importance to me how the community views my company, my employees, and
> > myself. There are many people in this community that I personally have
> > upmost respect for, and it would sadden me If I were to lose the respect
> > mentors, colleagues, and friends by not responding. That being said, I
> > think there are a fair number of people in NANOG that would vouch for my
> > character and ethics relating to the intent of my actions, even if I were
> > to remain silent. I would also like to preface that my explanation of
> > events that occurred and actions taken by BackConnect are not to justify
> > provide excuses. My goal is to simply show what happened and give insight
> > into our actions.
> > I will start with a little background to bring anyone up to speed that is
> > not aware of the events that transpired.
> > *About the company, BackConnect, Inc.*: We are a new (~4 months old)
> > open-sourced based DDoS mitigation and network security provider that
> > specializes in custom intrusion detection and prevention systems. We also
> > provide threat intelligence services, with an emphasis on active botnets,
> > new and upcoming DDoS attack patterns, and boot services. From time to
> > time, this information flows through our network for collection purposes.
> > *Events leading to the Hijack*: On 9/6/2016, ~10:30AM PST, one of our
> > clients and our website received a large and relatively sophisticated
> > attack. The attack targeted entire subnets and peaked over 200 Gbps and
> > 40Mpps. Although the attack was automatically detected and mostly
> > there was initially a small leak. In response we quickly applied new
> > security rules that rendered it entirely ineffective. The attackers
> > continued to attack our network and client for roughly 6 hours before
> > giving up.
> > *Events that caused us to perform the BGP hijack*: After the DDoS attacks
> > subsided, the attackers started to harass us by calling in using spoofed
> > phone numbers. Curious to what this was all about, we fielded various
> > which allowed us to ascertain who was behind the attacks by correlating
> > e-mails with the information they provided over the phone. Throughout the
> > day and late into the night, these calls and threats continued to
> > in number. Throughout these calls we noticed an increasing trend of them
> > bringing up personal information of myself and employees. At this point I
> > personally filled a police report in preparation to a possible SWATing
> > attempt. As they continued to harass our company, more and more red
> > indicated that I would soon be targeted. This was the point where I
> > I needed to go on the offensive to protect myself, my partner, visiting
> > family, and my employees. The actions proved to be extremely effective,
> > all forms of harassment and threats from the attackers immediately
> > In addition to our main objective, we were able to collect intelligence
> > the actors behind the bot net as well as identify the attack servers used
> > by the booter service.
> > *Afterthoughts*: The decision to hijack the attackers IP space was not
> > something I took lightly. I was fully aware there were services that
> > reported such actions and knew that this could potentially be brought up
> > discussion and hurt BackConnect’s image. Even though we had the capacity
> > hide our actions, we felt that it would be wrong to do so. I have spent a
> > long time reflecting on my decision and how it may negatively impact the
> > company and myself in some people’s eyes, but ultimately I stand by it.
> > experience and feedback I have gained from these events has proven
> > invaluable and will be used to shape the policies surrounding the future
> > handling of similar situations. I am happy to field questions, but cannot
> > promise any answers, disclosure of further information, or when they will
> > be responded to.
> > Sincerely,
> > Bryant Townsend
> Will you do the bgp hijacking in the future: yes or no?
More information about the NANOG