"Defensive" BGP hijacking?
sryan at arbor.net
Tue Sep 13 18:28:19 UTC 2016
What would you have done if the personal harassment didn't stop? What would you have done if they simply switched to a new source range/different set of bots?
Seems like a very slippery slope to me.
Spencer Ryan | Senior Systems Administrator | sryan at arbor.net<mailto:sryan at arbor.net>
+1.734.794.5033 (d) | +1.734.846.2053 (m)
From: NANOG <nanog-bounces at nanog.org> on behalf of Bryant Townsend <bryant at backconnect.com>
Sent: Tuesday, September 13, 2016 3:22:43 AM
To: nanog at nanog.org
Subject: Re: "Defensive" BGP hijacking?
I would like to give as much insight as I can in regards to the BGP hijack
being discussed in this thread. I won’t be going into specific details of
the attack, but we do plan to release more information on our website when
we are able to. I also wanted to let Hugo (who started the thread) know
that we harbor no hard feelings about bringing this topic up, as it is
relevant to the community and does warrant discussion. Hugo, you may owe me
a beer the next time we meet. :)
We agree with others that NANOG is the most appropriate venue to answer any
questions and discuss the topic at hand. I have been attending NANOG for
the past 3-4 years, and I can assure you that it is of the utmost
importance to me how the community views my company, my employees, and
myself. There are many people in this community that I personally have the
utmost respect for, and it would sadden me if I were to lose the respect of
mentors, colleagues, and friends by not responding. That being said, I
think there are a fair number of people in NANOG that would vouch for my
character and ethics relating to the intent of my actions, even if I were
to remain silent. I would also like to preface that my explanation of the
events that occurred and actions taken by BackConnect are not to justify or
provide excuses. My goal is to simply show what happened and give insight
into our actions.
I will start with a little background to bring anyone up to speed that is
not aware of the events that transpired.
*About the company, BackConnect, Inc.*: We are a new (~4 months old)
open-source-based DDoS mitigation and network security provider that
specializes in custom intrusion detection and prevention systems. We also
provide threat intelligence services, with an emphasis on active botnets,
new and upcoming DDoS attack patterns, and booter services. From time to
time, this information flows through our network for collection purposes.
*Events leading to the Hijack*: On 9/6/2016, ~10:30AM PST, one of our
clients and our website received a large and relatively sophisticated DDoS
attack. The attack targeted entire subnets and peaked over 200 Gbps and
40Mpps. Although the attack was automatically detected and mostly filtered,
there was initially a small leak. In response we quickly applied new
security rules that rendered it entirely ineffective. The attackers
continued to attack our network and client for roughly 6 hours before
*Events that caused us to perform the BGP hijack*: After the DDoS attacks
subsided, the attackers started to harass us by calling in using spoofed
phone numbers. Curious as to what this was all about, we fielded various calls
which allowed us to ascertain who was behind the attacks by correlating
e-mails with the information they provided over the phone. Throughout the
day and late into the night, these calls and threats continued to increase
in number. Throughout these calls we noticed an increasing trend of them
bringing up personal information of myself and employees. At this point I
personally filed a police report in preparation for a possible SWATing
attempt. As they continued to harass our company, more and more red flags
indicated that I would soon be targeted. This was the point where I decided
I needed to go on the offensive to protect myself, my partner, visiting
family, and my employees. The actions proved to be extremely effective, as
all forms of harassment and threats from the attackers immediately stopped.
In addition to our main objective, we were able to collect intelligence on
the actors behind the botnet as well as identify the attack servers used
by the booter service.
*Afterthoughts*: The decision to hijack the attackers' IP space was not
something I took lightly. I was fully aware there were services that
reported such actions and knew that this could potentially be brought up in
discussion and hurt BackConnect’s image. Even though we had the capacity to
hide our actions, we felt that it would be wrong to do so. I have spent a
long time reflecting on my decision and how it may negatively impact the
company and myself in some people’s eyes, but ultimately I stand by it. The
experience and feedback I have gained from these events has proven
invaluable and will be used to shape the policies surrounding the future
handling of similar situations. I am happy to field questions, but cannot
promise any answers, disclosure of further information, or when they will
be responded to.