"Defensive" BGP hijacking?

Bryant Townsend bryant at backconnect.com
Wed Sep 21 04:28:50 UTC 2016


Hello,

We wanted to clarify that we are not the ones behind these attacks and we
were not the ones behind the previous hijackings. We have also been the
targets of DDoS attacks reaching up to 200+ Gbps (~20 times a day), every
day since Krebs' original article that included our name. We believe these
attacks are coming from vDOS past customers and other botnets that used the
vDOS service for launching and selling attacks. We have also been targeted
with what seems to be multiple e-mail list bombs in attempts to delay our
response time. As I mentioned before, NANOG's trust means everything in
this industry and we want to be able to answer as much as we can.

Sincerely,
Bryant Townsend

On Tue, Sep 20, 2016 at 8:28 PM, Tom Beecher <beecher at beecher.cc> wrote:

> Brian Krebs tweeted out that Prolexic reported a 665Gbps attack directed at
> his site.
>
> https://twitter.com/briankrebs/status/778398865619836928
>
> On Tue, Sep 20, 2016 at 11:21 PM, Mel Beckman <mel at beckman.org> wrote:
>
> > While I was reading the krebsonsecurity.com article cited below, the
> > site, hosted at Akamai address 72.52.7.144, became non responsive and now
> > appears to be offline. Traceroutes stop before the Akamai-SWIPed border
> > within Telia, as if blackholed (but adjacent IPs pass through to Akamai):
> >
> > traceroute to krebsonsecurity.com (72.52.7.144), 64 hops max, 40 byte packets
> >  1  router1.sb.becknet.com (206.83.0.1)  0.771 ms  0.580 ms  0.342 ms
> >  2  206-190-77-9.static.twtelecom.net (206.190.77.9)  0.715 ms  1.026 ms  0.744 ms
> >  3  ae1-90g.ar7.lax1.gblx.net (67.17.75.18)  9.532 ms  6.567 ms  2.912 ms
> >  4  ae10.edge1.losangeles9.level3.net (4.68.111.21)  2.919 ms  2.925 ms  2.904 ms
> >  5  telia-level3-4x10g.losangeles.level3.net (4.68.70.130)  3.981 ms  3.567 ms  3.401 ms
> >  6  sjo-b21-link.telia.net (62.115.116.40)  11.209 ms  11.140 ms  11.161 ms
> >  7  * * *
> >  8  * * *
> >  9  * * *
> > 10  * * *
> >
> > Weird coincidence?
> >
> >  -mel beckman
> >
> > > On Sep 20, 2016, at 6:46 PM, Hugo Slabbert <hugo at slabnet.com> wrote:
> > >
> > > Lucy, you got some (*serious*) 'splainin to do...
> > >
> > > http://research.dyn.com/2016/09/backconnects-suspicious-bgp-hijacks/
> > > http://krebsonsecurity.com/2016/09/ddos-mitigation-firm-has-history-of-hijacks/
> > >
> > > --
> > > Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
> > > pgp key: B178313E   | also on Signal
> > >
> > >> On Sun 2016-Sep-18 22:25:44 -0400, Tom Beecher <beecher at beecher.cc> wrote:
> > >>
> > >> So after reading your explanation of things...
> > >>
> > >> Your technical protections for your client proved sufficient to handle the
> > >> attack. You took OFFENSIVE action by hijacking the IP space. By your own
> > >> statements, it was only in response to threats against your company. You
> > >> were no longer providing DDoS protection to a client. You were exacting a
> > >> vendetta against someone who was being MEAN to you. Even if that person
> > >> probably deserved it, you still cannot do what was done.
> > >>
> > >> I appreciate the desire to want to protect friends and family from
> > >> anonymous threats, and also realize how ill equipped law enforcement
> > >> usually is while something like this is occurring.
> > >>
> > >> However, in my view, by taking the action you did, you have shown your
> > >> company isn't ready to be operating in the security space. Being threatened
> > >> by bad actors is a nominal part of doing business in the security space.
> > >> Unfortunately you didn't handle it well, and I think that will stick to you
> > >> for a long time.
> > >>
> > >> On Tue, Sep 13, 2016 at 3:29 PM, Bryant Townsend <bryant at backconnect.com> wrote:
> > >>
> > >>> @ca & Matt - No, we do not plan to ever intentionally perform a
> > >>> non-authorized BGP hijack in the future.
> > >>>
> > >>> @Steve - Correct, the attack had already been mitigated. The decision to
> > >>> hijack the attackers IP space was to deal with their threats, which if
> > >>> carried through could have potentially led to physical harm. Although the
> > >>> hijack gave us a unique insight into the attackers services, it was not a
> > >>> factor that influenced my decision.
> > >>>
> > >>> @Blake & Mel - We will likely cover some of these questions in a future
> > >>> blog post.
> > >>>
> >
>


