On Tuesday, September 13, 2016, Bryant Townsend <bry...@backconnect.com> wrote:
> Hello Everyone,
>
> I would like to give as much insight as I can in regards to the BGP hijack being discussed in this thread. I won't be going into specific details of the attack, but we do plan to release more information on our website when we are able to. I also wanted to let Hugo (who started the thread) know that we harbor no hard feelings about bringing this topic up, as it is relevant to the community and does warrant discussion. Hugo, you may owe me a beer the next time we meet. :)
>
> We agree with others that NANOG is the most appropriate venue to answer any questions and discuss the topic at hand. I have been attending NANOG for the past 3-4 years, and I can assure you that it is of the utmost importance to me how the community views my company, my employees, and myself. There are many people in this community that I personally have the utmost respect for, and it would sadden me if I were to lose the respect of mentors, colleagues, and friends by not responding. That being said, I think there are a fair number of people in NANOG that would vouch for my character and ethics relating to the intent of my actions, even if I were to remain silent. I would also like to preface that my explanation of the events that occurred and actions taken by BackConnect are not to justify or provide excuses. My goal is simply to show what happened and give insight into our actions.
>
> I will start with a little background to bring anyone up to speed that is not aware of the events that transpired.
>
> *About the company, BackConnect, Inc.*: We are a new (~4 months old) open-source based DDoS mitigation and network security provider that specializes in custom intrusion detection and prevention systems. We also provide threat intelligence services, with an emphasis on active botnets, new and upcoming DDoS attack patterns, and booter services. From time to time, this information flows through our network for collection purposes.
>
> *Events leading to the Hijack*: On 9/6/2016, ~10:30AM PST, one of our clients and our website received a large and relatively sophisticated DDoS attack. The attack targeted entire subnets and peaked over 200 Gbps and 40 Mpps. Although the attack was automatically detected and mostly filtered, there was initially a small leak. In response we quickly applied new security rules that rendered it entirely ineffective. The attackers continued to attack our network and client for roughly 6 hours before giving up.
>
> *Events that caused us to perform the BGP hijack*: After the DDoS attacks subsided, the attackers started to harass us by calling in using spoofed phone numbers. Curious as to what this was all about, we fielded various calls, which allowed us to ascertain who was behind the attacks by correlating e-mails with the information they provided over the phone. Throughout the day and late into the night, these calls and threats continued to increase in number. Throughout these calls we noticed an increasing trend of them bringing up personal information of myself and employees. At this point I personally filed a police report in preparation for a possible SWATing attempt. As they continued to harass our company, more and more red flags indicated that I would soon be targeted. This was the point where I decided I needed to go on the offensive to protect myself, my partner, visiting family, and my employees. The actions proved to be extremely effective, as all forms of harassment and threats from the attackers immediately stopped. In addition to our main objective, we were able to collect intelligence on the actors behind the botnet as well as identify the attack servers used by the booter service.
>
> *Afterthoughts*: The decision to hijack the attackers' IP space was not something I took lightly. I was fully aware there were services that reported such actions and knew that this could potentially be brought up in discussion and hurt BackConnect's image. Even though we had the capacity to hide our actions, we felt that it would be wrong to do so. I have spent a long time reflecting on my decision and how it may negatively impact the company and myself in some people's eyes, but ultimately I stand by it. The experience and feedback I have gained from these events have proven invaluable and will be used to shape the policies surrounding the future handling of similar situations. I am happy to field questions, but cannot promise any answers, disclosure of further information, or when they will be responded to.
>
> Sincerely,
>
> Bryant Townsend

Will you do the BGP hijacking in the future: yes or no? Thanks!