+1 to this question. Bryant, thanks for giving us your side of this story.
Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.it.mtu.edu/

On Tue, Sep 13, 2016 at 12:22 PM, Ca By <cb.li...@gmail.com> wrote:

> On Tuesday, September 13, 2016, Bryant Townsend <bry...@backconnect.com> wrote:
>
> > Hello Everyone,
> >
> > I would like to give as much insight as I can in regards to the BGP hijack being discussed in this thread. I won't be going into specific details of the attack, but we do plan to release more information on our website when we are able to. I also wanted to let Hugo (who started the thread) know that we harbor no hard feelings about bringing this topic up, as it is relevant to the community and does warrant discussion. Hugo, you may owe me a beer the next time we meet. :)
> >
> > We agree with others that NANOG is the most appropriate venue to answer any questions and discuss the topic at hand. I have been attending NANOG for the past 3-4 years, and I can assure you that it is of the utmost importance to me how the community views my company, my employees, and myself. There are many people in this community that I personally have the utmost respect for, and it would sadden me if I were to lose the respect of mentors, colleagues, and friends by not responding. That being said, I think there are a fair number of people in NANOG that would vouch for my character and ethics relating to the intent of my actions, even if I were to remain silent. I would also like to preface that my explanation of the events that occurred and actions taken by BackConnect are not to justify or provide excuses. My goal is to simply show what happened and give insight into our actions.
> >
> > I will start with a little background to bring anyone up to speed that is not aware of the events that transpired.
> >
> > *About the company, BackConnect, Inc.*: We are a new (~4 months old) open-source based DDoS mitigation and network security provider that specializes in custom intrusion detection and prevention systems. We also provide threat intelligence services, with an emphasis on active botnets, new and upcoming DDoS attack patterns, and booter services. From time to time, this information flows through our network for collection purposes.
> >
> > *Events leading to the Hijack*: On 9/6/2016, ~10:30AM PST, one of our clients and our website received a large and relatively sophisticated DDoS attack. The attack targeted entire subnets and peaked over 200 Gbps and 40 Mpps. Although the attack was automatically detected and mostly filtered, there was initially a small leak. In response we quickly applied new security rules that rendered it entirely ineffective. The attackers continued to attack our network and client for roughly 6 hours before giving up.
> >
> > *Events that caused us to perform the BGP hijack*: After the DDoS attacks subsided, the attackers started to harass us by calling in using spoofed phone numbers. Curious as to what this was all about, we fielded various calls, which allowed us to ascertain who was behind the attacks by correlating e-mails with the information they provided over the phone. Throughout the day and late into the night, these calls and threats continued to increase in number. Throughout these calls we noticed an increasing trend of them bringing up personal information of myself and employees. At this point I personally filed a police report in preparation for a possible SWATing attempt. As they continued to harass our company, more and more red flags indicated that I would soon be targeted. This was the point where I decided I needed to go on the offensive to protect myself, my partner, visiting family, and my employees.
> >
> > The actions proved to be extremely effective, as all forms of harassment and threats from the attackers immediately stopped. In addition to our main objective, we were able to collect intelligence on the actors behind the botnet as well as identify the attack servers used by the booter service.
> >
> > *Afterthoughts*: The decision to hijack the attackers' IP space was not something I took lightly. I was fully aware there were services that reported such actions and knew that this could potentially be brought up in discussion and hurt BackConnect's image. Even though we had the capacity to hide our actions, we felt that it would be wrong to do so. I have spent a long time reflecting on my decision and how it may negatively impact the company and myself in some people's eyes, but ultimately I stand by it. The experience and feedback I have gained from these events have proven invaluable and will be used to shape the policies surrounding the future handling of similar situations. I am happy to field questions, but cannot promise any answers, disclosure of further information, or when they will be responded to.
> >
> > Sincerely,
> >
> > Bryant Townsend
>
> Will you do the bgp hijacking in the future: yes or no?
>
> Thanks!