[191410] in North American Network Operators' Group


Re: "Defensive" BGP hijacking?

daemon@ATHENA.MIT.EDU (Matt Freitag)
Tue Sep 13 14:25:54 2016

X-Original-To: nanog@nanog.org
In-Reply-To: <CAD6AjGSvpiGYfD-=pBM43Dja8LZTq8vdSmgfu+_yPF+qtMGuvQ@mail.gmail.com>
From: Matt Freitag <mlfreita@mtu.edu>
Date: Tue, 13 Sep 2016 14:25:36 -0400
To: Ca By <cb.list6@gmail.com>
Reply-To: mlfreita@mtu.edu
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

+1 to this question.

Bryant, thanks for giving us your side of this story.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.it.mtu.edu/

On Tue, Sep 13, 2016 at 12:22 PM, Ca By <cb.list6@gmail.com> wrote:

> On Tuesday, September 13, 2016, Bryant Townsend <bryant@backconnect.com> wrote:
>
> > Hello Everyone,
> >
> > I would like to give as much insight as I can in regards to the BGP hijack
> > being discussed in this thread. I won’t be going into specific details of
> > the attack, but we do plan to release more information on our website when
> > we are able to. I also wanted to let Hugo (who started the thread) know
> > that we harbor no hard feelings about bringing this topic up, as it is
> > relevant to the community and does warrant discussion. Hugo, you may owe me
> > a beer the next time we meet. :)
> >
> > We agree with others that NANOG is the most appropriate venue to answer any
> > questions and discuss the topic at hand. I have been attending NANOG for
> > the past 3-4 years, and I can assure you that it is of the utmost
> > importance to me how the community views my company, my employees, and
> > myself. There are many people in this community that I personally have the
> > utmost respect for, and it would sadden me if I were to lose the respect of
> > mentors, colleagues, and friends by not responding. That being said, I
> > think there are a fair number of people in NANOG that would vouch for my
> > character and ethics relating to the intent of my actions, even if I were
> > to remain silent. I would also like to preface that my explanation of the
> > events that occurred and actions taken by BackConnect are not to justify or
> > provide excuses. My goal is to simply show what happened and give insight
> > into our actions.
> >
> > I will start with a little background to bring anyone up to speed that is
> > not aware of the events that transpired.
> >
> > *About the company, BackConnect, Inc.*: We are a new (~4 months old)
> > open-source based DDoS mitigation and network security provider that
> > specializes in custom intrusion detection and prevention systems. We also
> > provide threat intelligence services, with an emphasis on active botnets,
> > new and upcoming DDoS attack patterns, and booter services. From time to
> > time, this information flows through our network for collection purposes.
> >
> > *Events leading to the Hijack*: On 9/6/2016, ~10:30AM PST, one of our
> > clients and our website received a large and relatively sophisticated DDoS
> > attack. The attack targeted entire subnets and peaked over 200 Gbps and
> > 40 Mpps. Although the attack was automatically detected and mostly filtered,
> > there was initially a small leak. In response we quickly applied new
> > security rules that rendered it entirely ineffective. The attackers
> > continued to attack our network and client for roughly 6 hours before
> > giving up.
> >
> > *Events that caused us to perform the BGP hijack*: After the DDoS attacks
> > subsided, the attackers started to harass us by calling in using spoofed
> > phone numbers. Curious as to what this was all about, we fielded various
> > calls which allowed us to ascertain who was behind the attacks by
> > correlating e-mails with the information they provided over the phone.
> > Throughout the day and late into the night, these calls and threats
> > continued to increase in number. Throughout these calls we noticed an
> > increasing trend of them bringing up personal information of myself and
> > employees. At this point I personally filed a police report in preparation
> > for a possible SWATing attempt. As they continued to harass our company,
> > more and more red flags indicated that I would soon be targeted. This was
> > the point where I decided I needed to go on the offensive to protect
> > myself, my partner, visiting family, and my employees. The actions proved
> > to be extremely effective, as all forms of harassment and threats from the
> > attackers immediately stopped. In addition to our main objective, we were
> > able to collect intelligence on the actors behind the botnet as well as
> > identify the attack servers used by the booter service.
> >
> > *Afterthoughts*: The decision to hijack the attackers’ IP space was not
> > something I took lightly. I was fully aware there were services that
> > reported such actions and knew that this could potentially be brought up in
> > discussion and hurt BackConnect’s image. Even though we had the capacity to
> > hide our actions, we felt that it would be wrong to do so. I have spent a
> > long time reflecting on my decision and how it may negatively impact the
> > company and myself in some people’s eyes, but ultimately I stand by it. The
> > experience and feedback I have gained from these events has proven
> > invaluable and will be used to shape the policies surrounding the future
> > handling of similar situations. I am happy to field questions, but cannot
> > promise any answers, disclosure of further information, or when they will
> > be responded to.
> >
> > Sincerely,
> >
> > Bryant Townsend
>
> Will you do the BGP hijacking in the future: yes or no?
>
> Thanks!
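The incident under discussion is an origin hijack: an AS announcing address space it is not authorised to originate. Bryant's remark that "there were services that reported such actions" refers to route monitoring, and the check such a monitor performs is origin validation of observed announcements against RPKI ROAs. The code below is an added example written for this thread; it is not code from any of the parties or from any monitoring service. It implements the RFC 6811 states (valid / invalid / not-found), including the more-specific case where a prefix longer than the ROA's maxLength is invalid even when the origin AS is the right one. Every prefix, ASN and collector name in it is a constructed documentation value (RFC 5737/3849 prefixes, AS64496-64511) and has no relation to the networks in the incident.

```python
"""RPKI-style origin validation of observed BGP announcements (RFC 6811).

Added example for the NANOG thread on BGP hijacking; all data below is
constructed from documentation prefixes and ASNs, not from the incident.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Validated ROA payload: prefix, maxLength, authorised origin AS."""
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    """One (prefix, origin AS) pair as reported by a route collector."""
    prefix: str
    origin_as: int
    seen_at: str  # constructed collector label, for the report only


def validate(ann: Announcement, roas) -> str:
    """Classify an announcement per RFC 6811.

    covered: some ROA prefix contains the announced prefix.
    matched: covered, announced length <= maxLength, and origin AS equal.
    valid if any ROA matches; invalid if covered but nothing matches;
    not-found if no ROA covers the prefix at all.
    """
    net = ipaddress.ip_network(ann.prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() refuses mixed address families, so check first.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= roa.max_length and ann.origin_as == roa.origin_as:
            return "valid"
    return "invalid" if covered else "not-found"


def suspect_announcements(announcements, roas):
    """Return (announcement, state) for every RPKI-invalid announcement.

    not-found is deliberately excluded: it means the holder has published
    no ROA, which is a coverage gap rather than evidence of a hijack.
    """
    flagged = []
    for ann in announcements:
        state = validate(ann, roas)
        if state == "invalid":
            flagged.append((ann, state))
    return flagged


def report(announcements, roas):
    """Human-readable alert lines for the operator on call."""
    lines = []
    for ann, state in suspect_announcements(announcements, roas):
        lines.append(f"{state.upper()}: {ann.prefix} originated by AS{ann.origin_as} "
                     f"(seen at {ann.seen_at})")
    return lines


# Constructed ROAs: the holder of 192.0.2.0/24 and 2001:db8::/32 authorises
# AS64496 and permits deaggregation down to /24 and /48 respectively.
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("2001:db8::/32", 48, 64496),
]

# Constructed collector feed mixing legitimate routes with two bad ones.
ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", 64496, "collector-a"),   # valid
    Announcement("192.0.2.0/25", 64496, "collector-a"),   # invalid: longer than maxLength
    Announcement("192.0.2.0/24", 64511, "collector-b"),   # invalid: unauthorised origin
    Announcement("2001:db8:1::/48", 64496, "collector-b"),  # valid
    Announcement("198.51.100.0/24", 64500, "collector-a"),  # not-found: no ROA
]

if __name__ == "__main__":
    for line in report(ANNOUNCEMENTS, ROAS):
        print(line)
```

In production the ROA list comes from a validator's VRP export and the announcements from a collector stream; the classification logic is the same. Treating not-found as a separate, non-alerting state matters in practice, because alerting on it would bury the two genuine invalids under every unsigned prefix on the Internet.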
