Kanak,

We're not a Staminus reseller. Please do your homework: http://webtrace.info/asn/32421 . I'm not going to hold court on whether or not you or your resellers are DDoSing competitor's customers, I was merely stating my opinion. The reader can draw their own conclusion. I think your network is blackhat, you say it's not. I say your entire network has minimal legitimate traffic and you say you have a diverse customer base.

The way I see it right now:

- You're an anonymous BVI company with no physical location
- This Computerworld article is referring to Akrino: http://www.computerworld.com/s/article/9063418/Russian_hosting_network_runni.... I was consulted on this article before it went to print and I'll put my reputation on that.
- All of the sites on Akrino around early 2008 were on NEAVE LIMITED until shutdown by uplink Eltel. They all came back up under Akrino uplink to Anders (AS39792).
- 91.202.60.0/22 has one actual company with legitimate commercially necessary traffic (will provide a full report if you want to push the issue) yet is responsible for hundreds of malware infections over the past 6 months (see again, http://google.com/safebrowsing/diagnostic?site=AS:44571 )
  -- The aforementioned company (solidtrustpay.com) was a Black Lotus customer and had received several days of multi-Gbps DDoS that subsided only once the customer agreed to use your network
    --- Post-DDoS the customer's server began receiving SSH connections from some former Soviet country (forget which offhand) trying to debug a reverse proxy (not sure if you/they realize that we filter your announcements). In the real world DDoS does not stop just hours before the gaining host goes to set up a proxy.
- The attacks you claim to be filtering would not be possible unless your connection to AS39792 is 10GE or they're doing the filters for you.
- The above has occurred at least three times with Akrino, zero times with better known, respected providers.
- A handful of respected net ops have contacted me off list to confirm much of this data and provide additional evidence.

Again, these are merely *opinions* and form the foundation of why I believe Akrino is a black hat network. Perhaps if you didn't have black hat resellers you wouldn't have this reputation? Maybe you should reconsider who you allow to resell your network? I don't know for certain but you need to clean up your network so you don't end up like Atrivo. Clean up now and everyone wins.

Jeff

On Sun, Nov 8, 2009 at 5:27 AM, noc acrino <noc.akrino@gmail.com> wrote:
2009/11/6 Jeffrey Lyon <jeffrey.lyon@blacklotus.net>
The primary issue is that we receive a fair deal of customers who end up with wide scale DDoS attacks followed by an offer for "protection" to move to your network. In almost every case the attacks cease once the customer has agreed to pay this "protection" fee. Every one of these attacks was nearly identical in signature.
By the way, Jeffrey, we can provide reports on HTTP-flood because our system builds its signatures on http traffic dumps like
===
IP: 88.246.76.65, last receiving time: 2009-10-25T23:07:37+03:00, many identical requests (length 198):
    GET / HTTP/1.1
    Accept: */*
    Accept-language: en-us
    User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
    Host: [censored]
    Connection: Keep-Alive
So using this info we can map botnets, learn different attacks and in collaboration with ISPs - find CCs of new botnets. And what are your accusations of the identical signatures based on when simple Staminus resellers (like you are) do not have access to their signatures database?
Kanak
Akrino Abuse Team
--
Jeffrey Lyon, Leadership Team
jeffrey.lyon@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.
Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 - 21 to find out how to "protect your booty."