What would you have done if the personal harassment didn't stop? What would you have done if they simply switched to a new source range/different set of bots?

Seems like a very slippery slope to me.

Spencer Ryan | Senior Systems Administrator | sryan@arbor.net
Arbor Networks
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

________________________________
From: NANOG <nanog-bounces@nanog.org> on behalf of Bryant Townsend <bryant@backconnect.com>
Sent: Tuesday, September 13, 2016 3:22:43 AM
To: nanog@nanog.org
Subject: Re: "Defensive" BGP hijacking?

Hello Everyone,

I would like to give as much insight as I can in regards to the BGP hijack being discussed in this thread. I won’t be going into specific details of the attack, but we do plan to release more information on our website when we are able to. I also wanted to let Hugo (who started the thread) know that we harbor no hard feelings about bringing this topic up, as it is relevant to the community and does warrant discussion. Hugo, you may owe me a beer the next time we meet. :)

We agree with others that NANOG is the most appropriate venue to answer any questions and discuss the topic at hand. I have been attending NANOG for the past 3-4 years, and I can assure you that it is of the utmost importance to me how the community views my company, my employees, and myself. There are many people in this community that I personally have the utmost respect for, and it would sadden me if I were to lose the respect of mentors, colleagues, and friends by not responding. That being said, I think there are a fair number of people in NANOG that would vouch for my character and ethics relating to the intent of my actions, even if I were to remain silent.

I would also like to preface that my explanation of the events that occurred and actions taken by BackConnect are not to justify or provide excuses.
My goal is to simply show what happened and give insight into our actions. I will start with a little background to bring anyone up to speed that is not aware of the events that transpired.

*About the company, BackConnect, Inc.*: We are a new (~4 months old) open-sourced based DDoS mitigation and network security provider that specializes in custom intrusion detection and prevention systems. We also provide threat intelligence services, with an emphasis on active botnets, new and upcoming DDoS attack patterns, and boot services. From time to time, this information flows through our network for collection purposes.

*Events leading to the Hijack*: On 9/6/2016, ~10:30 AM PST, one of our clients and our website received a large and relatively sophisticated DDoS attack. The attack targeted entire subnets and peaked over 200 Gbps and 40 Mpps. Although the attack was automatically detected and mostly filtered, there was initially a small leak. In response we quickly applied new security rules that rendered it entirely ineffective. The attackers continued to attack our network and client for roughly 6 hours before giving up.

*Events that caused us to perform the BGP hijack*: After the DDoS attacks subsided, the attackers started to harass us by calling in using spoofed phone numbers. Curious as to what this was all about, we fielded various calls which allowed us to ascertain who was behind the attacks by correlating e-mails with the information they provided over the phone. Throughout the day and late into the night, these calls and threats continued to increase in number. Throughout these calls we noticed an increasing trend of them bringing up personal information of myself and employees. At this point I personally filed a police report in preparation for a possible SWATing attempt. As they continued to harass our company, more and more red flags indicated that I would soon be targeted.
This was the point where I decided I needed to go on the offensive to protect myself, my partner, visiting family, and my employees. The actions proved to be extremely effective, as all forms of harassment and threats from the attackers immediately stopped. In addition to our main objective, we were able to collect intelligence on the actors behind the botnet as well as identify the attack servers used by the booter service.

*Afterthoughts*: The decision to hijack the attackers' IP space was not something I took lightly. I was fully aware there were services that reported such actions and knew that this could potentially be brought up in discussion and hurt BackConnect’s image. Even though we had the capacity to hide our actions, we felt that it would be wrong to do so. I have spent a long time reflecting on my decision and how it may negatively impact the company and myself in some people’s eyes, but ultimately I stand by it. The experience and feedback I have gained from these events have proven invaluable and will be used to shape the policies surrounding the future handling of similar situations.

I am happy to field questions, but cannot promise any answers, disclosure of further information, or when they will be responded to.

Sincerely,

Bryant Townsend