Interesting Point of view - Russian police and RIPE accused of aiding RBN
Greetings!
Let me introduce myself - I, as a part of the support team, represent NOC Akrino, the team responsible for the technical operation of AKRINO Networks, AS44571 (91.202.61.0/21). It's a service network for DDoS-mitigation purposes, using a combination of hardware and self-developed software which allows us to efficiently filter mostly any kind of malicious traffic, providing the white traffic to the client's server. Among our clients there are some e-businesses, e-shops, e-mass media, etc. with critical losses in case of possible DDoS attacks. I'd apply, in case it's necessary, the recommendations of our foreign resellers. Anyway, we have never declared ourselves an abuse-resistant service provider - every abuse sent to the service email "noc.akrino@gmail.com" is investigated and responded to: we can block the exact URLs or even completely block the traffic redirection to the client in case of his abusive network behavior.
We're completely shocked by the declaration that the RBN moved to our AS. We have no affiliation to RBN; the personal data is hidden and can be provided on request just because of our members' personal security - in rare cases we even had those risks (just because our filtration works, cyber criminals often search for other ways of influence upon us, including coercion).
In fact there are some problem clients like some adult sites whose advertising programs could be popular with the spammers, but our policy demands normal network behavior and in case of abuse their advert partner is blocked.
So, if you have any evidence of abusive network behavior of our clients you should send it directly to noc.akrino@gmail.com and we'll respond. If there are any unsolved cases - we'll close them.
Please excuse us if somehow Akrino Networks was the source of problems for you - we'll do our best to prevent it in the future.
And I'll sincerely ask *Jeffrey Lyon* as a representative of the Black Lotus team to clarify his accusations: aren't they connected with the fact that many of your DDoS-protected clients have chosen our reseller Blockdos (blockdos.net) just because our pricing doesn't depend on the amount of attack? As far as I understand it's a question of about $20k/month. Please, tell me if I'm not right.
Thank you.
Kanak
Akrino Abuse Team
Kanak,
It's good to see you here. The primary issue is that we receive a fair deal of customers who end up with wide-scale DDoS attacks followed by an offer for "protection" to move to your network. In almost every case the attacks cease once the customer has agreed to pay this "protection" fee. Every one of these attacks was nearly identical in signature.
A couple of years back we followed up on this and a handful of trusted security analysts who focus on RBN alleged that Akrino was an RBN shill network, thus prompting the spawn of this article: http://www.computerworld.com/s/article/9063418/Russian_hosting_network_runni... . Since first seeing your network arise in early 2008 I've never actually seen anyone claim to own it, and a Google search for your name and ASN was completely devoid of any useful information. The ASN and IP assignment are registered to a BVI offshore corporation that, based on my research, does not seem to correlate to any legitimate commercial activity. All of these things seem to support the Computerworld article.
I would love to be proven wrong on this issue as I do not like to see a good net op ostracized without just cause. Perhaps your reseller(s) are giving you a bad name? Either way I would love to chat, feel free to Skype: blacklotus.net .
Best regards,
Jeff
On Fri, Nov 6, 2009 at 1:20 PM, noc acrino <noc.akrino@gmail.com> wrote:
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications of The IRC Company, Inc. Platinum sponsor of HostingCon 2010. Come to Austin, TX on July 19 - 21 to find out how to "protect your booty."
2009/11/6 Jeffrey Lyon <jeffrey.lyon@blacklotus.net>
The primary issue is that we receive a fair deal of customers who end up with wide scale DDoS attacks followed by an offer for "protection" to move to your network. In almost every case the attacks cease once the customer has agreed to pay this "protection" fee. Every one of these attacks was nearly identical in signature.
By the way, Jeffrey, we can provide reports on HTTP flood because our system builds its signatures on HTTP traffic dumps like
===
IP: 88.246.76.65, last receiving time: 2009-10-25T23:07:37+03:00, many identical requests (length 198):
GET / HTTP/1.1
Accept: */*
Accept-language: en-us
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Host: [censored]
Connection: Keep-Alive
So using this info we can map botnets, learn different attacks and, in collaboration with ISPs, find CCs of new botnets. And what are your accusations of the identical signatures based on, when simple Staminus resellers (like you are) do not have access to their signatures database?
Kanak
Akrino Abuse Team
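As an added illustration (not Akrino's system or code), one way to derive an HTTP-flood signature of the kind quoted above from a request capture: group requests by source address and normalised request text, and report any source that repeats one identical request many times within a short window. The sample capture, its addresses and its timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def normalise(raw):
    """Collapse line endings and trailing spaces so cosmetic differences do not
    split one bot's identical requests into several signatures."""
    lines = raw.replace("\r\n", "\n").split("\n")
    return "\n".join(line.rstrip() for line in lines).strip()


def build_signatures(records, threshold=20, window_seconds=60):
    """records: iterable of (src_ip, iso_timestamp, raw_request).
    Returns one signature per (source IP, normalised request) that recurs at
    least `threshold` times within `window_seconds` of its latest occurrence;
    the window keeps a browser's occasional page refreshes from qualifying."""
    seen = defaultdict(list)
    for ip, ts, raw in records:
        seen[(ip, normalise(raw))].append(datetime.fromisoformat(ts))
    sigs = []
    for (ip, req), times in seen.items():
        times.sort()
        last = times[-1]
        recent = [t for t in times if (last - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            sigs.append({"ip": ip, "count": len(recent), "length": len(req),
                         "last_seen": last.isoformat(),
                         "request_line": req.split("\n", 1)[0]})
    return sigs


# Constructed sample capture (documentation-range IPs, made-up timestamps).
BOT_REQUEST = ("GET / HTTP/1.1\r\nAccept: */*\r\nAccept-language: en-us\r\n"
               "User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) "
               "Gecko/20061204 Firefox/2.0.0.1\r\nHost: example.test\r\n"
               "Connection: Keep-Alive\r\n\r\n")
BASE = datetime.fromisoformat("2009-10-25T23:07:00+03:00")
SAMPLE = (
    # one source repeating the same request every second for 25 s: flood signature
    [("203.0.113.7", (BASE + timedelta(seconds=i)).isoformat(), BOT_REQUEST) for i in range(25)]
    # a visitor fetching different pages: never identical, never flagged
    + [("198.51.100.5", (BASE + timedelta(seconds=7 * i)).isoformat(),
        "GET /page%d HTTP/1.1\r\nHost: example.test\r\n\r\n" % i) for i in range(5)]
    # the same request 25 times but spread over two hours: outside the 60 s window
    + [("198.51.100.9", (BASE + timedelta(minutes=5 * i)).isoformat(), BOT_REQUEST) for i in range(25)]
)

if __name__ == "__main__":
    for sig in build_signatures(SAMPLE):
        print("IP: %(ip)s, last receiving time: %(last_seen)s, "
              "%(count)d identical requests (length %(length)d): %(request_line)s" % sig)
```

Widening the window (for example to a few hours) also catches the slow repeater in the sample, which is why the threshold and window are tuned together rather than fixed.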
Kanak,
We're not a Staminus reseller. Please do your homework: http://webtrace.info/asn/32421 .
I'm not going to hold court on whether or not you or your resellers are DDoSing competitors' customers, I was merely stating my opinion. The reader can draw their own conclusion. I think your network is blackhat, you say it's not. I say your entire network has minimal legitimate traffic and you say you have a diverse customer base.
The way I see it right now:
- You're an anonymous BVI company with no physical location
- This Computerworld article is referring to Akrino: http://www.computerworld.com/s/article/9063418/Russian_hosting_network_runni.... I was consulted on this article before it went to print and I'll put my reputation on that.
- All of the sites on Akrino around early 2008 were on NEAVE LIMITED until shutdown by uplink Eltel. They all came back up under Akrino uplink to Anders (AS39792).
- 91.202.60.0/22 has one actual company with legitimate commercially necessary traffic (will provide a full report if you want to push the issue) yet is responsible for hundreds of malware infections over the past 6 months (see again, http://google.com/safebrowsing/diagnostic?site=AS:44571 )
  -- The aforementioned company (solidtrustpay.com) was a Black Lotus customer and had received several days of multi-Gbps DDoS that subsided only once the customer agreed to use your network
  --- Post-DDoS the customer's server began receiving SSH connections from some former Soviet country (forget which offhand) trying to debug a reverse proxy (not sure if you/they realize that we filter your announcements). In the real world DDoS does not stop just hours before the gaining host goes to set up a proxy.
- The attacks you claim to be filtering would not be possible unless your connection to AS39792 is 10GE or they're doing the filters for you.
- The above has occurred at least three times with Akrino, zero times with better known, respected providers.
- A handful of respected net ops have contacted me off list to confirm much of this data and provide additional evidence.
Again, these are merely *opinions* and form the foundation of why I believe Akrino is a black hat network. Perhaps if you didn't have black hat resellers you wouldn't have this reputation? Maybe you should reconsider who you allow to resell your network? I don't know for certain but you need to clean up your network so you don't end up like Atrivo. Clean up now and everyone wins.
Jeff
On Sun, Nov 8, 2009 at 5:27 AM, noc acrino <noc.akrino@gmail.com> wrote:
Greetings!
By the way, Jeffrey, by the 24th of October, when you posted the information that the RBN is located in our networks, we couldn't even know about any malware redirectors on our clients' resources - http://www.stopbadware.org/reports/asn/44571. I'm trying to solve the Google SB issue (still under investigation both by our team and the resource owner, but NB - it's only 1 IP from 345 sites tested by Google), but one little question - how did you get to know about the malware abuse _before_ the actual report on stopbadware.org or on Google? What were your conclusions based on? Why didn't you write to the abuse email the way it's traditionally done in the network operators' sphere?
Kanak
Akrino Abuse Team
Kanak,
NANOG moderators have requested this conversation go off list.
Jeff
On Tue, Nov 10, 2009 at 1:50 PM, noc acrino <noc.akrino@gmail.com> wrote: