Interesting Point of view - Russian police and RIPE accused of aiding RBN

Greetings!

Let me introduce myself - I, as a part of the support team, represent NOC
Akrino, the team responsible for the technical operation of AKRINO Networks,
AS44571 (91.202.61.0/21). It's a service network for DDoS-mitigation
purposes, using a combination of hardware and self-developed software which
allows us to efficiently filter almost any kind of malicious traffic,
providing the white traffic to the client's server. Among our clients there
are some e-businesses, e-shops, e-mass media, etc. with critical losses in
case of possible DDoS-attacks. I can supply, if necessary, the
recommendations of our foreign resellers. Anyway, we have never declared
ourselves an abuse-resistant service provider - every abuse report sent to
the service email "noc.akrino@gmail.com" is investigated and responded to: we
can block the exact URLs or even block completely the traffic redirection to
the client in case of his abusive network behavior.

We're completely shocked by the declaration that the RBN moved to our AS. We
have no affiliation with RBN; the personal data is hidden and can be provided
on request just because of our members' personal security - in rare cases we
have even faced those risks (just because our filtration works, cyber criminals
often search for other ways of influencing us, including coercion).

In fact there are some problem clients, like some adult sites whose
advertising programs could be popular with spammers, but our policy
demands normal network behavior, and in case of abuse their advert
partner is blocked.

So, if you have any evidence of abusive network behavior by our clients, you
should send it directly to noc.akrino@gmail.com and we'll respond. If there
are any unsolved cases, we'll close them.

Please excuse us if in some way Akrino Networks was the source of problems
for you - we'll do our best to prevent it in the future.

And I'll sincerely ask Jeffrey Lyon, as a representative of the Black Lotus
team, to clarify his accusations: aren't they connected with the fact that many
of your DDoS-protected clients have chosen our reseller Blockdos (blockdos.net)
just because our pricing doesn't depend on the size of the attack? As far as I
understand it's a question of about $20k/month. Please tell me if I'm not
right.

Thank you.

Kanak

Akrino Abuse Team

Kanak,

It's good to see you here. The primary issue is that we receive a fair
deal of customers who end up with wide scale DDoS attacks followed by
an offer for "protection" to move to your network. In almost every
case the attacks cease once the customer has agreed to pay this
"protection" fee. Every one of these attacks was nearly identical in
signature.

A couple of years back we followed up on this and a handful of trusted
security analysts who focus on RBN alleged that Akrino was an RBN
shill network, thus prompting the spawn of this article:
http://www.computerworld.com/s/article/9063418/Russian_hosting_network_running_a_protection_racket_researcher_says

Since first seeing your network arise in early 2008 I've never
actually seen anyone claim to own it, and a Google search for your name
and ASN was completely devoid of any useful information. The ASN and
IP assignment are registered to a BVI offshore corporation that, based
on my research, does not seem to correlate to any legitimate commercial
activity. All of these things seem to support the Computerworld
article.

I would love to be proven wrong on this issue as I do not like to see
a good net op ostracized without just cause. Perhaps your reseller(s)
are giving you a bad name? Either way I would love to chat, feel free
to Skype: blacklotus.net .

Best regards, Jeff

Kanak,

Can you please detail your plans to correct the malware issues on your
network? (reference:
http://google.com/safebrowsing/diagnostic?site=AS:44571 ).

Best regards, Jeff

[offlist communication snipped for privacy]

Thanks for the quick answer, Jeffrey.

> Kanak,
>
> It's good to see you here. The primary issue is that we receive a fair
> deal of customers who end up with wide scale DDoS attacks followed by
> an offer for "protection" to move to your network. In almost every
> case the attacks cease once the customer has agreed to pay this
> "protection" fee. Every one of these attacks was nearly identical in
> signature.

I would be very grateful if you would provide the history of those
communications - in fact we have never organized DDoS-attacks ourselves, it's
just nonsense. Our AS is ready for any public testing to see what we are really
doing. I realize the fact that none of the normal network operators have any
instruments to organize a heavy DDoS-attack, but a single web-engineer can
test any web-server in our network to see the algorithms of traffic
analysis and attack mitigation.

> A couple of years back we followed up on this and a handful of trusted
> security analysts who focus on RBN alleged that Akrino was an RBN
> shill network, thus prompting the spawn of this article:
> http://www.computerworld.com/s/article/9063418/Russian_hosting_network_running_a_protection_racket_researcher_says

I'm sorry, in this article there's no concrete reference to Akrino Networks,
and no evidence that we're affiliated. I would ask any person on the
mailing list to check the domain history (for example, using domaintools.com) to
see whether the A-records of those domains (for example, TheCanadianMeds.com
and OfficialMedicines.com) have ever been bound to Akrino Networks. I must
buy some extra service units to make this kind of report - if you wait I'll
be ready in a few days. And anyway this also won't be proof -
the malefactor could have made this binding deliberately, but we have never
served these A-records.

I'd be grateful if you show any current problems concerning this AS; let's
investigate the issue together. Not long ago we closed a number of spam
sources within our networks (yes, there really were a few problem clients) in
collaboration with the Spamhaus team, and we are always ready to help our
colleagues if there's a need to.

> Since first seeing your network arise in early 2008 I've never
> actually seen anyone claim to own it, and a Google search for your name
> and ASN was completely devoid of any useful information. The ASN and
> IP assignment are registered to a BVI offshore corporation that, based
> on my research, does not seem to correlate to any legitimate commercial
> activity. All of these things seem to support the Computerworld
> article.

And as I've already mentioned, we're forced to hide because of personal
security. We can provide the documents concerning our activity only after
an official request obligating the requesting organization to keep this data
private.

Why have I written only now? I've discovered this claim now by chance and
have been greatly disappointed. Now I have to prove that Akrino Networks has
nothing to do with RBN and I can't even imagine a more comical and at the
same time weird situation.

> I would love to be proven wrong on this issue as I do not like to see
> a good net op ostracized without just cause. Perhaps your reseller(s)
> are giving you a bad name? Either way I would love to chat, feel free
> to Skype: blacklotus.net .

Thank you for this proposition, I'll contact you tomorrow.

Kanak

Akrino Abuse Team

Hello, Jeffrey and other NANOG members.

Sorry for making another thread - I'm not too experienced with mailing lists.

The problem is in the structure of new-generation advert or banner networks -
they allow returning traffic on other subjects to the partner's URL. And this
could also be used to redirect the traffic to different exploits (a simple
way to compromise a banner network or hosting provider). This is extremely
hard to monitor or to take preventive measures against in the case of a large
banner or advert network. Unfortunately Google doesn't provide a detailed
report on their check results: this could allow the resource's owner to easily
block their partners in that case.

Anyway, I'll contact the owner of this resource (91.202.63.96) now in order
to perform a check of their partners. I suppose just having a few domains
would be enough.

The other resource is situated on the public ip of our reseller - I'll ask
him to check this domain, too.

Thank you for that information, I'll report on that issue later.

Kanak

Akrino Support Team

By the way, Jeffrey, we can provide reports on HTTP-flood because our system
builds its signatures on HTTP traffic dumps like:

=== IP: 88.246.76.65, last receiving time: 2009-10-25T23:07:37+03:00, many
identical requests (length 198):
GET / HTTP/1.1
Accept: */*
Accept-language: en-us
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Host: [censored]
Connection: Keep-Alive

So using this info we can map botnets, learn different attacks and, in
collaboration with ISPs, find C&Cs of new botnets. And what are your
accusations of identical signatures based on, when simple Staminus
resellers (like you are) do not have access to their signature database?

Kanak

Akrino Abuse Team
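To make the kind of report Kanak describes above concrete, here is an added example (it is not Akrino's, Black Lotus's or any other thread participant's code) that takes per-request captures shaped like the quoted dump, counts byte-identical requests per source inside a sliding time window, and derives a template signature with the target-specific Host header stripped, so the same bot template can be recognised across victims, which is the "identical signature" comparison Jeff refers to. The sample dump, the IPs, the timing and the Host values are all constructed for the example.

```python
"""Cluster HTTP request dumps into per-source flood reports and template signatures.

Added example, not code from Akrino, Black Lotus or anyone else in the thread.
Input is a list of (source IP, ISO-8601 timestamp, raw request bytes) records
such as a mitigation box could log; every record below is constructed for the
example, and the Host values and IPs are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib

# Constructed request template, shaped like the dump quoted in the thread.
FLOOD_TEMPLATE = (
    b"GET / HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-language: en-us\r\n"
    b"User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.1) "
    b"Gecko/20061204 Firefox/2.0.0.1\r\n"
    b"Host: victim.example\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
BASE = datetime(2009, 10, 25, 23, 0, 0)


def _at(seconds):
    return (BASE + timedelta(seconds=seconds)).isoformat()


# Constructed dump: two bots replaying the same template against two different
# hosts (2 req/s and 1 req/s), plus one ordinary client fetching distinct pages.
SAMPLE_DUMP = (
    [("203.0.113.7", _at(i * 0.5), FLOOD_TEMPLATE) for i in range(120)]
    + [("203.0.113.9", _at(400 + i),
        FLOOD_TEMPLATE.replace(b"victim.example", b"other.example"))
       for i in range(80)]
    + [("198.51.100.20", _at(i * 30),
        b"GET /page%d HTTP/1.1\r\nHost: victim.example\r\n"
        b"User-agent: curl/7.19\r\n\r\n" % i)
       for i in range(10)]
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into request line, header dict and byte length."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return {"request_line": lines[0].decode("latin-1"),
            "headers": headers, "length": len(raw)}


def signature(raw, ignore=("host",)):
    """Hash of the request template with target-specific headers removed.

    Two bots replaying one template against different victims therefore get
    the same signature, which is what makes attacks comparable."""
    req = parse_request(raw)
    parts = [req["request_line"]] + [
        f"{name}: {value}"
        for name, value in sorted(req["headers"].items())
        if name not in ignore
    ]
    return hashlib.sha256("\n".join(parts).encode("latin-1")).hexdigest()[:16]


def find_floods(dump, min_identical=50, window=timedelta(seconds=60)):
    """Return {src_ip: report} for sources that sent at least min_identical
    byte-identical requests inside any span of length window."""
    times_by_key = defaultdict(list)
    for ip, ts, raw in dump:
        times_by_key[(ip, raw)].append(datetime.fromisoformat(ts))
    floods = {}
    for (ip, raw), times in times_by_key.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while times[start] < t - window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_identical:
            floods[ip] = {
                "signature": signature(raw),
                "length": len(raw),
                "identical_in_window": best,
                "total": len(times),
                "last_seen": times[-1].isoformat(),
            }
    return floods


def format_report(floods):
    """Render reports in the '=== IP: ..., many identical requests (length N)' style."""
    lines = []
    for ip, r in sorted(floods.items()):
        lines.append(f"=== IP: {ip}, last receiving time: {r['last_seen']}, "
                     f"many identical requests (length {r['length']}), "
                     f"{r['identical_in_window']} in window, signature {r['signature']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_floods(SAMPLE_DUMP)))
```

Both bots in the constructed dump are reported with the same signature even though they hit different Host values, while the curl client, whose ten requests are all distinct, is not reported. The window-based count rather than a raw total is what keeps a slow legitimate keep-alive client from being flagged for repeating one request over a long session.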

Kanak,

We're not a Staminus reseller. Please do your homework:
http://webtrace.info/asn/32421 .

I'm not going to hold court on whether or not you or your resellers
are DDoSing competitors' customers, I was merely stating my opinion.
The reader can draw their own conclusion. I think your network is
blackhat, you say it's not. I say your entire network has minimal
legitimate traffic and you say you have a diverse customer base. The
way I see it right now:

- You're an anonymous BVI company with no physical location
- This Computerworld article is referring to Akrino:
http://www.computerworld.com/s/article/9063418/Russian_hosting_network_running_a_protection_racket_researcher_says
I was consulted on this article before it went to print and I'll put
my reputation on that.
- All of the sites on Akrino around early 2008 were on NEAVE LIMITED
until shutdown by uplink Eltel. They all came back up under Akrino
uplink to Anders (AS39792).
- 91.202.60.0/22 has one actual company with legitimate commercially
necessary traffic (will provide a full report if you want to push the
issue) yet is responsible for hundreds of malware infections over the
past 6 months (see again,
http://google.com/safebrowsing/diagnostic?site=AS:44571 )
-- The aforementioned company (solidtrustpay.com) was a Black Lotus
customer and had received several days of multi-Gbps DDoS that
subsided only once the customer agreed to use your network
--- Post-DDoS the customer's server began receiving SSH connections
from some former Soviet country (forget which offhand) trying to debug
a reverse proxy (not sure if you/they realize that we filter your
announcements). In the real world DDoS does not stop just hours before
the gaining host goes to setup a proxy.
- The attacks you claim to be filtering would not be possible unless
your connection to AS39792 is 10GE or they're doing the filters for
you.
- The above has occurred at least three times with Akrino, zero times
with better known, respected providers.
- A handful of respected net ops have contacted me off list to confirm
much of this data and provide additional evidence.

Again, these are merely *opinions* and form the foundation of why I
believe Akrino is a black hat network. Perhaps if you didn't have
black hat resellers you wouldn't have this reputation? Maybe you
should reconsider who you allow to resell your network? I don't know
for certain but you need to clean up your network so you don't end up
like Atrivo. Clean up now and everyone wins.

Jeff

Greetings!

By the way, Jeffrey, by the 24th of October, when you posted the information
that the RBN is located in our networks, we couldn't even have known about any
malware redirectors on our clients' resources -
http://www.stopbadware.org/reports/asn/44571. I'm trying to solve the Google
SB issue (still under investigation both by our team and the resource owner,
but NB - it's only 1 IP out of 345 sites tested by Google) but one little
question - how did you get to know about the malware abuse _before_ the
actual report on stopbadware.org or on Google? What were your conclusions
based on? Why didn't you write to the abuse email, the way it's traditionally
done in the network operators' sphere?

Kanak

Akrino Abuse Team

Kanak,

NANOG moderators have requested this conversation go off list.

Jeff