The DDoS protection company itself launched DDoS attacks, its founder admitted

3 min



By 2016, vDos became the most popular service for ordering DDoS attacks in the world

If you believe the conspiracy theories, then the antivirus companies themselves spread the viruses, and the services of protection against DDoS attacks themselves initiate these attacks. Of course, this is fiction … or not?

January 16, 2020 Federal District Court of New Jersey found guilty 22-year-old Tucker Preston (Tucker Preston), a resident of the city of Macon, Georgia, on one of the charges, namely “damage to protected computers by transferring a program, code or command.” Tucker is a co-founder of BackConnect Security LLC, which offered protection against DDoS attacks. The young businessman could not resist the temptation to take revenge on intractable customers.

The sad story of Tucker Preston began in 2014, when a hacker-teenager, together with his friend Marshal Webb, founded BackConnect Security LLC, then BackConnect, Inc. broke away from it. In September 2016, this company lit up during the operation to close the vDos service, which at that time was considered the most popular service in the world for ordering DDoS attacks. BackConnect then allegedly itself was attacked through vDos – and carried out an unusual “counterattack”, capturing 255 enemy IP addresses by BGP interception (BGP hijacking). Conducting such an attack to defend one’s interests has generated conflicting opinions in the information security community. Many felt that BackConnect had crossed the line.

Simple BGP interception is performed by announcing someone else’s prefix as your own. Uplinks / peers accept it, and it begins to spread over the Web. For example, in 2017, allegedly as a result of a failure of the Rostelecom software (AS12389) began to announce prefixes Mastercard (AS26380), Visa and some other financial institutions. BackConnect worked in approximately the same way when it expropriated IP addresses from the Bulgarian host Verdina.net.

BackConnect CEO Bryant Townsend then made excuses on the NANOG mailing list for network operators. He said that the decision to attack the enemy’s address space was not easy, but they were ready to answer for their actions: “Although we had the opportunity to hide our actions, we felt that it would be wrong. I spent a lot of time thinking about this decision and how it could negatively affect the company and me in the eyes of some people, but in the end I supported it. ”

As it turned out, BackConnect is not the first time to use BGP interception, but the company generally has a dark history. Although it should be noted that BGP interception is not always used for malicious purposes. Brian Krebs writesthat he uses the services of Prolexic Communications (now part of Akamai Technologies) to protect against DDoS. It was she who came up with how to use BGP hijack to protect against DDoS attacks.

If a victim of a DDoS attack seeks help from Prolexic, the latter translates the client’s IP addresses onto itself, which allows it to analyze and filter incoming traffic.

Since BackConnect provided DDoS protection services, an analysis was carried out which of the BGP intercepts can be considered legitimate in the interests of their customers, and which look suspicious. This takes into account the duration of the capture of someone else’s addresses, how widely announced someone else’s prefix as their own, whether there is a confirmed agreement with the client, etc. The table shows that some of the BackConnect actions look very suspicious.

Apparently, one of the victims sued BackConnect. IN Preston Confessions (pdf) the name of the company recognized by the court as the victim is not indicated. The victim in the document is referred to as Victim 1.

As mentioned above, an investigation into BackConnect began after hacking the vDos service. Then names became known service administrators, as well as the vDos database, including its registered users and records of customers who paid vDos for conducting DDoS attacks.

These records showed that one of the accounts on the vDos website is open to email addresses associated with a domain that is registered in the name of Tucker Preston. This account initiated attacks on a large number of targets, including numerous attacks on networks belonging to Free Software Foundation (FSF).

In 2016, the former FSF sysadmin said that a nonprofit organization at some point was considering working with BackConnect, and attacks began almost immediately after the FSF said it would look for another company to protect against DDoS.

According to statement The US Department of Justice, on this count of charges, Tucker Preston faces imprisonment of up to 10 years and a fine of up to $ 250,000, which doubles the total profit or loss from the crime. The verdict will be pronounced on May 7, 2020.


GlobalSign introduces scalable PKI solutions for organizations of any size.

More details: +7 (499) 678 2210, sales-ru@globalsign.com.


0 Comments

Leave a Reply