Security BSides Las Vegas 2025

Ryan English

Ryan English is a researcher at Lumen Technologies’ Black Lotus Labs, where the team chases threats across the backbone of the internet. He began his career in cybersecurity over 13 years ago after spending most of his life in the military and as a private security specialist, because breaking things is a universal skill. He has spoken at BSidesLV, BSides Harrisburg and BSidesNYC, among other places.


Session

08-04
14:00
45min
(02) The Botnet Strikes Back: how we assembled a coalition to take down a criminal network & their all-out response
Ryan English

In November 2024, Black Lotus Labs took down the “ngioweb” botnet, which formed the basis of the NSOCKS criminal proxy network. The network was one of the most popular for criminal groups and had been tied to APTs, had proxies in 180 countries, and took us a year to track and identify all the nodes and C2s.

Previous interdictions had taught us we could not act alone and keep botnets down for long, so we had been working extensively to build trust with other ISPs and ASNs around the world to try and limit a botnet’s reconstruction. After everything from blind letters to abuse desks to connections through friends, we managed to get our research in front of the right people and put together a group to simultaneously deny traffic to all the known layers of control. And then things got interesting.

The botnet controllers used everything from social media to “cease and desist” letters, eventually trying to DDoS our company, all in an effort to get their botnet back.

I will describe our efforts to build cooperation among internet providers behind the scenes, and the various attempts the threat actors used to coerce us into leaving them alone.

Skytalks
Misora