Internet access for security consultants - pen tests, attack traffic, bulk e-mail, etc.

We were recently approached by a company that does security consulting. Some
of the functions they perform include discovery scans, penetration testing,
bulk e-mail generation (phishing, malware, etc.), hosting fake botnets -
basically, they'd be generating a lot of bad network traffic. Targeted at
specific clients/customers, but still bad. As an ISP, this is new territory
for us and there are some concerns about potential impact, abuse reports,
reputation, authorization to perform such tests, etc.

Does anyone have experience in this area that would be willing to offer

Ping the DNC? :slight_smile:


We have written agreements with our vendors on who they can and can not
send this traffic from, where exactly it is coming from and what type of
traffic it will be. One reason our vendor does this is to not get on black
hole/spam lists or to cause their ISP issues, as well as having proof that
they are allowed to send specific traffic to specific addresses for a
specific time period. The test managers then know what to expect and to
head off abuse notifications after detection of the specific traffic. We,
also, use this traffic to test other vendors we might have and only after
detection we will have white lists or black lists put in place as warranted.

I would expect the company in question to be able to provide documentation
that could track any specific traffic back to an engagement that has the
approval of their customer. If they have been around for a bit they should
have a track record and may have current IP space that could be vetted to
see what condition it is in. Are they leaving it or adding too it. If
they are leaving their current space then find out why.


I work for a MSSP (Managed Security Services Provider) that provides some
of these services including vulnerability scanning and such. If it's a
legitimate provider doing work for customers, you should never get a
complaint about their activities. Before we do any kind of scan, we have a
contract in place with the customer and include the IP(s) we'll be scanning
from and the range of IPs we'll be scanning (assuming this is an external
scan). If they're not getting permission from customers first, they are
almost certainly breaking laws by scanning systems they don't have
permission to, and I wouldn't host them.

Assuming you have a legal department, just make sure that you put
something that says this type of activity will only be permitted when the
target has agreed to the scan in advance. If you get some complaints,
investigate, and if they're breaking the contract, turf them.

Quick note to thank everyone for their input. So far everything that has been suggested publicly and privately has been right in line with what were already putting on paper so this provided some great feedback and confirmation that we’re going in the right direction.