Washington Post: Atrivo/Intercage, why are we peering with the American RBN?

Hi all.

This Washington Post story came out today:
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html

In it, Brian Krebs discusses the SF Bay Area based Atrivo/Intercage, which has been long named as a bad actor, accused of shuffling abuse reports to different IP addresses and hosting criminals en masse, compared often to RBN in maliciousness. "The American RBN", if you like.

1. I realize this is a problematic issue, but when it is clear a network is so evil (as the story suggests they are), why are we still peering with them? Who currently provides them with transit? Are they aware of this news story?

If Lycos' Make Spam Not War, and Blue Security's Blue Frog were run out of hosting continually, this has been done before to some extent. This network is not in Russia or China, but in Silicon Valley.

2. On a different note, why is anyone still accepting their route announcements? I know some among us re-route RBN traffic to protect users. Do you see this as a valid solution for your networks?

What ASNs belong to Atrivo, anyway?

Does anyone have more details as to the apparent evilness of Atrivo/Intercage, who can verify these reports? As researched as they are, and my personal experience aside, I'd like some more data before coming to conclusions.

Hostexploit released a document [PDF] on this very network, just now, which is helpful:
http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15

   Gadi.

The ASNs you ask about - as per the report - are on pages 4..8 of
http://hostexploit.com/downloads/Atrivo%20white%20paper%20082808ac.pdf

Unless I'm misreading this (or perhaps GBLX read Krebs's story and said
good-bye to Atrivo/Intercage), it looks like they are no longer their
upstream:

http://cidr-report.org/cgi-bin/as-report?as=AS27595&v=4&view=2.0

Marc
SANS ISC

> Unless I'm misreading this (or perhaps GBLX read Krebs's story and said
> good-bye to Atrivo/Intercage), it looks like they are no longer their
> upstream:
>
> http://cidr-report.org/cgi-bin/as-report?as=AS27595&v=4&view=2.0

Current peers:
http://cidr-report.org/cgi-bin/as-report?as=AS19151 (just purchased by Host.net)
http://cidr-report.org/cgi-bin/as-report?as=AS26769

This popped up on my radar only because of AS19151 and the BGP Attack
thread mentioning PHAS. Just last night I got phaser@ notifications
about 19151 popping in and out of 22653 (a network I reside deep
inside of) for about a 12 hour span.

Hmmmm,

-Jim P.
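Two of the questions in this thread, who is providing transit to an ASN and what a PHAS-style monitor reacts to when one ASN "pops in and out" of another's prefixes, can both be worked out from AS paths. The following is an added Python example, not code from any poster, from cidr-report or from PHAS; the routes and updates are constructed, and the ASNs are only borrowed from the thread, not real routing data.

```python
# Two checks built from BGP AS paths: which ASNs sit one hop upstream of a
# given AS, and when the origin AS of a monitored prefix changes.

# Constructed sample routes as a collector might see them: (prefix, AS path),
# path listed from the collector's neighbour down to the origin AS.
# ASNs echo the thread; the paths themselves are made up for illustration.
SAMPLE_ROUTES = [
    ("203.0.113.0/24", [3549, 19151, 27595]),
    ("203.0.113.0/24", [1299, 26769, 27595, 27595]),  # origin prepended once
    ("198.51.100.0/24", [3549, 19151]),
]

# Constructed, time-ordered updates for one monitored prefix.
SAMPLE_UPDATES = [
    ("00:00", "192.0.2.0/24", [3549, 22653]),
    ("01:10", "192.0.2.0/24", [3549, 22653]),      # same origin, no event
    ("02:15", "192.0.2.0/24", [3549, 19151]),      # origin flips to 19151
    ("05:40", "192.0.2.0/24", [3549, 22653]),      # and back
    ("06:00", "198.51.100.0/24", [1299, 26769]),   # other prefix, ignored
    ("12:30", "192.0.2.0/24", []),                 # withdrawal
]

def transit_providers(routes, asn):
    """ASNs seen one hop upstream of `asn` (its transit/peer neighbours)."""
    providers = set()
    for _prefix, path in routes:
        for i in range(1, len(path)):
            # Skip prepended repeats so an AS is not its own provider.
            if path[i] == asn and path[i - 1] != asn:
                providers.add(path[i - 1])
    return providers

def prefixes_via(routes, asns):
    """Prefixes whose AS path traverses any ASN in `asns`; the set a
    per-ASN blackhole or filter would actually take out."""
    return {prefix for prefix, path in routes if asns.intersection(path)}

def origin_changes(updates, prefix):
    """Return (time, old_origin, new_origin) for every change of origin AS
    of `prefix`, including its first appearance and any withdrawal (None)."""
    events, current = [], None
    for ts, pfx, path in updates:
        if pfx != prefix:
            continue
        origin = path[-1] if path else None
        if origin != current:
            events.append((ts, current, origin))
            current = origin
    return events
```

Run against a real table export the same functions show which ASNs would have to drop a network for it to lose transit, and how many prefixes a blanket per-ASN blackhole would really affect.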

Guess I need to look in more detail, but doesn't looking at that show that
CHINANET has about half the rogue network infections of the overall network?
Sounds like if you don't do business with China, putting in a blackhole on
AS4134 (and maybe 4837 and 4812) would knock out the majority of the trouble
sites.

Heck, and maybe I am in the dark ages, I didn't realize Google was
providing that much connectivity; why the heck do they have so many infected
machines? Unless I am just reading that stuff wrong, guess I need to take
my time and go through it. I am not in the wholesale bandwidth game
anymore, but I have sure suffered my share of DDoS attacks, and am all for
any intelligent things I can do to help eliminate such future issues.