[nsp-sec] intercage/atrivo

David Freedman david.freedman at uk.clara.net
Tue Sep 16 20:03:48 EDT 2008


So really, for me the logic is really screaming out with this one:


1. He has had a number of these complaints

2. He has been the center of attention recently (nanog et al)

3. He has become upstream-less as a result.

Assuming his claims of innocence, the guy is running a business, so at the very least, in order to *retain* customers and encourage more to come, one would expect him *at the very least* to have made:

1. A thorough investigation of the issues at hand

2. Various policy / AUP changes

3. Stricter vetting of customers 

4. Made assurances to his existing customers that their service will not be affected

5. Network security, IDS/IDP/anomaly detection/quick suspension, etc.

So in short, does the lack of these things mean he either:

1. Doesn't care because he doesn't care about his business

2. Doesn't care because he is payrolled by the very people we stand against

3. Is a blathering idiot

Which of these do you think is more likely?



------------------------------------------------
David Freedman
Group Network Engineering 
Claranet Limited
http://www.clara.net



-----Original Message-----
From: nsp-security-bounces at puck.nether.net on behalf of Chris Morrow
Sent: Wed 9/17/2008 00:40
To: Jose Nazario
Cc: nsp-security NSP; Darren Grabowski
Subject: Re: [nsp-sec] intercage/atrivo
 
----------- nsp-security Confidential --------

So... I think some/a-lot of the problem with atrivo (Emil) is that he 
plays the dumb-dupe very well: "Oh, another one of my customers is being 
abusive? Spreading malware? Involved with ZLob? Oh, I'll terminate them 
right now!"

Which most often in the past has meant:

ifconfig eth0 1.2.3.4 down
ifconfig eth0 1.2.3.5 up

"Ok, all terminated, wow thanks for the note!"

If he's not aware that his AS and the customers of his AS have been 
involved with a very large and ongoing set of malware and abuse issues 
he's either really, really, really dumb or deaf/blind/dumb/fingerless.

Given the last 4+ years of abuse centered around Atrivo/Intercage I just 
can't believe that he's completely unaware of the situation.

Joe St Sauver from u-Oregon may have some more/better/detailed information 
on Atrivo... Spamhaus (despite my normal 'f-spamhaus' attitude) really has 
a decent trove as well.

-Chris

On Tue, 16 Sep 2008, Jose Nazario wrote:

> ----------- nsp-security Confidential --------
>
> On Tue, 16 Sep 2008, Darren Grabowski wrote:
>
>> Does anyone have anything active on Atrivo?  I've been told that "he is 
>> innocent, this is a bunch of heresy, 95% of what is said is not true, it's 
>> all the Russians" and stuff like that.
>
> very little in the past 24h.
>
> ATLAS DETAILED REPORT: 27595
>
> Generated: Tue Sep 16 23:12:18 2008 UTC
> Covers 24 hour time period through now.
>
> DENIAL OF SERVICE
> OBSERVED INBOUND ATTACKS
> Based on actual alerts gathered in our Internet statistics project.
> Start, End, Dest CIDR, Dest ASN, Dest CC, Max BPS, Max PPS
> 1221434509, 1221435786, "216.255.184.150/32", "27595", US, 163104, 51
> 1221356595, 1221434466, "216.255.184.150/32", "27595", US, 1944056, 312
>
> MALICIOUS CLIENTS
> Scans
> Based on ATLAS honeypot sensors.
> IP, Cumulative Bytes
>
> MALICIOUS SERVERS
> Malicious Links
> URLs contacted by malware during automated analysis.
> Timestamp, CC, ASN, IP, URL
> 1221537600, CY, 27595, 69.50.175.194, "http://69.50.175.194/ca/count.php?flsh=0&pion=0&p=84626410&a=0003"
> 1221537600, US, 27595, 64.28.181.230, "http://64.28.181.230/path.txt"
>
>
>
> -------------------------------------------------------------
> jose nazario, ph.d.     <jose at arbor.net>
> security researcher, office of the CTO,  arbor networks
> v: (734) 821 1427 	      http://asert.arbornetworks.com/
>
>


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security counter-measures.
_______________________________________________
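As an added example (mine, not part of the thread and not Arbor's ATLAS tooling), a small parser for the DENIAL OF SERVICE section layout quoted in Jose's report: it turns the epoch Start/End columns into durations and builds the per-target summary an abuse desk would hand to an upstream. The two embedded rows are the ones quoted above; `EXPECTED_HEADER` is my own name for the report's column line.

```python
import csv
from dataclasses import dataclass
from datetime import datetime, timezone
# The two DENIAL OF SERVICE rows quoted from the ATLAS report in this thread,
# with the report's own column header (embedded so the block runs offline).
ATLAS_DOS_SECTION = """\
Start, End, Dest CIDR, Dest ASN, Dest CC, Max BPS, Max PPS
1221434509, 1221435786, "216.255.184.150/32", "27595", US, 163104, 51
1221356595, 1221434466, "216.255.184.150/32", "27595", US, 1944056, 312
"""
EXPECTED_HEADER = ["Start", "End", "Dest CIDR", "Dest ASN", "Dest CC", "Max BPS", "Max PPS"]

@dataclass
class DosEvent:
    start: datetime      # aware UTC datetime, converted from the epoch column
    end: datetime
    dest_cidr: str
    dest_asn: int
    dest_cc: str
    max_bps: int
    max_pps: int

    @property
    def duration_s(self) -> int:
        return int((self.end - self.start).total_seconds())

def parse_dos_section(text: str) -> list:
    """Parse the DoS rows; the first line must be the known column header."""
    rows = csv.reader(text.strip().splitlines(), skipinitialspace=True)
    header = [h.strip() for h in next(rows)]
    if header != EXPECTED_HEADER:
        raise ValueError("unexpected ATLAS header: %r" % header)
    events = []
    for row in rows:
        if len(row) != len(EXPECTED_HEADER):
            continue  # blank or truncated line: skip rather than guess
        start, end, cidr, asn, cc, bps, pps = row
        events.append(DosEvent(datetime.fromtimestamp(int(start), tz=timezone.utc),
                               datetime.fromtimestamp(int(end), tz=timezone.utc),
                               cidr, int(asn), cc, int(bps), int(pps)))
    return events

def summarize(events: list) -> dict:
    """Per-target totals an abuse desk can act on: events, seconds, peak bps."""
    out = {}
    for ev in events:
        s = out.setdefault(ev.dest_cidr, {"events": 0, "total_s": 0, "peak_bps": 0})
        s["events"] += 1
        s["total_s"] += ev.duration_s
        s["peak_bps"] = max(s["peak_bps"], ev.max_bps)
    return out
```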