[nsp-sec] Hat check: GHOSTnet, Digital Energy Technologies, Colocation America Corp, etc

Damian Menscher damian at google.com
Thu May 5 01:43:26 EDT 2016


We've seen a fair amount of abuse from several hosting providers... often
using large numbers of IPs spread across the provider's space in hopes of
getting around per-IP abuse detection.  When we see this sort of thing from
Amazon EC2, we can trust their abuse team to take action (albeit slowly).
But for other hosting providers, the abuse is such a large fraction of
their traffic that we sometimes suspect the provider is complicit.
Some examples I'm curious about:

AS 12586 GHOSTnet: Lots of IPs sourcing abuse, but no web presence
(http://www.ghostnet.de/) for people to buy hosting.  Strange?

AS 61440: Digital Energy Technologies (http://digitalenergytech.net/) hosts
VPS at a broad scale.

AS 21769: Colocation America Corp (http://www.colocationamerica.com/) was
found issuing what appears to be fraudulent LOAs.  They also directly
source a huge amount of abuse.

AS 36352: ColoCrossing: I suspect they're legitimate, but they appear to
offer customers a /24 of space at a time, which leads to significant abuse.

AS 46261: QuickPacket (http://www.quickpacket.com/): another case of giving
each customer large amounts of IP-space, which can then be used for abuse.

I can easily come up with more examples.  I'm curious whether these
providers are evil or just have bad customers.  I'd also appreciate
suggested responses when a provider issues an abusive customer several /24s
(is this just something we need to handle ourselves, or should there be a
broader community response like a shared database of the IP allocation
practices of various ASNs).

Damian
-- 
Damian Menscher :: Security Reliability Engineer :: Google :: AS15169
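
The following is an added example, not part of the original message or any Google code. It shows why per-IP thresholds miss traffic spread across a provider's space, and how rolling the same counts up to the /24 and ASN catches it. The addresses (RFC 5737 documentation ranges), private-use ASNs, the prefix-to-ASN table and the thresholds are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed allocation table: documentation prefixes mapped to private-use ASNs.
PREFIX_TO_ASN = {
    ipaddress.ip_network("192.0.2.0/24"): 64512,
    ipaddress.ip_network("198.51.100.0/24"): 64512,
    ipaddress.ip_network("203.0.113.0/24"): 64513,
}

# Assumed thresholds: a key is flagged when its hit count exceeds the limit.
LIMITS = {"ip": 10, "prefix": 50, "asn": 100}


def sample_events():
    """Constructed abuse hits, one list entry per hit.

    AS64512 spreads a few hits over each of 30 IPs in two /24s;
    AS64513 has one noisy IP.
    """
    events = []
    for host in range(1, 16):
        events += [f"192.0.2.{host}"] * 4 + [f"198.51.100.{host}"] * 3
    events += ["203.0.113.7"] * 12
    return events


def rollup(events, limits):
    """Count hits per IP, per /24 and per ASN; return the keys over each limit."""
    counts = {"ip": Counter(), "prefix": Counter(), "asn": Counter()}
    for raw in events:
        ip = ipaddress.ip_address(raw)
        prefix = ipaddress.ip_network(f"{ip}/24", strict=False)
        counts["ip"][str(ip)] += 1
        counts["prefix"][str(prefix)] += 1
        asn = PREFIX_TO_ASN.get(prefix)  # None when the prefix is not in the table
        if asn is not None:
            counts["asn"][asn] += 1
    return {level: {key: n for key, n in c.items() if n > limits[level]}
            for level, c in counts.items()}


if __name__ == "__main__":
    for level, flagged in rollup(sample_events(), LIMITS).items():
        print(level, flagged)
```

No single AS64512 address crosses the per-IP limit and one of its /24s stays under the per-prefix limit, so only the ASN-level count reflects the full volume.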

