On Mon, Sep 11, 2017 at 3:40 PM, Sean Pedersen <spedersen.lists@gmail.com> wrote:
We were recently approached by a company that does security consulting. Some of the functions they perform include discovery scans, penetration testing, bulk e-mail generation (phishing, malware, etc.), hosting fake botnets - basically, they'd be generating a lot of bad network traffic. Targeted at specific clients/customers, but still bad. As an ISP, this is new territory for us and there are some concerns about potential impact, abuse reports, reputation, authorization to perform such tests, etc.
Does anyone have experience in this area that would be willing to offer advice?
From a customer point of view:
We have written agreements with our vendors on who they can and cannot send this traffic from, where exactly it is coming from and what type of traffic it will be. One reason our vendor does this is to not get on black hole/spam lists or to cause their ISP issues, as well as having proof that they are allowed to send specific traffic to specific addresses for a specific time period. The test managers then know what to expect and to head off abuse notifications after detection of the specific traffic. We also use this traffic to test other vendors we might have, and only after detection will we have white lists or black lists put in place as warranted. I would expect the company in question to be able to provide documentation that could track any specific traffic back to an engagement that has the approval of their customer. If they have been around for a bit they should have a track record and may have current IP space that could be vetted to see what condition it is in. Are they leaving it or adding to it? If they are leaving their current space then find out why.
James
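The traceability James describes (written authorization naming the permitted source addresses, targets, traffic type and time window, so that an abuse report can be tied back to an approved engagement) can be made mechanical on the ISP's abuse desk. The following is an added example, not code from either poster: it models each authorization as a record and answers, for a reported source/destination/type/time, which engagement covers it, or reports that none does. All engagement ids, client names, networks and dates are constructed, using RFC 5737 documentation address ranges.

```python
"""Match a traffic report against engagement authorizations.

Added example, not from the thread: models the written agreements the
reply describes (who may send, from which addresses, what traffic, to
whom, for what period) as records, then answers "which engagement, if
any, covers this traffic?" for an abuse report.  Every id, name,
address and date below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Engagement:
    engagement_id: str        # reference the consultant must be able to produce
    client: str               # the customer who approved the test
    source_nets: tuple        # networks the consultant may send from
    target_nets: tuple        # client-approved destination networks
    traffic_types: frozenset  # e.g. {"scan", "phish"}
    start: datetime           # authorization window (inclusive)
    end: datetime

    def covers(self, src, dst, kind, when):
        """True if src->dst traffic of this kind at this time is authorized."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        return (
            self.start <= when <= self.end
            and kind in self.traffic_types
            and any(src_ip in net for net in self.source_nets)
            and any(dst_ip in net for net in self.target_nets)
        )


def find_authorization(engagements, src, dst, kind, when):
    """Return the engagement authorizing this traffic, or None if nothing does."""
    for engagement in engagements:
        if engagement.covers(src, dst, kind, when):
            return engagement
    return None


# Constructed sample authorizations (RFC 5737 test addresses, hypothetical ids).
UTC = timezone.utc
ENGAGEMENTS = [
    Engagement("ENG-2017-041", "Example Credit Union",
               (ip_network("192.0.2.0/28"),),
               (ip_network("198.51.100.0/24"),),
               frozenset({"scan", "phish"}),
               datetime(2017, 9, 11, 0, 0, tzinfo=UTC),
               datetime(2017, 9, 15, 23, 59, tzinfo=UTC)),
    Engagement("ENG-2017-042", "Example Hospital",
               (ip_network("192.0.2.16/28"),),
               (ip_network("203.0.113.0/24"),),
               frozenset({"scan"}),
               datetime(2017, 9, 18, 0, 0, tzinfo=UTC),
               datetime(2017, 9, 22, 23, 59, tzinfo=UTC)),
]


def triage_report(report, engagements=ENGAGEMENTS):
    """Classify one abuse report as 'authorized:<id>' or 'unauthorized'.

    Anything 'unauthorized' is handled as a normal abuse case; the
    consultant's agreement does not cover it.
    """
    match = find_authorization(engagements, report["src"], report["dst"],
                               report["kind"], report["when"])
    return f"authorized:{match.engagement_id}" if match else "unauthorized"


if __name__ == "__main__":
    # Constructed abuse reports as they might arrive at the ISP's abuse desk.
    reports = [
        {"src": "192.0.2.5", "dst": "198.51.100.20", "kind": "scan",
         "when": datetime(2017, 9, 12, 14, 0, tzinfo=UTC)},   # in scope
        {"src": "192.0.2.5", "dst": "203.0.113.7", "kind": "scan",
         "when": datetime(2017, 9, 12, 14, 0, tzinfo=UTC)},   # target not approved
        {"src": "192.0.2.20", "dst": "203.0.113.7", "kind": "phish",
         "when": datetime(2017, 9, 19, 9, 0, tzinfo=UTC)},    # traffic type not approved
        {"src": "192.0.2.20", "dst": "203.0.113.7", "kind": "scan",
         "when": datetime(2017, 9, 25, 9, 0, tzinfo=UTC)},    # window expired
    ]
    for r in reports:
        print(r["src"], "->", r["dst"], r["kind"], triage_report(r))
```

The check is deliberately conjunctive: source network, target network, traffic type and time window must all match, so a consultant who drifts outside any one dimension of the agreement shows up as an ordinary abuse case rather than being waved through on the strength of the engagement alone.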
We have written agreements with our vendors on who they can and can not send this traffic from, where exactly it is coming from and what type of traffic it will be. One reason our vendor does this is to not get on black hole/spam lists or to cause their ISP issues, as well as having proof that they are allowed to send specific traffic to specific addresses for a specific time period. The test managers then know what to expect and to head off abuse notifications after detection of the specific traffic. We, also, use this traffic to test other vendors we might have and only after detection we will have white lists or black lists put in place as warranted. I would expect the company in question to be able to provide documentation that could track any specific traffic back to an engagement that has the approval of their customer. If they have been around for a bit they should have a track record and may have current IP space that could be vetted to see what condition it is in. Are they leaving it or adding too it. If they are leaving their current space then find out why. James