I work for an MSSP (Managed Security Services Provider) that provides some of these services including vulnerability scanning and such. If it's a legitimate provider doing work for customers, you should never get a complaint about their activities. Before we do any kind of scan, we have a contract in place with the customer and include the IP(s) we'll be scanning from and the range of IPs we'll be scanning (assuming this is an external scan). If they're not getting permission from customers first, they are almost certainly breaking laws by scanning systems they don't have permission to, and I wouldn't host them. Assuming you have a legal department, just make sure that you put something in that says this type of activity will only be permitted when the target has agreed to the scan in advance. If you get some complaints, investigate, and if they're breaking the contract, turf them.

On Mon, 11 Sep 2017 at 16:01 james machado <hvgeekwtrvl@gmail.com> wrote:
On Mon, Sep 11, 2017 at 3:40 PM, Sean Pedersen <spedersen.lists@gmail.com> wrote:
We were recently approached by a company that does security consulting. Some of the functions they perform include discovery scans, penetration testing, bulk e-mail generation (phishing, malware, etc.), hosting fake botnets - basically, they'd be generating a lot of bad network traffic. Targeted at specific clients/customers, but still bad. As an ISP, this is new territory for us and there are some concerns about potential impact, abuse reports, reputation, authorization to perform such tests, etc.
Does anyone have experience in this area that would be willing to offer advice?
From a customer point of view:
We have written agreements with our vendors on who they can and cannot send this traffic from, where exactly it is coming from and what type of traffic it will be. One reason our vendor does this is to not get on black hole/spam lists or cause their ISP issues, as well as having proof that they are allowed to send specific traffic to specific addresses for a specific time period. The test managers then know what to expect and can head off abuse notifications after detection of the specific traffic. We also use this traffic to test other vendors we might have, and only after detection will we have whitelists or blacklists put in place as warranted.
I would expect the company in question to be able to provide documentation that could track any specific traffic back to an engagement that has the approval of their customer. If they have been around for a bit, they should have a track record and may have current IP space that could be vetted to see what condition it is in. Are they leaving it or adding to it? If they are leaving their current space, then find out why.
James
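The practice both replies describe, an engagement register tying approved source addresses, target ranges, traffic types and a time window to a customer so that an abuse report can be traced back to a contract, as an added example that is not part of the thread (Python; the client name, the RFC 5737 address ranges and the complaint-line format are all constructed for illustration):

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Engagement:
    client: str         # customer who signed the agreement
    sources: tuple      # networks the tester is allowed to send from
    targets: tuple      # address ranges the customer approved
    start: datetime     # approved window, UTC
    end: datetime
    kinds: frozenset    # traffic types covered, e.g. "portscan", "phishing"

# Constructed register: RFC 5737 documentation ranges, hypothetical client.
ENGAGEMENTS = (
    Engagement("ExampleCorp", (ip_network("203.0.113.0/28"),),
               (ip_network("198.51.100.0/24"),),
               datetime(2017, 9, 11, tzinfo=timezone.utc),
               datetime(2017, 9, 15, 23, 59, tzinfo=timezone.utc),
               frozenset({"portscan", "phishing"})),
)

def find_engagement(src, dst, when, kind, register=ENGAGEMENTS):
    """Return the engagement that covers this flow, or None."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for e in register:
        if (e.start <= when <= e.end and kind in e.kinds
                and any(src_ip in n for n in e.sources)
                and any(dst_ip in n for n in e.targets)):
            return e
    return None

def triage(complaint_lines, register=ENGAGEMENTS):
    """Lines: '<ISO 8601 UTC> <src> <dst> <kind>' (constructed); returns (line, verdict)."""
    verdicts = []
    for line in complaint_lines:
        stamp, src, dst, kind = line.split()
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        e = find_engagement(src, dst, when, kind, register)
        verdicts.append((line, f"authorized:{e.client}" if e else "investigate"))
    return verdicts

# Constructed complaints: in contract; target outside the approved range;
# after the window closed.
SAMPLE = [
    "2017-09-11T14:05:00Z 203.0.113.10 198.51.100.7 portscan",
    "2017-09-11T14:06:00Z 203.0.113.10 192.0.2.44 portscan",
    "2017-09-20T09:00:00Z 203.0.113.10 198.51.100.7 phishing",
]
```

Anything that comes back as "investigate" is exactly the case the first reply describes: traffic with no contract behind it, which is grounds to go back to the customer.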