Washington Post: Atrivo/Intercage, why are we peering with the American RBN?
Hi all.

This Washington Post story came out today: http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as...

In it, Brian Krebs discusses the SF Bay Area based Atrivo/Intercage, which has long been named as a bad actor, accused of shuffling abuse reports to different IP addresses and hosting criminals en masse, and often compared to RBN in maliciousness. "The American RBN", if you like.

1. I realize this is a problematic issue, but when it is clear a network is so evil (as the story suggests they are), why are we still peering with them? Who currently provides them with transit? Are they aware of this news story?

If Lycos' "make spam not war" and Blue Security's Blue Frog were run out of hosting continually, this has been done before to some extent. This network is not in Russia or China, but in Silicon Valley.

2. On a different note, why is anyone still accepting their route announcements? I know some among us re-route RBN traffic to protect users. Do you see this as a valid solution for your networks?

What ASNs belong to Atrivo, anyway?

Does anyone have more details as to the apparent evilness of Atrivo/Intercage, who can verify these reports? As researched as they are, and my personal experience aside, I'd like some more data before coming to conclusions.

Hostexploit released a document [PDF] on this very network, just now, which is helpful: http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15

Gadi.
On Sat, Aug 30, 2008 at 1:32 AM, Gadi Evron <ge@linuxbox.org> wrote:
2. On a different note, why is anyone still accepting their route announcements? I know some among us re-route RBN traffic to protect users. Do you see this as a valid solution for your networks?
What ASNs belong to Atrivo, anyway?
The ASNs you ask about - as per the report - are on pages 4..8 of http://hostexploit.com/downloads/Atrivo%20white%20paper%20082808ac.pdf
Guess I need to look in more detail, but doesn't looking at that show that CHINANET has about half the rogue network infections of the overall network? Sounds like if you don't do business with China, putting in a blackhole on AS4134 (and maybe 4837 and 4812) would knock out the majority of the trouble sites.

Heck, and maybe I am in the dark ages, I didn't realize Google was providing that much connectivity; why the heck do they have so many infected machines? Unless I am just reading that stuff wrong, guess I need to take my time and go through it.

I am not in the wholesale bandwidth game anymore, but I have sure suffered my share of DDoS attacks, and am all for any intelligent things I can do to help eliminate such future issues.

---
Howard Leadmon
-----Original Message-----
From: Suresh Ramasubramanian [mailto:ops.lists@gmail.com]
Sent: Friday, August 29, 2008 4:38 PM
To: Gadi Evron
Cc: nanog@merit.edu
Subject: Re: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?
Unless I'm mis-reading this (or perhaps GBLX read Krebs' story and said good-bye to Atrivo/Intercage), it looks like they are no longer their upstream: http://cidr-report.org/cgi-bin/as-report?as=AS27595&v=4&view=2.0

Marc
SANS ISC

-----Original Message-----
From: Gadi Evron [mailto:ge@linuxbox.org]
Sent: Friday, August 29, 2008 4:02 PM
To: nanog@merit.edu
Subject: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?
On Fri, 29 Aug 2008, Marc Sachs wrote:
Unless I'm mis-reading this (or perhaps GBLX read Krebs' story and said good-bye to Atrivo/Intercage), it looks like they are no longer their upstream:
http://cidr-report.org/cgi-bin/as-report?as=AS27595&v=4&view=2.0
Current peers:
http://cidr-report.org/cgi-bin/as-report?as=AS19151 (just purchased by Host.net)
http://cidr-report.org/cgi-bin/as-report?as=AS26769

Marc
SANS ISC
-----Original Message-----
From: Gadi Evron [mailto:ge@linuxbox.org]
Sent: Friday, August 29, 2008 4:02 PM
To: nanog@merit.edu
Subject: Washington Post: Atrivo/Intercage, why are we peering with the American RBN?
Hi all.
This Washington Post story came out today: http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html
In it, Brian Krebs discusses the SF Bay Area based Atrivo/Intercage, which has long been named as a bad actor, accused of shuffling abuse reports to different IP addresses and hosting criminals en masse, and often compared to RBN in maliciousness. "The American RBN", if you like.
1. I realize this is a problematic issue, but when it is clear a network is so evil (as the story suggests they are), why are we still peering with them? Who currently provides them with transit? Are they aware of this news story?
If Lycos' "make spam not war" and Blue Security's Blue Frog were run out of hosting continually, this has been done before to some extent. This network is not in Russia or China, but in Silicon Valley.
2. On a different note, why is anyone still accepting their route announcements? I know some among us re-route RBN traffic to protect users. Do you see this as a valid solution for your networks?
What ASNs belong to Atrivo, anyway?
Does anyone have more details as to the apparent evilness of Atrivo/Intercage, who can verify these reports? As researched as they are, and my personal experience aside, I'd like some more data before coming to conclusions.
Hostexploit released a document [PDF] on this very network, just now, which is helpful: http://hostexploit.com/index.php?option=com_content&view=article&id=12&Itemid=15
Gadi.
On Fri, Aug 29, 2008 at 19:14, Gadi Evron <ge@linuxbox.org> wrote:
On Fri, 29 Aug 2008, Marc Sachs wrote:
Unless I'm mis-reading this (or perhaps GBLX read Krebs' story and said good-bye to Atrivo/Intercage), it looks like they are no longer their upstream:
http://cidr-report.org/cgi-bin/as-report?as=AS27595&v=4&view=2.0
Current peers:
http://cidr-report.org/cgi-bin/as-report?as=AS19151 (just purchased by Host.net)
http://cidr-report.org/cgi-bin/as-report?as=AS26769
This popped up on my radar only because of AS19151 and the BGP Attack thread mentioning PHAS. Just last night I got phaser@ notifications about 19151 popping in and out of 22653 (a network I reside deep inside of) for about a 12-hour span.

Hmmmm,

-Jim P.
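Two mechanical questions sit under this thread: what it actually means to "put in a blackhole on AS4134" as Howard suggests (a route filter keyed on the AS_PATH, and whether it matches any hop or only the origin), and what a PHAS-style monitor is reacting to when Jim sees AS19151 "popping in and out of 22653" (a change in who originates a prefix or who sits next to a watched AS in the path). The script below is an added example written for this page; it is not code from the thread, from cidr-report or from PHAS, and its PathMonitor is a deliberately small stand-in for PHAS, not that system's logic. All prefixes, paths and timestamps are constructed; only the ASNs (4134, 4837, 4812, 27595, 19151, 22653) come from the messages above.

```python
"""
Added example (not from the NANOG thread, cidr-report or PHAS).
Part 1: AS_PATH-based route rejection, any-hop versus origin-only.
Part 2: a minimal PHAS-style change monitor for one watched AS.
Every prefix, path and timestamp below is constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A hop is either a plain ASN or an AS_SET such as "{4837 4812}" / "{4837,4812}".
_TOKEN = re.compile(r"\{[^}]*\}|\d+")


def parse_as_path(as_path: str) -> list[frozenset[int]]:
    """Split an AS_PATH string into hops, leftmost first; AS_SETs become
    multi-member sets and prepends stay as repeated hops."""
    return [frozenset(int(a) for a in re.findall(r"\d+", tok))
            for tok in _TOKEN.findall(as_path)]


def path_hits(as_path: str, blocked: set[int], origin_only: bool = False) -> bool:
    """True if the route should be dropped.  origin_only=False is the
    Cisco regex "_4134_" (any hop) and also discards every prefix that
    merely transits the blocked AS; origin_only=True is "_4134$" and
    drops only what the blocked AS originates itself."""
    hops = parse_as_path(as_path)
    if not hops:
        return False
    return any(hop & blocked for hop in (hops[-1:] if origin_only else hops))


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: str


def apply_blackhole(routes: list[Route], blocked: set[int],
                    origin_only: bool = False) -> tuple[list[Route], list[Route]]:
    """Return (accepted, rejected) after applying the filter to a table."""
    accepted: list[Route] = []
    rejected: list[Route] = []
    for r in routes:
        (rejected if path_hits(r.as_path, blocked, origin_only) else accepted).append(r)
    return accepted, rejected


@dataclass
class PathMonitor:
    """Per prefix, remember the origin ASNs seen so far and, from the last
    path, which ASNs sat next to the watched AS; report changes as alerts."""
    watched_as: int
    origins: dict[str, set[int]] = field(default_factory=dict)
    adjacent: dict[str, set[int]] = field(default_factory=dict)

    def observe(self, ts: str, prefix: str, as_path: str) -> list[str]:
        alerts: list[str] = []
        hops = parse_as_path(as_path)
        if not hops:
            return alerts
        origin = hops[-1]
        seen = self.origins.setdefault(prefix, set())
        if seen and not origin <= seen:  # a never-before-seen origin ASN
            alerts.append(f"{ts} {prefix}: origin now {sorted(origin)}, previously {sorted(seen)}")
        seen |= origin
        adj: set[int] = set()  # ASNs adjacent to the watched AS in this path
        for i, hop in enumerate(hops):
            if self.watched_as in hop:
                for j in (i - 1, i + 1):
                    if 0 <= j < len(hops):
                        adj |= hops[j] - {self.watched_as}
        prev = self.adjacent.get(prefix)
        if prev is not None:
            for asn in sorted(adj - prev):
                alerts.append(f"{ts} {prefix}: AS{asn} now adjacent to AS{self.watched_as}")
            for asn in sorted(prev - adj):
                alerts.append(f"{ts} {prefix}: AS{asn} no longer adjacent to AS{self.watched_as}")
        self.adjacent[prefix] = adj
        return alerts


# Constructed inputs: documentation prefixes, not real announcements.
BLOCKED = {4134, 4837, 4812}
SAMPLE_ROUTES = [
    Route("198.51.100.0/24", "7018 4134 4134 4134 4808"),  # transits AS4134
    Route("203.0.113.0/24", "3356 4134"),                  # originated by AS4134
    Route("192.0.2.0/24", "3356 2914 27595"),              # unrelated to the list
    Route("203.0.113.128/25", "174 {4837 4812}"),          # aggregate, AS_SET origin
]
SAMPLE_UPDATES = [  # (timestamp, prefix, AS_PATH) as a monitoring feed would show them
    ("2008-08-29T01:00Z", "192.0.2.0/24", "3356 2914 22653"),
    ("2008-08-29T03:00Z", "192.0.2.0/24", "3356 19151 22653"),
    ("2008-08-29T09:00Z", "192.0.2.0/24", "3356 2914 22653"),
    ("2008-08-29T13:00Z", "192.0.2.0/24", "174 19151"),
]


def run_monitor(updates, watched_as: int) -> list[list[str]]:
    """Feed the updates through one PathMonitor; one alert list per update."""
    mon = PathMonitor(watched_as)
    return [mon.observe(ts, prefix, path) for ts, prefix, path in updates]
```

Against the constructed table, any-hop filtering drops three of the four routes (including the one that only transits AS4134), while origin-only filtering drops two; that gap is the collateral damage to measure before blackholing a carrier-sized AS rather than a small hoster like the one in the thread. The monitor produces nothing for the first observation, then one alert each time AS19151 appears next to or leaves the side of AS22653, and an origin alert once AS19151 originates the prefix outright.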
participants (5)
- Gadi Evron
- Howard Leadmon
- Jim Popovitch
- Marc Sachs
- Suresh Ramasubramanian