NANOG 44 (Los Angeles): ISP Security BOF

Warren Kumari warren at
Fri Oct 3 18:37:33 UTC 2008

On Oct 3, 2008, at 10:56 AM, Christopher Morrow wrote:

> I would love (though I'll miss it in person) to see a discussion,
> structured, of why the Intercage/Atrivo situation got to where it was.

While I realize that this is not quite what you asked for, Esthost has  
requested some time on the agenda to be able to tell their side of the  
story... After some deliberations we have decided to give them 10  
minutes for a presentation and 10 minutes for questions and answers[0].

We would also welcome any talks presenting the other viewpoint, but  
ask that they be kept civil and factual (as we have requested from  

[0]: We have not listed this talk yet as we are waiting for a title  
and abstract....

> I believe that in many (this one in particular) cases the upstream
> networks do not:
> 1) get
> 2) have
> relevant information in a useful format about abuse/use of their
> downstream networks. When I was at AS701 there were consistently folks
> who'd say this or that customer is obviously bad, why hadn't we
> disconnected them? When looking through abuse tickets for issues we
> could bring to management as ammo for disconnection often a majority
> of complaints related to the customer in question were not complete,
> didn't have enough information, didn't have ANY information in them.
> How can we, as a community get better at providing complete and useful
> information (ip, timestamp+timezone, act-that-caused-ire)
> How can we, as a community, get better at tying together the bits and
> pieces that are one issue? (atrivo/intercage/ukrtelecom/hostfresh)
> As an interesting aside, there were many occasions of the last 4 years
> where some horrible virus/trojan/malware thing got rolling on the
> internets, tracking it back was fairly simple (for the C&C or
> distribution site) to AS27595... often folks reporting the issue would
> say things like:
> "Oh, that's ukrtelecom, they are in the Ukraine, too bad we can't get
> hands on the server/router/code/subpoena them..."
> "Oh, that's something living in hostfresh, in ASPAC, gosh it'd be nice
> if the FBI/HTC-group could get there and give the provider some
> trouble..."
> oddly in many/all of these cases the IP space might have tracked back
> to somewhere not ARIN related, but an actual traceroute ended inside
> AS27595. So, tying together these incidents with more complete
> information would have potentially given the upstreams, or even 27595
> if they are to be believed as being in the right and just framed by
> their bad customers (not my belief, but...), more actionable
> intelligence about their customer(s) and the ability to make an
> informed decision (at a management/legal level).
> -Chris
> (thanks)
> This is a set of topics I'd love to see handled in the SP Security  
> BOF.
> On Mon, Sep 29, 2008 at 11:12 AM, Warren Kumari <warren at>  
> wrote:
>> Hi all,
>> NANOG 44 is fast approaching and once again we are looking for  
>> topics for
>> the ISP Security BOF.
>> If you have any security related topics that you would like to hear  
>> about,
>> not hear about, or (best of all) speak about, please let me know as  
>> soon as
>> possible...
>> This is your chance to air your views --- slides are welcome but not
>> required.
>> Danny McPherson and I are going to be moderating this year...
>> W

More information about the NANOG mailing list