InterCage, Inc. (NOT Atrivo)

Christopher Morrow morrowc.lists at gmail.com
Fri Sep 12 16:05:35 CDT 2008


On 9/12/08, Steve Gibbard <scg at gibbard.org> wrote:

>  It's probably correct that any individual player in this industry not under
> other regulatory restrictions can refuse to do business with somebody they
> don't like, sometimes.  For the industry as a whole to make a group decision
> to not do business with somebody who may be a competitor seems more legally
> risky.  Engaging in that sort of thing without getting some good legal
> advice first would certainly make me nervous.

the perception of collusion is interesting, I don't necessarily think
it's happening here, but ianal (as patrick would say). What is
happening here is that instead of a bunch of random 'hey something
weird is going on with that host over yonder' or 'wow that network has
a lot of bad stuff on it today' someone succinctly put down in an open
and public place the list of things that is going on and references to
how bad it may actually be. So, instead of (for one example)
GBLX-abuse getting onsey/twosy 'crazy guy' tickets/emails they have a
chance to now correlate their internal info against [email protected] and other
things and take some action.

I don't know that that's the case with GBLX in this case, but I know
at previous places of employment having lots of odd ranty emails never
really helped. Having succinct collections of info about a problem
would make it simpler to address with management/bean-counters/lawyers
and propose reasonable action(s) against the offenders.

>
>  Since this appears to be somebody who is contracting with lots of US

well, at least 2, only one 'large'... other smaller folks may have been:
1) too busy fighting their own fires to worry about someone paying
on time and (possibly) addressing [email protected] issues in a 'timely' fashion.
(from the [email protected] queue it's not necessarily easy to tell that badip1
shifted to newip2 when you sent the complaint to the downstream,
especially if you are already overwhelmed with other fires)

2) too interested in the bills getting paid

3) unaware for a variety of reasons who their new customer really is/was

> now; think later," phase.  Should what they're doing be a law enforcement
> issue, rather than a "they've got cooties" issue?

with this particular network I've wondered this same thing for 4+
years. They were most obviously doing very bad things for a long
period of time, at no time was there a reasonable LEA action taken
that was evident from the outside. It's possible that with the forest
of issues LEA is dealing with on the Intertubes they just aren't
putting 1+1+2 together often enough and realizing there is a fairly
clear pattern of criminal activity emanating from the same general
place.

For instance, I've corrected many folks on many occasions who've said:
"Oh that badness is coming from the Ukraine... see the whois' info
here:"

organisation:   ORG-UL25-RIPE
org-name:       UkrTeleGroup Ltd.
org-type:       LIR
address:        UkrTeleGroup Ltd.
                Mechnikova 58/5
                65029 Odessa
                Ukraine

Really? why does it traceroute to SFO then and die there on a host??
Why is it routed to a leaf AS in the US with a presence only in a
single facility (200 Paul)?? I know of only a few folks who've put all
of the pieces together in a reasonable package, and I don't think they
can hand it all over (especially since it's not much good 2-3 weeks
after the package is gathered due to the shifting sands of tubage) to
LEA without it falling into the 'agent of LEA' part of evidence
gathering :(

Plus, LEA has to put priority on this sort of thing, and with so much
going on I get the feeling focus is hard to accomplish...

(I'd love to be proven wrong of course..)

-Chris
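
The whois-versus-traceroute comparison described in the message above, as an added example that is not part of the original post. The traceroute lines, router hostnames and the `SITE_COUNTRY` table are constructed for illustration, and treating the last `address:` line as the registered country is an assumption.

```python
import re

# The RIPE organisation object quoted in the message above.
WHOIS_ORG = """\
organisation:   ORG-UL25-RIPE
org-name:       UkrTeleGroup Ltd.
org-type:       LIR
address:        UkrTeleGroup Ltd.
                Mechnikova 58/5
                65029 Odessa
                Ukraine
"""
# Constructed traceroute tail: RFC 5737 documentation addresses and
# hypothetical router names; "sfo" stands in for the SFO hint in the message.
TRACEROUTE = """\
 7  ae-1.cr1.ord1.example.net (192.0.2.1)  22.1 ms
 8  xe-0-0.cr2.sfo1.example.net (192.0.2.9)  70.4 ms
 9  ge-1-1.edge3.sfo2.example.net (198.51.100.5)  71.0 ms
10  * * *
"""
# Assumed lookup table of airport-style site codes found in router names.
SITE_COUNTRY = {"sfo": "United States", "ord": "United States", "kbp": "Ukraine"}

def parse_rpsl(text):
    """Parse one RPSL object; indented lines continue the previous attribute."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and key:
            attrs[key].append(line.strip())
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            attrs.setdefault(key, []).append(value.strip())
    return attrs

def last_hop_country(trace):
    """Country implied by the site code in the last responding hop's name."""
    hops = re.findall(r"^\s*\d+\s+([\w.-]+)\s+\(", trace, re.M)
    for label in (hops[-1].split(".") if hops else []):
        m = re.fullmatch(r"([a-z]{3})\d*", label)
        if m and m.group(1) in SITE_COUNTRY:
            return SITE_COUNTRY[m.group(1)]
    return None  # no usable hint; do not guess

def compare(whois_text, trace):
    registered = parse_rpsl(whois_text)["address"][-1]  # assumption: country is last
    observed = last_hop_country(trace)
    return {"registered": registered, "observed": observed,
            "mismatch": observed is not None and observed != registered}
```
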



