YAY! Re: Atrivo/Intercage: NO Upstream depeer

Russell Mitchell russm2k8 at yahoo.com
Wed Sep 24 00:29:08 CDT 2008

Hello Joe,

If we can't power down the machine, due to evidence loss. We can't nullroute the IP, as stated, some malware will delete itself or alter itself when Net Access is lost.
Now we can filter a single port, in the case of spam, phishing, etc?

I'll look further into the JunOS. I'm not too familiar with the rules on the Juniper, so I'll take a look further, and see how to achieve this on a single IP rather then the network.

Thank you for your time. Have a great day.
Russell Mitchell

InterCage, Inc.

----- Original Message ----
From: Joe Greco <jgreco at ns.sol.net>
To: Russell Mitchell <russm2k8 at yahoo.com>
Cc: nanog at nanog.org
Sent: Tuesday, September 23, 2008 8:20:18 PM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

> Hello All,=0A=A0=0AIt seems you all missed the memo.=0AAs of about 11PM PST=
>  Last night 09/22/08, Esthost has been ENTIRELY Shutdown. They no longer ha=
> ve ANY Machine on my network.=0A=A0=0AI'm currently starting to monitor som=
> e of the public media, such as google, DroneBL, as well as several Anti-Mal=
> ware community websites for abuse.=0A=A0=0ABeing that Esthost is now entire=
> ly GONE, we should not have any further issues.=0AIn the case that somethin=
> g=A0does arise, such as an exploited host, we're currently developing a gam=
> e plan for=A0response to=A0the issues.=0ATo make the best effort towards co=
> mbatting=A0abuse on our network, here's what I have planned so far for ANY =
> Type of abuse:=0AStep 1,=A0Suspend Power to the affected machine.=0AStep 2,=
>  Call/Email the client whom the affected machine is leased to.=0AStep 3, Al=
> low the client=A0the option to=A0investigate the machine further (Nullroute=
>  access via KVM)=0AStep=A04, Verify the=A0reported content, domain, user, o=
> r exploit=A0is patched/eliminated from the machine.=0AStep 5,=A0Remove the =
> Nullroute. Allow the machine to return to the network.=0A=A0=0AAny comments=
> ? =0A=A0=0AThis is=A0the result of a zero tolerance policy regarding abuse.=
>  If it's clear that the server owner is the cause of the abusive material e=
> tc, the client will then be immediately cancelled. No questions.=A0=0A=0A=
> =0AIt seems that this approach will be the best supported by the anti-abuse=
>  communities, so please let me know your input.=0A=0AThank you for your tim=
> e. Have a great day.=0A=A0---=0ARussell Mitchell=0A=0AInterCage, Inc.=0A=0A=
> =0A=0A----- Original Message ----=0AFrom: Paul Wall <pauldotwall at gmail.com>=
> =0ATo: Mark Foo <mark..foo.dog at gmail.com>=0ACc: nanog at nanog.org=0ASent: Tues=
> day, September 23, 2008 5:46:58 PM=0ASubject: Re: YAY! Re: Atrivo/Intercage=
> : NO Upstream depeer=0A=0AHold the rejoicing, Atrivo is back, this time on =
> UnitedLayer.=0A=0AI'd contact them, only they seem to change CTOs every mon=
> th or two,=0Adoes anybody know who's currently in charge?=0A=0AThank you, a=
> nd Drive Slow,=0APaul Wall=0A=0A=0A      

Speaking of missing memos...  mailing lists are not highly compatible 
with HTML or some clients that like to encode list mail.  The above is 
what your mail looked like to some people.

I would suggest a different Step 1.  Instead of killing power, simply
isolate the affected machine.  This might be as simple as putting up a
firewall rule or two, if it is simply sending outgoing SMTP spam, or
for more complex issues, downing the port facing the machine in question.
Killing the power may destroy useful forensic clues about what happened 
to the system, and may damage the system.

... JG
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.


More information about the NANOG mailing list