Internet access for security consultants - pen tests, attack traffic, bulk e-mail, etc.

james machado hvgeekwtrvl at gmail.com
Mon Sep 11 23:00:10 UTC 2017


On Mon, Sep 11, 2017 at 3:40 PM, Sean Pedersen <spedersen.lists at gmail.com>
wrote:

> We were recently approached by a company that does security consulting. Some
> of the functions they perform include discovery scans, penetration testing,
> bulk e-mail generation (phishing, malware, etc.), hosting fake botnets -
> basically, they'd be generating a lot of bad network traffic. Targeted at
> specific clients/customers, but still bad. As an ISP, this is new territory
> for us and there are some concerns about potential impact, abuse reports,
> reputation, authorization to perform such tests, etc.
>
>
>
> Does anyone have experience in this area that would be willing to offer
> advice?
>
>
From a customer point of view:

We have written agreements with our vendors on who they can and cannot
send this traffic from, where exactly it is coming from and what type of
traffic it will be.  One reason our vendor does this is to not get on black
hole/spam lists or to cause their ISP issues, as well as having proof that
they are allowed to send specific traffic to specific addresses for a
specific time period.  The test managers then know what to expect and to
head off abuse notifications after detection of the specific traffic.  We
also use this traffic to test other vendors we might have and only after
detection we will have white lists or black lists put in place as warranted.

I would expect the company in question to be able to provide documentation
that could track any specific traffic back to an engagement that has the
approval of their customer.  If they have been around for a bit they should
have a track record and may have current IP space that could be vetted to
see what condition it is in.  Are they leaving it or adding to it?  If
they are leaving their current space then find out why.

James
