[108102] in North American Network Operators' Group


Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

daemon@ATHENA.MIT.EDU (Russell Mitchell)
Wed Sep 24 01:29:30 2008

Date: Tue, 23 Sep 2008 22:29:08 -0700 (PDT)
From: Russell Mitchell <russm2k8@yahoo.com>
To: Joe Greco <jgreco@ns.sol.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

Hello Joe,

If we can't power down the machine, due to evidence loss, we can't nullroute the IP either; as stated, some malware will delete itself or alter itself when Net Access is lost.
Now, can we filter a single port, in the case of spam, phishing, etc.?

I'll look further into the JunOS. I'm not too familiar with the rules on the Juniper, so I'll take a look further, and see how to achieve this on a single IP rather than the network.

Thank you for your time. Have a great day.
 ---
Russell Mitchell

InterCage, Inc.



----- Original Message ----
From: Joe Greco <jgreco@ns.sol.net>
To: Russell Mitchell <russm2k8@yahoo.com>
Cc: nanog@nanog.org
Sent: Tuesday, September 23, 2008 8:20:18 PM
Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer

> Hello All,
>
> It seems you all missed the memo.
> As of about 11PM PST last night, 09/22/08, Esthost has been ENTIRELY shut down. They no longer have ANY machine on my network.
>
> I'm currently starting to monitor some of the public media, such as Google, DroneBL, as well as several anti-malware community websites for abuse.
>
> Being that Esthost is now entirely GONE, we should not have any further issues.
> In the case that something does arise, such as an exploited host, we're currently developing a game plan for response to the issues.
> To make the best effort towards combating abuse on our network, here's what I have planned so far for ANY type of abuse:
> Step 1, Suspend power to the affected machine.
> Step 2, Call/email the client whom the affected machine is leased to.
> Step 3, Allow the client the option to investigate the machine further (nullroute, access via KVM).
> Step 4, Verify the reported content, domain, user, or exploit is patched/eliminated from the machine.
> Step 5, Remove the nullroute. Allow the machine to return to the network.
>
> Any comments?
>
> This is the result of a zero tolerance policy regarding abuse. If it's clear that the server owner is the cause of the abusive material etc., the client will then be immediately cancelled. No questions.
>
>
> It seems that this approach will be the best supported by the anti-abuse communities, so please let me know your input.
>
> Thank you for your time. Have a great day.
>  ---
> Russell Mitchell
>
> InterCage, Inc.
>
>
>
> ----- Original Message ----
> From: Paul Wall <pauldotwall@gmail.com>
> To: Mark Foo <mark.foo.dog@gmail.com>
> Cc: nanog@nanog.org
> Sent: Tuesday, September 23, 2008 5:46:58 PM
> Subject: Re: YAY! Re: Atrivo/Intercage: NO Upstream depeer
>
> Hold the rejoicing, Atrivo is back, this time on UnitedLayer.
>
> I'd contact them, only they seem to change CTOs every month or two;
> does anybody know who's currently in charge?
>
> Thank you, and Drive Slow,
> Paul Wall

Speaking of missing memos...  mailing lists are not highly compatible
with HTML or some clients that like to encode list mail.  The above is
what your mail looked like to some people.

I would suggest a different Step 1.  Instead of killing power, simply
isolate the affected machine.  This might be as simple as putting up a
firewall rule or two, if it is simply sending outgoing SMTP spam, or
for more complex issues, downing the port facing the machine in question.
Killing the power may destroy useful forensic clues about what happened
to the system, and may damage the system.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
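The single-port, single-IP isolation that Russell asks about and Joe recommends over pulling power, written as a JunOS stateless firewall filter. This is an added example, not from anyone in the thread; the host address 192.0.2.10 and the interface ge-0/0/0 are placeholders. Only outbound TCP/25 from that one host is dropped, so the machine stays reachable for the client's KVM investigation and the malware sees no loss of network access; the counter and log preserve a record of what it kept trying to send.

```junos
firewall {
    family inet {
        /* Drop outbound SMTP from one leased host only; all other traffic,
           from this host and from every other host on the port, still passes. */
        filter ISOLATE-SPAM-HOST {
            term block-smtp-from-host {
                from {
                    source-address {
                        /* placeholder: the affected machine */
                        192.0.2.10/32;
                    }
                    protocol tcp;
                    destination-port 25;
                }
                then {
                    /* count and log the blocked attempts; the counter is
                       evidence of ongoing spamming without touching the host */
                    count isolated-host-smtp;
                    log;
                    discard;
                }
            }
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* placeholder: the router port facing the affected machine */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input ISOLATE-SPAM-HOST;
                }
            }
        }
    }
}
```

After commit, `show firewall filter ISOLATE-SPAM-HOST` shows the packet and byte counts hitting the counter, and `show firewall log` shows the logged attempts.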


