Feeds

Net pariah Intercage back among the dead

No more Global Crossing

The essential guide to IT transformation

Updated After returning from the dead two days ago, network provider and internet pariah Intercage has once again been knocked offline.

Websites served by Intercage started to become inaccessible on Wednesday afternoon after backbone provider Global Crossing began filtering internet protocol addresses assigned to the California-based company. The move, which largely negated the decision by transit provider UnitedLayer to offer upstream service to Intercage, blocked most of the net provider's traffic. Because of peering agreements in place, about 25 percent of the websites it hosted were still accessible, said Aaron Hughes, UnitedLayer's head of operations.

"It has come to our attention that United Layer is now routing traffic for Intercage (AS 27595) over the Global Crossing network," Andrew Ramsey, Global Crossing's manager of information security operations, wrote in an email sent to UnitedLayer on Wednesday morning. "Intercage was removed from our network for violating our acceptable use policy, and is not welcome to return under any circumstance."

UnitedLayer initially declined Ramsey's request to stop routing Inetercage's net traffic over Global Crossing's network. But by Thursday afternoon, after receiving 28 confirmed violations of its acceptible usage policy, UnitedLayer stopped anouncing any routes from Intercage, a move that completely severed its connection to the outside world.

"To the extent that things were quote unquote infected, from our perspective they were trying legitimately it seemed to reform," UnitedLayer COO Richard Donaldson told The Register. "I think there was just too much to do. In light of that, it was safer to keep them off."

Hughes said Intercage employees in many instances responded to the complaints by promptly removing the abusive sites, but that over time, after forwarding complaints, "we continued to get confirmation that there were [abusive] hosts still up."

Intercage and Global Crossing representatives didn't respond to requests for comment at time of writing.

Over the past month, Intercage has been struggling for survival following reports that it hosts a large concentration of sites engaged in phishing, spam, and malware. After being dumped by a succession of transit providers and briefly going dark, UnitedLayer emerged as Intercage's white knight, agreeing to provide it service as long as it abides by UnitedLayer's acceptable use policy.

For years, security professionals have widely criticized Intercage for carrying a large amount of abusive traffic over its network. Earlier this month, they ratcheted up the pressure on upstream providers of Intercage after researchers said a random sampling of 2,600 Intercage addresses revealed 7,340 malicious web links, 910 infected websites, 310 malicious binaries, and 113 botnet command and control servers.

After growing increasingly isolated, Emil Kacperski earlier this week said he was severing all ties with Esthost, which he said was responsible for 25 percent to 50 percent of Intercage's revenue. He also pledged to overhaul his abuse reporting system so employees could more quickly disconnect customers engaging in malicious activity. Security professionals have remained skeptical, as the Global Crossing move would suggest.

But it's questionable exactly how effective this method of ostracization is. Within hours of being dumped by Intercage, Esthost, and its sister company, Estdomains, were back online through a patchwork of different hosts that have changed over time. At time of writing, Esthost appeared to be sitting in Cernel.net IP space, based on trace route results and border gateway protocol table information.

What's more, a trace route of Estdomains shows the registrar is now using the services of Petersberg Transit Telecom and ReTN net. That's right, Global Crossing, and a variety of other big name providers, are accepting Estdomains and Esthost IP allocation prefixes.

We contacted Global Crossing a second time but have yet to receive a response.

This endless game of Whackamole is one of the many reasons we've opined that the current take-down process is highly imperfect.

We're not the only ones to say so.

"Esthost is traversing Global Crossing's network as we speak and everybody else's, for that matter," Donaldson said. "All you've done is force Esthost go more underground and become less visible, less, containable and less capable of even being approached by law enforcement. So the community can certainly cheer that they've in essence targeted this company, but the root of the problem has not been fixed." ®

(This story was updated to correct the identity of the company providing IP space to Esthost. It is Cernel.net, not GoDaddy, as incorrectly reported previously. The update also includes additional details about UnitedLayer suspending service to Intercage.)

Next gen security for virtualised datacentres

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
Think crypto hides you from spooks on Facebook? THINK AGAIN
Traffic fingerprints reveal all, say boffins
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.