Feeds

Net pariah Intercage back among the dead

No more Global Crossing

SANS - Survey on application security programs

Updated After returning from the dead two days ago, network provider and internet pariah Intercage has once again been knocked offline.

Websites served by Intercage started to become inaccessible on Wednesday afternoon after backbone provider Global Crossing began filtering internet protocol addresses assigned to the California-based company. The move, which largely negated the decision by transit provider UnitedLayer to offer upstream service to Intercage, blocked most of the net provider's traffic. Because of peering agreements in place, about 25 percent of the websites it hosted were still accessible, said Aaron Hughes, UnitedLayer's head of operations.

"It has come to our attention that United Layer is now routing traffic for Intercage (AS 27595) over the Global Crossing network," Andrew Ramsey, Global Crossing's manager of information security operations, wrote in an email sent to UnitedLayer on Wednesday morning. "Intercage was removed from our network for violating our acceptable use policy, and is not welcome to return under any circumstance."

UnitedLayer initially declined Ramsey's request to stop routing Inetercage's net traffic over Global Crossing's network. But by Thursday afternoon, after receiving 28 confirmed violations of its acceptible usage policy, UnitedLayer stopped anouncing any routes from Intercage, a move that completely severed its connection to the outside world.

"To the extent that things were quote unquote infected, from our perspective they were trying legitimately it seemed to reform," UnitedLayer COO Richard Donaldson told The Register. "I think there was just too much to do. In light of that, it was safer to keep them off."

Hughes said Intercage employees in many instances responded to the complaints by promptly removing the abusive sites, but that over time, after forwarding complaints, "we continued to get confirmation that there were [abusive] hosts still up."

Intercage and Global Crossing representatives didn't respond to requests for comment at time of writing.

Over the past month, Intercage has been struggling for survival following reports that it hosts a large concentration of sites engaged in phishing, spam, and malware. After being dumped by a succession of transit providers and briefly going dark, UnitedLayer emerged as Intercage's white knight, agreeing to provide it service as long as it abides by UnitedLayer's acceptable use policy.

For years, security professionals have widely criticized Intercage for carrying a large amount of abusive traffic over its network. Earlier this month, they ratcheted up the pressure on upstream providers of Intercage after researchers said a random sampling of 2,600 Intercage addresses revealed 7,340 malicious web links, 910 infected websites, 310 malicious binaries, and 113 botnet command and control servers.

After growing increasingly isolated, Emil Kacperski earlier this week said he was severing all ties with Esthost, which he said was responsible for 25 percent to 50 percent of Intercage's revenue. He also pledged to overhaul his abuse reporting system so employees could more quickly disconnect customers engaging in malicious activity. Security professionals have remained skeptical, as the Global Crossing move would suggest.

But it's questionable exactly how effective this method of ostracization is. Within hours of being dumped by Intercage, Esthost, and its sister company, Estdomains, were back online through a patchwork of different hosts that have changed over time. At time of writing, Esthost appeared to be sitting in Cernel.net IP space, based on trace route results and border gateway protocol table information.

What's more, a trace route of Estdomains shows the registrar is now using the services of Petersberg Transit Telecom and ReTN net. That's right, Global Crossing, and a variety of other big name providers, are accepting Estdomains and Esthost IP allocation prefixes.

We contacted Global Crossing a second time but have yet to receive a response.

This endless game of Whackamole is one of the many reasons we've opined that the current take-down process is highly imperfect.

We're not the only ones to say so.

"Esthost is traversing Global Crossing's network as we speak and everybody else's, for that matter," Donaldson said. "All you've done is force Esthost go more underground and become less visible, less, containable and less capable of even being approached by law enforcement. So the community can certainly cheer that they've in essence targeted this company, but the root of the problem has not been fixed." ®

(This story was updated to correct the identity of the company providing IP space to Esthost. It is Cernel.net, not GoDaddy, as incorrectly reported previously. The update also includes additional details about UnitedLayer suspending service to Intercage.)

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.