Net pariah Intercage back among the dead
No more Global Crossing
Updated After returning from the dead two days ago, network provider and internet pariah Intercage has once again been knocked offline.
Websites served by Intercage started to become inaccessible on Wednesday afternoon after backbone provider Global Crossing began filtering internet protocol addresses assigned to the California-based company. The move, which largely negated the decision by transit provider UnitedLayer to offer upstream service to Intercage, blocked most of the net provider's traffic. Because of peering agreements in place, about 25 percent of the websites it hosted were still accessible, said Aaron Hughes, UnitedLayer's head of operations.
"It has come to our attention that United Layer is now routing traffic for Intercage (AS 27595) over the Global Crossing network," Andrew Ramsey, Global Crossing's manager of information security operations, wrote in an email sent to UnitedLayer on Wednesday morning. "Intercage was removed from our network for violating our acceptable use policy, and is not welcome to return under any circumstance."
UnitedLayer initially declined Ramsey's request to stop routing Inetercage's net traffic over Global Crossing's network. But by Thursday afternoon, after receiving 28 confirmed violations of its acceptible usage policy, UnitedLayer stopped anouncing any routes from Intercage, a move that completely severed its connection to the outside world.
"To the extent that things were quote unquote infected, from our perspective they were trying legitimately it seemed to reform," UnitedLayer COO Richard Donaldson told The Register. "I think there was just too much to do. In light of that, it was safer to keep them off."
Hughes said Intercage employees in many instances responded to the complaints by promptly removing the abusive sites, but that over time, after forwarding complaints, "we continued to get confirmation that there were [abusive] hosts still up."
Intercage and Global Crossing representatives didn't respond to requests for comment at time of writing.
Over the past month, Intercage has been struggling for survival following reports that it hosts a large concentration of sites engaged in phishing, spam, and malware. After being dumped by a succession of transit providers and briefly going dark, UnitedLayer emerged as Intercage's white knight, agreeing to provide it service as long as it abides by UnitedLayer's acceptable use policy.
For years, security professionals have widely criticized Intercage for carrying a large amount of abusive traffic over its network. Earlier this month, they ratcheted up the pressure on upstream providers of Intercage after researchers said a random sampling of 2,600 Intercage addresses revealed 7,340 malicious web links, 910 infected websites, 310 malicious binaries, and 113 botnet command and control servers.
After growing increasingly isolated, Emil Kacperski earlier this week said he was severing all ties with Esthost, which he said was responsible for 25 percent to 50 percent of Intercage's revenue. He also pledged to overhaul his abuse reporting system so employees could more quickly disconnect customers engaging in malicious activity. Security professionals have remained skeptical, as the Global Crossing move would suggest.
But it's questionable exactly how effective this method of ostracization is. Within hours of being dumped by Intercage, Esthost, and its sister company, Estdomains, were back online through a patchwork of different hosts that have changed over time. At time of writing, Esthost appeared to be sitting in Cernel.net IP space, based on trace route results and border gateway protocol table information.
What's more, a trace route of Estdomains shows the registrar is now using the services of Petersberg Transit Telecom and ReTN net. That's right, Global Crossing, and a variety of other big name providers, are accepting Estdomains and Esthost IP allocation prefixes.
We contacted Global Crossing a second time but have yet to receive a response.
This endless game of Whackamole is one of the many reasons we've opined that the current take-down process is highly imperfect.
We're not the only ones to say so.
"Esthost is traversing Global Crossing's network as we speak and everybody else's, for that matter," Donaldson said. "All you've done is force Esthost go more underground and become less visible, less, containable and less capable of even being approached by law enforcement. So the community can certainly cheer that they've in essence targeted this company, but the root of the problem has not been fixed." ®
(This story was updated to correct the identity of the company providing IP space to Esthost. It is Cernel.net, not GoDaddy, as incorrectly reported previously. The update also includes additional details about UnitedLayer suspending service to Intercage.)