Scammer-Heavy U.S. ISP Grows More Isolated
Last week, Security Fix published an analysis of Atrivo, a California-based Internet service provider, also known as Intercage, that has proven to be a virtual magnet for cyber-criminal operations. Since that time, Atrivo's biggest network backbone provider decided it could no longer support the company, and stopped offering it direct connectivity.
I first got wind of this change while reading a post on the NANOG mailing list, which caters to professionals employed by ISPs and various network providers. Marcus Sachs, director of the SANS Internet Storm Center, had said it looked like Global Crossing had stopped handling long-haul Internet traffic for Atrivo/Intercage within hours after our story was published. I followed up with Marc, but he was unable to produce any conclusive data showing the change.
Fast forward to today, and with the help of Jose Nazario at Arbor Networks, I was able to pull together a view of what happened. Global Crossing has in fact "de-peered" from Atrivo/Intercage, so it is no longer providing direct Internet connectivity.
I've put together a short QuickTime movie that shows this de-peering in action, starting on Aug 27, the day our story on Atrivo/Intercage first ran. If you right-click on the movie and save it to your hard drive before viewing it, you can actually see the route announcements for each new graphic spelled out at the top of the frame.
To better understand the animation, Atrivo/Intercage is represented by the number 27595 in the center of the graphic, with red semi-circles on the top and bottom. Global Crossing is represented by the number 3549, which you'll find directly below 27595. As the video progresses, you can see all of the routes that directly connect Atrivo and Global Crossing being peeled away like layers of an onion and reconnected to other providers.
Global Crossing did not respond to a request for comment.
Now, Atrivo/Intercage stands directly connected to the larger Internet by just two main upstream providers: Costa Mesa, Calif.-based Bandcon (represented by the number 26769 at the end of the video), and WVFiber out of Boca Raton, Fla. (WVFiber is the network at the top of the image, number 19151).
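The adjacency shown in the animation can be derived from the AS paths in route announcements: the AS immediately before the origin is its direct upstream. The following is an added example, not from the original article or from Arbor Networks; the announcements, dates and the documentation-range AS numbers 64496 and 64497 are constructed, while 27595, 3549, 19151 and 26769 are the AS numbers named above.

```python
TARGET_AS = 27595  # Atrivo/Intercage, as numbered in the article

# Constructed sample: (date, AS path seen by a hypothetical route collector).
# 64496 and 64497 are documentation-range ASNs standing in for collector peers.
ANNOUNCEMENTS = [
    ("2008-08-27", "64496 3549 27595"),
    ("2008-08-27", "64497 19151 27595"),
    ("2008-08-30", "64496 3549 27595"),
    ("2008-08-30", "64497 19151 27595 27595"),  # origin prepends itself
    ("2008-09-04", "64496 26769 27595"),
    ("2008-09-04", "64497 19151 27595"),
    ("2008-09-04", "64497 3549 64496"),         # unrelated origin, ignored
]

def upstream_of(as_path, origin):
    """Return the AS directly before `origin` at the end of the path, or None."""
    tokens = as_path.split()
    if not tokens or not all(t.isdigit() for t in tokens):
        return None  # empty path or AS_SET present: adjacency is ambiguous
    hops = []
    for asn in map(int, tokens):
        if not hops or hops[-1] != asn:  # collapse AS-path prepending
            hops.append(asn)
    if len(hops) >= 2 and hops[-1] == origin:
        return hops[-2]
    return None

def upstreams_by_day(announcements, origin):
    """Map each day to the set of direct upstreams observed for `origin`."""
    days = {}
    for day, path in announcements:
        up = upstream_of(path, origin)
        if up is not None:
            days.setdefault(day, set()).add(up)
    return dict(sorted(days.items()))  # ISO dates sort chronologically

def adjacency_changes(by_day):
    """List (day, upstreams lost, upstreams gained) between consecutive days."""
    changes, prev = [], None
    for day, ups in by_day.items():
        if prev is not None and ups != prev:
            changes.append((day, sorted(prev - ups), sorted(ups - prev)))
        prev = ups
    return changes

if __name__ == "__main__":
    for day, lost, gained in adjacency_changes(
            upstreams_by_day(ANNOUNCEMENTS, TARGET_AS)):
        print(f"{day}: lost {lost}, gained {gained}")
```
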
Update, Sunday, Sept. 7, 8:02 p.m.: I spoke today with Randy Epstein, president of WVFiber and co-founder of Host.net, which acquired WVFiber just six weeks ago. Epstein said after reading reports from Security Fix, Hostexploit.com, Spamhaus.org and others about cyber crime activities at Atrivo, WVFiber has decided to drop Atrivo as a customer. WVFiber plans to stop providing upstream connectivity to Atrivo by Wednesday or Thursday at the latest, Epstein said. That would leave Atrivo with just a single upstream provider -- Bandcon.
Update, Sunday, Sept. 7, 9:15 p.m.: nLayer Communications, a company that owns a significant slice of the Internet addresses used by Atrivo/Intercage, is demanding that Atrivo vacate the space and return the addresses by Sept 30.
"Atrivo/Intercage has not been a direct customer of nLayer Communications since December 2007, but they still have some legacy reallocations from our IP space," wrote nLayer co-founder Richard A. Steenbergen, in an e-mail to Security Fix. "Since they are no longer a customer, we require that they return our non-portable IP space, and have given them a deadline of September 30th to do so. If the IP space is not returned by that point, we will follow standard procedure to reclaim it, including null routing the space, and sending cease and desist letters to any network who still transits it without our permission."
According to Steenbergen, Atrivo/Intercage must return roughly 7,400 IP addresses.
Update, Monday, Sept 8, 12:00 p.m. ET: Todd Braning, vice president of BandCon, just e-mailed me to say that BandCon also has stopped providing connectivity to Atrivo/Intercage. From his e-mail: "Intercage, a new customer, was connected to the BandCon Network for a total of about a week. Once we recognized an issue with Intercage, BandCon took immediate action and terminated services. We are no longer providing services to AS27595. This can be confirmed here."
WVFiber is the only company still providing direct connectivity to Atrivo, and as stated before they plan to pull the plug by Thursday at the latest, so it appears that Atrivo will have to find another network provider or it will very soon cease to be reachable on the Internet.
September 5, 2008; 10:44 AM ET