Dataplane_Jan_18_Webinar Operations, Signal Data, and Insights

with John Kristoff from

Wednesday, January 18
Noon ET
Presentation Slides

Description, founded in 2016 and recently incorporated as a U.S.501(c)(3) non-profit, has constructed one of the world's most unique and diverse distributed Internet activity sensor networks. 

They developed a set of custom network listeners starting with SSH to monitor and measure unsolicited Internet communications. The network spans six continents and more than sixty countries, utilizes approximately 100 different commercial hosting providers, has IPv4 address assignments in over 100/ 8’s, has no volunteers, and has no donated systems. How did we do it, how does it work, and what can you do with it? This talk will describe how the network is built, the costs involved, how systems are managed, and how insight is derived. pays particular attention to how "signal" data can or cannot be used in a threat intelligence system such as REN-ISAC's SES. They also demonstrate some of the analytical insights we've been able to perform from the longitudinal data. We also summarize related work underway and their future plans and seek feedback from the R&E community on how they are doing and what they should consider changing or doing next. 

Speaker: John Kristoff,, Founder

John is a founder and operator of the non-profit He hasbeen involved in the R&E network and security community for over 20years. He is a current REN-ISAC member and a one-time REN-ISAC TAGcommittee member, including a stint as chair. He is a Ph.D. candidate inComputer Science at the University of Illinois Chicago, studying underthe tutelage of Chris Kanich. John is also adjunct faculty in theCollege of Computing and Digital Media at DePaul University. Hecurrently serves as a research fellow at ICANN and sits on the NANOGprogram committee, John is also a principal analyst at NETSCOUT on the ATLAS Security Engineering and Response Team (ASERT). 

Access Techburst

The Techbust Zoom link will be posted here 15 minutes prior to the start of the presentation. This session is open to the public, as well as designated representatives of REN-ISAC member institutions. Information is classified TLP:WHITE (REN-ISAC:PUBLIC).

Can’t make the Techburst? This session will be recorded and made available on this page in the week following the presentation. Check back here for the recording.