Dataplane_Jan_18_Webinar Operations, Signal Data, and Insights

with John Kristoff from

Wednesday, January 18
Noon ET
Presentation Slides

Description, founded in 2016 and recently incorporated as a U.S.501(c)(3) non-profit, has constructed one of the world's most unique and diverse distributed Internet activity sensor networks. 

They developed a set of custom network listeners starting with SSH to monitor and measure unsolicited Internet communications. The network spans six continents and more than sixty countries, utilizes approximately 100 different commercial hosting providers, has IPv4 address assignments in over 100/ 8’s, has no volunteers, and has no donated systems. How did we do it, how does it work, and what can you do with it? This talk will describe how the network is built, the costs involved, how systems are managed, and how insight is derived. pays particular attention to how "signal" data can or cannot be used in a threat intelligence system such as REN-ISAC's SES. They also demonstrate some of the analytical insights we've been able to perform from the longitudinal data. We also summarize related work underway and their future plans and seek feedback from the R&E community on how they are doing and what they should consider changing or doing next. 

Speaker: John Kristoff,, Founder

John is a founder and operator of the non-profit He has been involved in the R&E network and security community for over 20 years. He is a current REN-ISAC member and a one-time REN-ISAC TAG committee member, including a stint as chair. He is a Ph.D. candidate in Computer Science at the University of Illinois Chicago, studying under the tutelage of Chris Kanich. John is also adjunct faculty in the College of Computing and Digital Media at DePaul University. He currently serves as a research fellow at ICANN and sits on the NANOG program committee, John is also a principal analyst at NETSCOUT on the ATLAS Security Engineering and Response Team (ASERT). 

Access Techburst

The Techbust Zoom link will be posted here 15 minutes prior to the start of the presentation. This session is open to the public, as well as designated representatives of REN-ISAC member institutions. Information is classified TLP:WHITE (REN-ISAC:PUBLIC).

Can’t make the Techburst? This session will be recorded and made available on this page in the week following the presentation. Check back here for the recording.