[161968] in North American Network Operators' Group


Re: BGP hijack of Spamhaus?

daemon@ATHENA.MIT.EDU (Job Snijders)
Fri Mar 29 14:15:06 2013

From: Job Snijders <job.snijders@atrato.com>
In-Reply-To: <20130329180535.GA6737@vectra.student.iastate.edu>
Date: Fri, 29 Mar 2013 19:14:52 +0100
To: Nicolai <nicolai-nanog@chocolatine.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Hi Nicolai,

It really happened, here are my notes.

	http://instituut.net/~job/cb3rob-spamhaus-hijack-21-mar-2013.txt

Renesys also confirmed seeing the /32 from that direction, but they could
not share the data because of an NDA.

Because it was a /32, it was a hyperlocal event. If you can read Dutch and
read the comments on the greenhost.nl blog, you'll see that Kamphuis is
not denying, but rather elaborates on what he did:

	"wijst er ook maar even op dat onze uiteraard in-house developed
	dns code die we voor dit project ingezet hebben ook keurig op
	stdout liet zien WAT er door WIE werd opgevraagd..."

Roughly translates to:

	"Let me emphasize that our in-house developed dns code, which was
	used for this project very nicely logged to stdout WHO was requesting
	WHAT"

Kind regards,

Job

On Mar 29, 2013, at 7:05 PM, Nicolai <nicolai-nanog@chocolatine.org> wrote:

> Hi all,
>
> Regarding the Spamhaus DDoS attack, there's a Cisco article [0]
> detailing its chronology, which cites greenhost.nl [1] claiming a BGP
> hijack by AS34109 (CB3ROB).  Here, a /32 was announced (and accepted...)
> for 0.ns.spamhaus.org, and the fraudulent server returned 127.0.0.2 for
> *all* DNSBL queries, with the intent to undermine confidence in
> Spamhaus.
>
> Are there any confirmations of this claim?  This needs to be
> investigated and proven/disproven.
>
> Nicolai
>
> 0. http://blogs.cisco.com/security/chronology-of-a-ddos-spamhaus/
> 1. https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/
>

-- 
AS5580 - Atrato IP Networks
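Added illustration, not part of this thread or of any Spamhaus software: a DNSBL client check in Python that would flag the behaviour Nicolai describes (a server answering 127.0.0.2 for every query). RFC 5782 section 5 requires a DNSBL to list the test address 127.0.0.2 and to never list 127.0.0.1, so a server that says "listed" to everything fails the second probe and its verdicts can be discarded rather than rejecting all mail. The zone name, the listed addresses and the two resolver stubs are constructed for the example.

```python
import ipaddress
from typing import Callable, Optional

# Constructed resolver type: maps a query name to its A-record answer, or
# None for NXDOMAIN. Real code would wrap a DNS library here.
Lookup = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the reversed-octet query name used by IPv4 DNSBLs."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_healthy(lookup: Lookup, zone: str) -> bool:
    """RFC 5782 sec. 5 test records: 127.0.0.2 MUST be listed and 127.0.0.1
    MUST NOT be. A zone failing either probe is not answering honestly."""
    listed_probe = lookup(dnsbl_name("127.0.0.2", zone))
    clean_probe = lookup(dnsbl_name("127.0.0.1", zone))
    return listed_probe is not None and clean_probe is None


def dnsbl_verdict(lookup: Lookup, zone: str, client_ip: str) -> str:
    """Return 'listed', 'clean' or 'unknown'. Fails open to 'unknown' when
    the health check fails, so a poisoned list cannot block all senders."""
    if not dnsbl_healthy(lookup, zone):
        return "unknown"
    answer = lookup(dnsbl_name(client_ip, zone))
    return "listed" if answer is not None else "clean"


# Constructed stand-ins for the two behaviours discussed in the thread.
ZONE = "dnsbl.example"  # placeholder zone, not a real DNSBL
_listings = {
    "2.0.0.127.dnsbl.example": "127.0.0.2",   # mandatory test entry
    "4.100.51.198.dnsbl.example": "127.0.0.2",  # a genuinely listed host
}


def honest_resolver(name: str) -> Optional[str]:
    """Well-behaved DNSBL: answers only for names it actually lists."""
    return _listings.get(name)


def rogue_resolver(name: str) -> Optional[str]:
    """Hijacked nameserver: answers 127.0.0.2 for every query."""
    return "127.0.0.2"
```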