[167301] in North American Network Operators' Group
Re: Someone’s Been Siphoning Data Through a
daemon@ATHENA.MIT.EDU (Jared Mauch)
Sat Dec 7 15:04:57 2013
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <20131206195739.GB2811@sources.org>
Date: Sat, 7 Dec 2013 15:05:09 -0500
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: NANOG list <nanog@nanog.org>
On Dec 6, 2013, at 2:57 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> On Fri, Dec 06, 2013 at 01:05:54PM -0500,
> Jared Mauch <jared@puck.nether.net> wrote
> a message of 36 lines which said:
>
>> I've detected 11.6 million of these events since 2008 just looking at the
>> route-views data. Most recently the past two days 701 has done a large MITM of
>> traffic.
>
> The big novelty in the Renesys paper is the proof (with traceroute)
> that there was a return path, something which did not exist in the
> famous Pakistan Telecom case, or in most (all?) other BGP
> hijackings. This return path allows the attacker to really get access
> to the data with little chance of the victim noticing. That's
> something new.
I've been sending the traceroutes to networks for years to get them to clean up their acts. I guess the lesson is publish often?
Folks can see the prefixes involved here:
http://puck.nether.net/bgp/leakinfo.cgi
The ASN search works best. I'll work on optimizing the prefix stuff as it's not returning "promptly".
- Jared
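The two checks discussed in this exchange, as an added example that is not part of the thread and not the code behind the leakinfo.cgi page: first, flagging the kind of events Jared counts in route-views data (a more-specific prefix or a second origin appearing for address space whose legitimate origin AS is known), and second, the traceroute evidence Stephane highlights from the Renesys paper, namely hops that land in the hijacker's address space while the destination still answers, which is what distinguishes a forwarding ("return path") MITM from a blackhole. The RIB lines, the expected-origin table, the traceroute and every AS number and prefix below are constructed for illustration (documentation/private ranges, not real networks); a real run would feed it MRT dumps or a `show ip bgp` dump and an IRR/RPKI-derived origin table.

```python
"""Origin-AS hijack/MOAS detection and hijacker-in-the-path check (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample of (prefix, AS path) as a route-views peer would see them.
# The last element of each path is the origin AS.
SAMPLE_ROUTES = [
    ("198.51.100.0/22", [3356, 64500]),
    ("198.51.100.0/22", [6939, 64500]),
    ("198.51.100.0/24", [3356, 64496, 64511]),  # more-specific from a different origin
    ("203.0.113.0/24", [6939, 64497]),
    ("203.0.113.0/24", [3356, 64498]),          # same prefix, second origin (MOAS)
    ("192.0.2.0/24", [3356, 64511]),            # the suspect AS's own address space
]

# Assumed baseline of legitimate origins (what an IRR/RPKI lookup would give you).
EXPECTED_ORIGIN = {
    "198.51.100.0/22": {64500},
    "203.0.113.0/24": {64497},
}

# Constructed traceroute from a host in the victim's /22 toward an unrelated destination.
SAMPLE_TRACEROUTE = ["198.51.101.1", "192.0.2.1", "192.0.2.9", "203.0.113.5"]


def covering_prefix(net, expected):
    """Most specific baseline prefix that covers net, or None if none does."""
    best = None
    for p in expected:
        cand = ipaddress.ip_network(p)
        if cand.version == net.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return best


def find_events(routes, expected):
    """Return prefixes whose observed origin set conflicts with the baseline."""
    origins = defaultdict(set)
    for prefix, path in routes:
        origins[prefix].add(path[-1])
    events = []
    for prefix in sorted(origins, key=lambda p: (ipaddress.ip_network(p).version,
                                                 ipaddress.ip_network(p))):
        net = ipaddress.ip_network(prefix)
        cover = covering_prefix(net, expected)
        if cover is None:
            continue  # no baseline for this space, nothing to judge against
        legit = expected[str(cover)]
        unexpected = origins[prefix] - legit
        if not unexpected:
            continue
        if net.prefixlen > cover.prefixlen:
            kind = "more-specific hijack"      # wins longest-match everywhere
        elif len(origins[prefix]) > 1:
            kind = "MOAS conflict"             # equal-length prefix, competing origin
        else:
            kind = "origin mismatch"
        events.append({"prefix": prefix, "kind": kind,
                       "expected": sorted(legit), "unexpected": sorted(unexpected)})
    return events


def origin_for_ip(ip, routes):
    """Longest-match origin AS for ip over the sampled RIB (first route wins ties)."""
    addr = ipaddress.ip_address(ip)
    best, origin = None, None
    for prefix, path in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best.prefixlen:
                best, origin = net, path[-1]
    return origin


def hops_via_as(hops, routes, asn):
    """Indices of traceroute hops that resolve to asn: a non-empty list means the
    suspect network is forwarding the traffic, not just attracting it."""
    return [i for i, h in enumerate(hops) if origin_for_ip(h, routes) == asn]


if __name__ == "__main__":
    for ev in find_events(SAMPLE_ROUTES, EXPECTED_ORIGIN):
        print(ev)
    print("hops inside AS64511:", hops_via_as(SAMPLE_TRACEROUTE, SAMPLE_ROUTES, 64511))
```

Note that the more-specific case is flagged from the RIB alone, while the traceroute check needs a vantage point that can see both directions; a path that dies inside the suspect AS would still be consistent with a blackhole, which is why the thread treats a completed traceroute through the hijacker as the stronger evidence.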