[169576] in North American Network Operators' Group
Re: Hackers hijack 300, 000-plus wireless routers, make malicious
daemon@ATHENA.MIT.EDU (Andrew Latham)
Tue Mar 4 08:33:35 2014
In-Reply-To: <5315D4AE.5030505@gmail.com>
Date: Tue, 4 Mar 2014 07:30:06 -0600
From: Andrew Latham <lathama@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Tue, Mar 4, 2014 at 7:27 AM, Davide Davini <diotonante@gmail.com> wrote:
> Andrew Latham wrote:
>> On Tue, Mar 4, 2014 at 5:46 AM, fmm <vovan@fakmoymozg.ru> wrote:
>>> On Tue, 04 Mar 2014 09:00:18 +0100, Jay Ashworth <jra@baylink.com> wrote:
>>>
>>>>
>>>> http://arstechnica.com/security/2014/03/hackers-hijack-300000-plus-wireless-routers-make-malicious-changes/
>>>>
>>>> Is there any valid reason not to black hole those /32s on the back bone?
>>>
>>>
>>>
>>>>> The telltale sign a router has been compromised is DNS settings that have
>>>>> been changed to 5.45.75.11 and 5.45.76.36. Team Cymru researchers contacted
>>>>> the provider that hosts those two IP addresses but have yet to receive a
>>>>> response.
>>>
>>>
>>> you wanted to say "blackhole those 5.45.72.0/22 and 5.45.76.0/22", didn't
>>> you?
>>>
>>
>> Jay is right, it is just the /32s at the moment... Dropping the /22s
>> could cause other sites to be blocked.
>>
>> inetnum: 5.45.72.0 - 5.45.75.255
>> netname: INFERNO-NL-DE
>
> I'm guessing that was said under the assumption the provider wouldn't
> intervene, because if it does intervene there is no point in blackholing
> anything.
>
Davide, you are correct, some people are assuming that the provider is
doing nothing. That has yet to be determined.
--
~ Andrew "lathama" Latham lathama@gmail.com http://lathama.net ~
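The thread's disagreement over /32s versus /22s is a prefix-containment question: which announced block each indicator address falls in, and how many unrelated addresses a wider blackhole would drop. The following Python is an added example that is not part of the thread or any poster's work; it uses only the two indicator IPs and the inetnum range quoted above, and the helper names (`inetnum_to_prefixes`, `collateral_size`, `flag_rogue_dns`) are my own. It also includes the defender-side check a NOC would actually run: comparing a CPE's configured resolvers against the published indicators.

```python
import ipaddress

# Indicator resolvers named in the Ars Technica article quoted in the thread.
ROGUE_DNS = [ipaddress.ip_address(a) for a in ("5.45.75.11", "5.45.76.36")]

# Whois inetnum quoted in the thread: 5.45.72.0 - 5.45.75.255 (INFERNO-NL-DE).
INETNUM_START = ipaddress.ip_address("5.45.72.0")
INETNUM_END = ipaddress.ip_address("5.45.75.255")


def inetnum_to_prefixes(start, end):
    """Convert a whois start-end range into the CIDR prefixes that exactly cover it."""
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def covering_prefixes(addresses, prefixes):
    """Map each address to the first candidate prefix that contains it (None if none does)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return {str(a): next((str(n) for n in nets if a in n), None) for a in addresses}


def collateral_size(prefixes, indicators):
    """Addresses a blackhole of these prefixes would drop beyond the indicators themselves."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    total = sum(n.num_addresses for n in nets)
    covered = sum(1 for a in indicators if any(a in n for n in nets))
    return total - covered


def flag_rogue_dns(configured_dns):
    """Return the configured resolvers (strings) that match the published indicators."""
    return [d for d in configured_dns if ipaddress.ip_address(d) in ROGUE_DNS]


if __name__ == "__main__":
    print(inetnum_to_prefixes(INETNUM_START, INETNUM_END))          # ['5.45.72.0/22']
    print(covering_prefixes(ROGUE_DNS, ["5.45.72.0/22", "5.45.76.0/22"]))
    print(collateral_size(["5.45.72.0/22", "5.45.76.0/22"], ROGUE_DNS))  # 2046
    print(collateral_size(["5.45.75.11/32", "5.45.76.36/32"], ROGUE_DNS))  # 0
    # Constructed sample of a router's resolver list for the detection check.
    print(flag_rogue_dns(["8.8.8.8", "5.45.75.11"]))                # ['5.45.75.11']
```

Two things fall out of running it: the quoted inetnum is exactly 5.45.72.0/22, so the second indicator (5.45.76.36) sits in a different block than the one whose netname was posted, and dropping both /22s would take 2046 unrelated addresses off the table where the two /32s take none. The `flag_rogue_dns` check is the part to wire into a config audit so compromised CPE is found by its symptom rather than by waiting on the hosting provider.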