[174224] in North American Network Operators' Group

RE: Prefix hijacking, how to prevent and fix currently

daemon@ATHENA.MIT.EDU (Doug Madory)
Sun Aug 31 14:04:23 2014

From: Doug Madory <dmadory@renesys.com>
Date: Sun, 31 Aug 2014 14:04:13 -0400
To: nanog@nanog.org
Cc: Pierre-Antoine Vervier <Pierre-Antoine_Vervier@symantec.com>

FWIW, this is from an IP squatting operation I came across in recent weeks. I encounter these things regularly in the course of working with BGP data - probably others do too. Usually I look up the ASN or prefix and often it has already been added to someone's spam source list. When I see that, I assume the "system is working" and move on.

In this case, starting late Jun, we have seen IP address ranges from around the world (most ranges are unused, sometimes hijacked space) announced by one of two (formerly unused) ASNs and routed through another formerly unused ASN, 57756, then on to Anders (AS39792) and out to the Internet in the following form:

	... 39792 57756 {3.721, 43239}	prefix

The prefixes are only routed for an hour or two before it moves on to the next range of IP address space. Not sure if this is for spam or something else. Either way, it is probably associated with something bad. Earlier this month I reached out to a contact at Anders in Russia and gave him some details about what was happening. I didn't get a response, but within a couple of days the routing (mostly) shifted from Anders to Petersburg Internet Network (AS44050). I have no idea if this was due to my email. The day it moved to PIN I sent similar emails to addresses I could find at PIN, but haven't seen any response. Now these routes take one of two forms:

	... 39792 57756 {3.721, 43239}	prefix

Or

	... 44050 57756 {3.721, 43239}	prefix

This is mostly routed through Cogent (AS174), but Anders (AS39792) also has a lot of peers. I would advise that people treat any route coming through AS57756 as probably bad. AS57756 doesn't originate anything and hasn't since 28-Jun when it very briefly hijacked some NZ space.

Also, Pierre-Antoine Vervier from Symantec gave a good talk at NANOG in Feb about IP squatting for spam generation. Pierre and I have since compared notes on this topic.

-Doug Madory

----- Original Message -----
> From: "Tarun Dua" <lists@tarundua.net>
> To: nanog@nanog.org
> Sent: Thursday, August 28, 2014 12:55:25 PM
> Subject: Prefix hijacking, how to prevent and fix currently
>
> AS Number 43239
> AS Name SPETSENERGO-AS SpetsEnergo Ltd.
>
> Has started hijacking our IPv4 prefix, while this prefix was NOT in
> production, it worries us that it was this easy for someone to hijack
> it.
>
> http://bgp.he.net/AS43239#_prefixes
>
> 103.20.212.0/22 <- This belongs to us.
>
> 103.238.232.0/22 KNS Techno Integrators Pvt. Ltd.
> 193.43.33.0/24 hydrocontrol S.C.R.L.
> 193.56.146.0/24 TRAPIL - Societe des Transports Petroliers par Pipeline
>
> Where do we complain to get this fixed?
>
> -Tarun
> AS132420
>
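
As an added example (not code from the thread or from either poster), here is a small Python check that turns the advice above into a filter a network operator could run over their own route collector data: it flags paths that transit AS57756, AS_SET origins like {3.721, 43239}, and announcements that live only an hour or two. The route records and timestamps are constructed; 103.20.212.0/22 and the AS numbers come from the thread, while 192.0.2.0/24 and AS64496 are documentation values used as a benign control.

```python
from datetime import datetime, timedelta

WATCHLIST = {57756}  # transit ASN the post says originates nothing itself

def parse_asn(token):
    """Parse an AS number token, accepting asdot notation such as '3.721'."""
    if "." in token:
        high, low = token.split(".")
        return int(high) * 65536 + int(low)
    return int(token)

def parse_as_path(path):
    """Split a textual AS path into (transit ASNs, set of candidate origin ASNs)."""
    seq, as_set, in_set = [], None, False
    tokens = path.replace("...", " ").replace("{", " { ").replace("}", " } ")
    for tok in tokens.replace(",", " ").split():
        if tok == "{":
            in_set, as_set = True, set()
        elif tok == "}":
            in_set = False
        elif in_set:
            as_set.add(parse_asn(tok))
        else:
            seq.append(parse_asn(tok))
    if as_set is not None:  # trailing AS_SET: every member is a possible originator
        return seq, as_set
    return seq[:-1], {seq[-1]}

def assess(prefix, as_path, first_seen, last_seen, max_hours=2):
    """Return the reasons a route record matches the squatting pattern (empty if none)."""
    transit, origins = parse_as_path(as_path)
    reasons = []
    hit = WATCHLIST & set(transit)
    if hit:
        reasons.append("transits watchlisted AS %s" % sorted(hit))
    if len(origins) > 1:
        reasons.append("AS_SET origin %s obscures the real originator" % sorted(origins))
    lifetime = datetime.fromisoformat(last_seen) - datetime.fromisoformat(first_seen)
    if lifetime <= timedelta(hours=max_hours):
        reasons.append("announced for only %s" % lifetime)
    return reasons
# Constructed records (prefix, AS path, first seen, last seen); only 103.20.212.0/22 is from the thread
SAMPLE_ROUTES = [
    ("103.20.212.0/22", "... 174 39792 57756 {3.721, 43239}", "2014-08-20T10:00", "2014-08-20T11:30"),
    ("198.51.100.0/24", "... 174 44050 57756 {3.721, 43239}", "2014-08-21T09:00", "2014-08-21T10:10"),
    ("192.0.2.0/24", "... 174 39792 64496", "2014-08-01T00:00", "2014-08-20T11:30"),
]
def suspicious_routes(routes):
    """Map each flagged prefix to its list of reasons; stable, long-lived routes drop out."""
    return {rec[0]: reasons for rec in routes if (reasons := assess(*rec))}
```

On real data the first_seen/last_seen pair would come from the collector's announce and withdraw times, and the watchlist would hold whichever transit ASNs the operator has decided to treat as suspect.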
