[174274] in North American Network Operators' Group


Re: Prefix hijacking, how to prevent and fix currently

daemon@ATHENA.MIT.EDU (Doug Madory)
Wed Sep 3 13:27:32 2014

X-Original-To: nanog@nanog.org
From: Doug Madory <dmadory@renesys.com>
Date: Wed, 3 Sep 2014 13:27:14 -0400
To: nanog@nanog.org
In-Reply-To: <F1879621-EC26-4787-AB9F-B9B585F3E05D@renesys.com>
Errors-To: nanog-bounces@nanog.org


http://www.bgpmon.net/using-bgp-data-to-find-spammers/

This blog post furthers this discussion, but it would have been appropriate to cite my original analysis explicitly, rather than simply citing "some discussion on Nanog recently."

If we want to foster a community where people share expertise on this list, fully citing others' work is essential, as in any professional or academic setting.

Doug Madory
603-643-9300 x115
Hanover, NH
"The Internet Intelligence Authority"

On Aug 31, 2014, at 2:04 PM, Doug Madory <dmadory@renesys.com> wrote:

> FWIW, this is from an IP squatting operation I came across in recent weeks. I encounter these things regularly in the course of working with BGP data - probably others do too. Usually I look up the ASN or prefix and often it has already been added to someone's spam source list. When I see that, I assume the "system is working" and move on.
>
> In this case, starting late Jun, we have seen IP address ranges from around the world (most ranges are unused, sometimes hijacked space) announced by one of two (formerly unused) ASNs and routed through another formerly unused ASN, 57756, then on to Anders (AS39792) and out to the Internet in the following form:
>
> 	... 39792 57756 {3.721, 43239}	prefix
>
> The prefixes are only routed for an hour or two before it moves on to the next range of IP address space. Not sure if this is for spam or something else. Either way, it is probably associated with something bad. Earlier this month I reached out to a contact at Anders in Russia and gave him some details about what was happening. I didn't get a response, but within a couple of days the routing (mostly) shifted from Anders to Petersburg Internet Network (AS44050). I have no idea if this was due to my email. The day it moved to PIN I sent similar emails to addresses I could find at PIN, but haven't seen any response. Now these routes take one of two forms:
>
> 	... 39792 57756 {3.721, 43239}	prefix
>
> Or
>
> 	... 44050 57756 {3.721, 43239}	prefix
>
> This is mostly routed through Cogent (AS174), but Anders (AS39792) also has a lot of peers. I would advise that people treat any route coming through AS57756 as probably bad. AS57756 doesn't originate anything and hasn't since 28-Jun when it very briefly hijacked some NZ space.
>
> Also, Pierre-Antoine Vervier from Symantec gave a good talk at NANOG in Feb about IP squatting for spam generation. Pierre and I have since compared notes on this topic.
>
> -Doug Madory
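A route-path check of the kind the advice above implies, added here as an example and not code from the post or from Renesys: it parses AS_PATH strings in the quoted form (AS_SET braces, asdot notation), and flags routes in which AS57756 appears as a transit hop rather than as origin. The sample routes are constructed; the benign ASNs 64496, 64500 and 64501 are documentation-range placeholders, and reading "3.721" as asdot for 197329 is an assumption about the notation in the post.

```python
import re

# Constructed sample routes (not real routing data): two paths in the form
# quoted in the post, plus two benign paths using documentation-range ASNs.
SAMPLE_ROUTES = [
    ("203.0.113.0/24", "174 39792 57756 {3.721, 43239}"),
    ("198.51.100.0/24", "174 44050 57756 {3.721, 43239}"),
    ("192.0.2.0/24", "174 64496 64500"),
    ("192.0.2.0/23", "64496 44050 64501"),
]

# ASNs the post advises treating as suspicious when seen as a transit hop.
WATCH_TRANSIT = {57756}


def asdot_to_asplain(token):
    """Convert asdot notation ('3.721', assumed here) to a 32-bit ASN; plain ints pass through."""
    if "." in token:
        high, low = token.split(".")
        return int(high) * 65536 + int(low)
    return int(token)


def parse_as_path(path):
    """Parse an AS_PATH string into hops; an AS_SET '{a, b}' becomes a frozenset hop."""
    hops = []
    for token in re.findall(r"\{[^}]*\}|[\d.]+", path):
        if token.startswith("{"):
            members = token[1:-1].split(",")
            hops.append(frozenset(asdot_to_asplain(m.strip()) for m in members))
        else:
            hops.append(asdot_to_asplain(token))
    return hops


def flag_suspicious(routes, watch=WATCH_TRANSIT):
    """Return (prefix, watched_transit_asn, origin_set) for routes transiting a watched ASN."""
    flagged = []
    for prefix, path in routes:
        hops = parse_as_path(path)
        last = hops[-1]
        origin = last if isinstance(last, frozenset) else frozenset([last])
        # Only non-origin hops count as transit; the origin hop is excluded.
        for hop in hops[:-1]:
            hop_set = hop if isinstance(hop, frozenset) else {hop}
            hit = hop_set & watch
            if hit:
                flagged.append((prefix, min(hit), origin))
                break
    return flagged
```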

