[174277] in North American Network Operators' Group


Re: Prefix hijacking, how to prevent and fix currently

daemon@ATHENA.MIT.EDU (Ca By)
Wed Sep 3 13:47:25 2014

X-Original-To: nanog@nanog.org
In-Reply-To: <A32CC951-AFD3-4CB9-AE4B-57A79B94DF55@renesys.com>
Date: Wed, 3 Sep 2014 10:47:17 -0700
From: Ca By <cb.list6@gmail.com>
To: Doug Madory <dmadory@renesys.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On Wed, Sep 3, 2014 at 10:27 AM, Doug Madory <dmadory@renesys.com> wrote:
> http://www.bgpmon.net/using-bgp-data-to-find-spammers/
>
> This blog post furthers this discussion, but it would have been appropriate to cite my original analysis explicitly, rather than simply citing "some discussion on Nanog recently."
>
> If we want to foster a community where people share expertise on this list, fully citing others' work is essential, as in any professional or academic setting.
>
> Doug Madory
> 603-643-9300 x115
> Hanover, NH
> "The Internet Intelligence Authority"
>

Doug,

Furthering a sense of community through public shaming and allegations
of plagiarism?


> On Aug 31, 2014, at 2:04 PM, Doug Madory <dmadory@renesys.com> wrote:
>
>> FWIW, this is from an IP squatting operation I came across in recent weeks. I encounter these things regularly in the course of working with BGP data - probably others do too. Usually I look up the ASN or prefix and often it has already been added to someone's spam source list. When I see that, I assume the "system is working" and move on.
>>
>> In this case, starting late Jun, we have seen IP address ranges from around the world (most ranges are unused, sometimes hijacked space) announced by one of two (formerly unused) ASNs and routed through another formerly unused ASN, 57756, then on to Anders (AS39792) and out to the Internet in the following form:
>>
>>       ... 39792 57756 {3.721, 43239}  prefix
>>
>> The prefixes are only routed for an hour or two before it moves on to the next range of IP address space. Not sure if this is for spam or something else. Either way, it is probably associated with something bad. Earlier this month I reached out to a contact at Anders in Russia and gave him some details about what was happening. I didn't get a response, but within a couple of days the routing (mostly) shifted from Anders to Petersburg Internet Network (AS44050). I have no idea if this was due to my email. The day it moved to PIN I sent similar emails to addresses I could find at PIN, but haven't seen any response. Now these routes take one of two forms:
>>
>>       ... 39792 57756 {3.721, 43239}  prefix
>>
>> Or
>>
>>       ... 44050 57756 {3.721, 43239}  prefix
>>
>> This is mostly routed through Cogent (AS174), but Anders (AS39792) also has a lot of peers. I would advise that people treat any route coming through AS57756 as probably bad. AS57756 doesn't originate anything and hasn't since 28-Jun when it very briefly hijacked some NZ space.
>>
>> Also, Pierre-Antoine Vervier from Symantec gave a good talk at NANOG in Feb about IP squatting for spam generation. Pierre and I have since compared notes on this topic.
>>
>> -Doug Madory
>

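The quoted message describes a pattern an operator can watch for in their own BGP feed: short-lived announcements of otherwise unused space whose AS path transits AS57756 and ends in an AS_SET written with a 32-bit ASN in asdot notation (`{3.721, 43239}`). The script below is an added example, not code from the thread or from anyone on it. It parses AS paths in that form, converts asdot ASNs to asplain, and flags route records that transit a watch-listed ASN, originate from an AS_SET, or are withdrawn again within a few hours. AS57756 is taken from the post; the record layout, the `max_lifetime` threshold, the timestamps and the documentation prefixes in `SAMPLE` are constructed for the example.

```python
"""
Flag BGP announcements that match the pattern described in the thread:
routes transiting a watch-listed ASN, originated from an AS_SET, and
withdrawn again after only a short time.

Added example. The watch-listed ASN (57756) comes from the post; the
record format, lifetime threshold and sample records are assumptions.
"""
from datetime import datetime, timedelta
import re

WATCHLIST = {57756}  # transit ASN the post advises treating as probably bad


def asn_to_plain(token: str) -> int:
    """Convert an ASN token in asplain ("43239") or asdot ("3.721")
    notation to a plain 32-bit integer (asdot: high * 65536 + low)."""
    if "." in token:
        high, low = token.split(".", 1)
        return int(high) * 65536 + int(low)
    return int(token)


def parse_as_path(path: str) -> list:
    """Parse an AS_PATH string such as '39792 57756 {3.721, 43239}'.
    Returns a list whose elements are ints (AS_SEQUENCE hops) or
    frozensets of ints (an AS_SET, the braced group)."""
    elems = []
    for m in re.finditer(r"\{([^}]*)\}|(\d+(?:\.\d+)?)", path):
        if m.group(1) is not None:
            members = [asn_to_plain(t)
                       for t in re.split(r"[,\s]+", m.group(1).strip()) if t]
            elems.append(frozenset(members))
        else:
            elems.append(asn_to_plain(m.group(2)))
    return elems


def path_asns(elems) -> set:
    """Flatten a parsed path to the set of every ASN it mentions."""
    out = set()
    for e in elems:
        if isinstance(e, frozenset):
            out |= e
        else:
            out.add(e)
    return out


def flag_routes(records, max_lifetime=timedelta(hours=3)):
    """records: iterable of (prefix, as_path_str, announced_at, withdrawn_at|None).
    Returns a list of (prefix, [reason, ...]) for records that look suspicious."""
    findings = []
    for prefix, path_str, announced, withdrawn in records:
        elems = parse_as_path(path_str)
        reasons = []
        transit_hits = path_asns(elems) & WATCHLIST
        if transit_hits:
            reasons.append(f"transits watch-listed ASN {sorted(transit_hits)}")
        if isinstance(elems[-1], frozenset):
            # An AS_SET origin hides which member actually originated the route.
            reasons.append(f"origin is an AS_SET {sorted(elems[-1])}")
        if withdrawn is not None and withdrawn - announced <= max_lifetime:
            reasons.append(f"announced for only {withdrawn - announced}")
        if reasons:
            findings.append((prefix, reasons))
    return findings


# Constructed sample records mirroring the two path forms quoted in the post
# (documentation prefixes; timestamps are made up).
T0 = datetime(2014, 8, 20, 12, 0)
SAMPLE = [
    ("192.0.2.0/24", "174 39792 57756 {3.721, 43239}",
     T0, T0 + timedelta(hours=1, minutes=30)),
    ("198.51.100.0/24", "174 44050 57756 {3.721, 43239}",
     T0 + timedelta(hours=2), T0 + timedelta(hours=4)),
    ("203.0.113.0/24", "174 3356 15169", T0, None),  # ordinary, long-lived route
]

if __name__ == "__main__":
    for prefix, reasons in flag_routes(SAMPLE):
        print(prefix, "->", "; ".join(reasons))
```

Feeding real announcement/withdrawal pairs from a route collector or a local BGP daemon's update log into `flag_routes` gives the same three checks the post reasons about by eye; the AS_SET check is worth keeping separately, since an AS_SET origin on its own is unusual enough in modern routing to merit a look even without a watch-list hit.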