[174331] in North American Network Operators' Group
Re: Prefix hijacking, how to prevent and fix currently
daemon@ATHENA.MIT.EDU (Nick Feamster)
Thu Sep 4 21:48:12 2014
X-Original-To: nanog@nanog.org
From: Nick Feamster <feamster@cc.gatech.edu>
In-Reply-To: <F1879621-EC26-4787-AB9F-B9B585F3E05D@renesys.com>
Date: Thu, 4 Sep 2014 14:47:42 -0400
To: Doug Madory <dmadory@renesys.com>
Cc: nanog@nanog.org, Pierre-Antoine Vervier <Pierre-Antoine_Vervier@symantec.com>
Errors-To: nanog-bounces@nanog.org
Hi Doug, All,
We've seen similar things, including hijacks of less specific IP prefixes (even /8s), correlated with spam behavior.
We presented on this at NANOG 35:
http://nanog.org/meetings/nanog36/presentations/feamster.pdf
Slide 4 shows a short-lived BGP announcement for IP space that was the source of spam. Interestingly, many of the short-lived announcements that we observed were /8s. Subsequent slides explain why. Subsequent slides explain these observations in more detail, and we had a paper in SIGCOMM '06 describing this activity in more detail:
http://www.cc.gatech.edu/~feamster/papers/p396-ramachandran.pdf
We have a couple of pieces of follow-up work:
- It turns out that you can use BGP dynamics as features to design filters for spam and other attack traffic (we have a couple of papers on this)
- Some of these observable dynamics are also useful for establishing AS reputation (a la Hostexploit) - we have some ongoing work here
Happy to talk more, either on-list or off-list.
Cheers,
-Nick
On Aug 31, 2014, at 2:04 PM, Doug Madory <dmadory@renesys.com> wrote:
> FWIW, this is from an IP squatting operation I came across in recent weeks. I encounter these things regularly in the course of working with BGP data - probably others do too. Usually I look up the ASN or prefix and often it has already been added to someone's spam source list. When I see that, I assume the "system is working" and move on.
>
> In this case, starting late Jun, we have seen IP address ranges from around the world (most ranges are unused, sometimes hijacked space) announced by one of two (formerly unused) ASNs and routed through another formerly unused ASN, 57756, then on to Anders (AS39792) and out to the Internet in the following form:
>
> ... 39792 57756 {3.721, 43239} prefix
>
> The prefixes are only routed for an hour or two before it moves on to the next range of IP address space. Not sure if this is for spam or something else. Either way, it is probably associated with something bad. Earlier this month I reached out to a contact at Anders in Russia and gave him some details about what was happening. I didn't get a response, but within a couple of days the routing (mostly) shifted from Anders to through Petersburg Internet Network (AS44050). I have no idea if this was due to my email. The day it moved to PIN I sent similar emails to addresses I could find at PIN, but haven't seen any response. Now these routes take one of two forms:
>
> ... 39792 57756 {3.721, 43239} prefix
>
> Or
>
> ... 44050 57756 {3.721, 43239} prefix
>
> This is mostly routed through Cogent (AS174), but Anders (AS39792) also has a lot of peers. I would advise that people treat any route coming through AS57756 as probably bad. AS57756 doesn't originate anything and hasn't since 28-Jun when it very briefly hijacked some NZ space.
>
> Also, Pierre-Antoine Vervier from Symantec gave a good talk at NANOG in Feb about IP squatting for spam generation. Pierre and I have since compared notes on this topic.
>
> -Doug Madory
>
> ----- Original Message -----
>> From: "Tarun Dua" <lists@tarundua.net>
>> To: nanog@nanog.org
>> Sent: Thursday, August 28, 2014 12:55:25 PM
>> Subject: Prefix hijacking, how to prevent and fix currently
>>
>> AS Number 43239
>> AS Name SPETSENERGO-AS SpetsEnergo Ltd.
>>
>> Has started hijacking our IPv4 prefix, while this prefix was NOT in
>> production, it worries us that it was this easy for someone to hijack
>> it.
>>
>> http://bgp.he.net/AS43239#_prefixes
>>
>> 103.20.212.0/22 <- This belongs to us.
>>
>> 103.238.232.0/22 KNS Techno Integrators Pvt. Ltd.
>> 193.43.33.0/24 hydrocontrol S.C.R.L.
>> 193.56.146.0/24 TRAPIL - Societe des Transports Petroliers par Pipeline
>>
>> Where do we complain to get this fixed.
>>
>> -Tarun
>> AS132420
>>
>
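As an added example (not code from this thread or its authors), the two heuristics discussed above, Nick's short-lived announcements and Doug's "treat any route through AS57756 as probably bad", applied to a few constructed BGP update records; the record format, the sample timestamps and the documentation-range route are assumptions for illustration, and the AS path parser handles the AS_SET braces and asdot ASN (3.721) that appear in Doug's path form.

```python
"""Two heuristics from the thread, run over constructed BGP update records.
Added example, not the thread's code. Assumed record format:
"<epoch> <A|W> <prefix> [<as_path>]"; a path may hold an AS_SET in braces
and asdot ASNs such as 3.721 (= 3*65536+721)."""
import re
WATCH_AS = {57756}           # transit AS Doug flagged as "probably bad"
SHORT_LIVED_SECS = 2 * 3600  # "only routed for an hour or two"
SAMPLE_UPDATES = [  # constructed sample, not real routing data
    "1409500000 A 103.20.212.0/22 174 39792 57756 {3.721, 43239}",
    "1409503600 W 103.20.212.0/22",              # withdrawn after 1 hour
    "1409500000 A 198.51.100.0/24 64496 64497",  # stable route, documentation ASNs
    "1409600000 A 192.0.2.0/24 174 44050 57756 {3.721, 43239}",
]

def parse_asn(tok: str) -> int:
    """Accept asplain ('43239') or asdot ('3.721')."""
    if "." in tok:
        hi, lo = tok.split(".", 1)
        return int(hi) * 65536 + int(lo)
    return int(tok)

def parse_as_path(path: str) -> list:
    """Sequence hops become ints; an AS_SET {a, b} becomes one frozenset."""
    out = []
    for tok in re.findall(r"\{[^}]*\}|\S+", path):
        if tok.startswith("{"):
            out.append(frozenset(parse_asn(a) for a in tok.strip("{}").split(",")))
        else:
            out.append(parse_asn(tok))
    return out

def transits_watched(path: list, watch=WATCH_AS) -> bool:
    """True if any hop (AS_SET members included) is on the watch list."""
    return any((hop if isinstance(hop, frozenset) else {hop}) & watch for hop in path)

def analyze(lines: list) -> dict:
    """Return {prefix: [reasons]} for announcements matching either heuristic."""
    flagged, announced = {}, {}
    for line in lines:
        parts = line.split(maxsplit=3)
        ts, action, prefix = int(parts[0]), parts[1], parts[2]
        if action == "A":
            announced[prefix] = ts
            if transits_watched(parse_as_path(parts[3])):
                flagged.setdefault(prefix, []).append(f"transits watched AS via {parts[3]}")
        elif action == "W" and prefix in announced:
            life = ts - announced.pop(prefix)
            if life <= SHORT_LIVED_SECS:
                flagged.setdefault(prefix, []).append(f"short-lived ({life // 60} min)")
    return flagged
```

Feeding real MRT/BGP update streams into `analyze` would replace the constructed `SAMPLE_UPDATES`; the lifetime threshold and watch list are the knobs to tune.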