[174345] in North American Network Operators' Group
Re: Prefix hijacking, how to prevent and fix currently
From: Doug Madory <dmadory@renesys.com>
Date: Fri, 5 Sep 2014 12:12:48 -0400
To: Nick Feamster <feamster@cc.gatech.edu>, "nanog@nanog.org" <nanog@nanog.org>
Hi Nick, All,
Thanks for the links. I'm glad to know people are working on this. I don't think anyone was suggesting that this was a new phenomenon.
Someone wrote to this list about a particular incident and I shared details about how this was part of a larger IP squatting operation. Unique from other on-going IP squatting incidents that I'm aware of, this one was rather unique in its use of two unused ASNs to quickly cycle through various prefixes of (mostly) unused address space.
http://seclists.org/nanog/2014/Aug/513 (Aug 31)
It was disappointing to see someone claim the discovery of this IP squatting operation three days later without a reference to my detailed write-up in this public forum. This had been going on for months, but only after I explained what had happened could this "discovery" take place.
http://www.bgpmon.net/using-bgp-data-to-find-spammers/ (Sep 3)
What is most interesting is that shortly before I wrote my email, the IP squatting operation had changed tactics. Although there are still some stale routes in circulation, the "57756 {43239, 3.721}" format is no longer the format being used.
Since Saturday, the IP squatting operation has moved to the following route format:
... 44050 197598 {49121, 197794} prefix
By the time of Andree's blog post on Wednesday, this new route format had been the main tactic for four days. He didn't pick up on the change - perhaps because I hadn't caught the change by the time I wrote my email this weekend. Maybe he can "discover" it now.
BTW, these routes are being universally accepted, so whatever technique we think we're employing to filter routes like this, it isn't working.
Doug Madory
603-643-9300 x115
Hanover, NH
"The Internet Intelligence Authority"
On Sep 4, 2014, at 2:47 PM, Nick Feamster <feamster@cc.gatech.edu> wrote:
> Hi Doug, All,
>
> We've seen similar things, including hijacks of less specific IP prefixes (even /8s), correlated with spam behavior.
>
> We presented on this at NANOG 35:
> http://nanog.org/meetings/nanog36/presentations/feamster.pdf
>
> Slide 4 shows a short-lived BGP announcement for IP space that was the source of spam. Interestingly, many of the short-lived announcements that we observed were /8s. Subsequent slides explain why. Subsequent slides explain these observations in more detail, and we had a paper in SIGCOMM '06 describing this activity in more detail:
> http://www.cc.gatech.edu/~feamster/papers/p396-ramachandran.pdf
>
> We have a couple of pieces of follow-up work:
> - It turns out that you can use BGP dynamics as features to design filters for spam and other attack traffic (we have a couple of papers on this)
> - Some of these observable dynamics are also useful for establishing AS reputation (a la Hostexploit) - we have some ongoing work here
>
> Happy to talk more, either on-list or off-list.
>=20
> Cheers,
> -Nick
>
> On Aug 31, 2014, at 2:04 PM, Doug Madory <dmadory@renesys.com> wrote:
>
>> FWIW, this is from an IP squatting operation I came across in recent weeks. I encounter these things regularly in the course of working with BGP data - probably others do too. Usually I look up the ASN or prefix and often it has already been added to someone's spam source list. When I see that, I assume the "system is working" and move on.
>>
>> In this case, starting late Jun, we have seen IP address ranges from around the world (most ranges are unused, sometimes hijacked space) announced by one of two (formerly unused) ASNs and routed through another formerly unused ASN, 57756, then on to Anders (AS39792) and out to the Internet in the following form:
>>
>> ... 39792 57756 {3.721, 43239} prefix
>>
>> The prefixes are only routed for an hour or two before it moves on to the next range of IP address space. Not sure if this is for spam or something else. Either way, it is probably associated with something bad. Earlier this month I reached out to a contact at Anders in Russia and gave him some details about what was happening. I didn't get a response, but within a couple of days the routing (mostly) shifted from Anders to Petersburg Internet Network (AS44050). I have no idea if this was due to my email. The day it moved to PIN I sent similar emails to addresses I could find at PIN, but haven't seen any response. Now these routes take one of two forms:
>>
>> ... 39792 57756 {3.721, 43239} prefix
>>
>> Or
>>
>> ... 44050 57756 {3.721, 43239} prefix
>>
>> This is mostly routed through Cogent (AS174), but Anders (AS39792) also has a lot of peers. I would advise that people treat any route coming through AS57756 as probably bad. AS57756 doesn't originate anything and hasn't since 28-Jun when it very briefly hijacked some NZ space.
>>
>> Also, Pierre-Antoine Vervier from Symantec gave a good talk at NANOG in Feb about IP squatting for spam generation. Pierre and I have since compared notes on this topic.
>>
>> -Doug Madory
>>
>> ----- Original Message -----
>>> From: "Tarun Dua" <lists@tarundua.net>
>>> To: nanog@nanog.org
>>> Sent: Thursday, August 28, 2014 12:55:25 PM
>>> Subject: Prefix hijacking, how to prevent and fix currently
>>>
>>> AS Number 43239
>>> AS Name SPETSENERGO-AS SpetsEnergo Ltd.
>>>
>>> Has started hijacking our IPv4 prefix, while this prefix was NOT in
>>> production, it worries us that it was this easy for someone to hijack it.
>>>
>>> http://bgp.he.net/AS43239#_prefixes
>>>
>>> 103.20.212.0/22 <- This belongs to us.
>>>=20
>>> 103.238.232.0/22 KNS Techno Integrators Pvt. Ltd.
>>> 193.43.33.0/24 hydrocontrol S.C.R.L.
>>> 193.56.146.0/24 TRAPIL - Societe des Transports Petroliers par Pipeline
>>>
>>> Where do we complain to get this fixed?
>>>
>>> -Tarun
>>> AS132420
>>>
>>
>
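As an added illustration (not code from any poster in this thread), the following Python check parses AS paths in the notation quoted above, where braces mark an AS_SET of origin ASNs and "3.721" is asdot notation for ASN 197329, and flags any route whose path carries a watch-listed ASN such as the AS57756 transit Doug advises treating as bad. The watch list and the sample routes are constructed for this example.

```python
"""Flag BGP routes whose AS path transits a watch-listed ASN, using the path
notation quoted in the thread. Added illustration; all sample data is constructed."""
import re

# ASNs the thread names as carrying the squatted routes. Treating them as a
# watch list is this example's assumption; a defender keeps their own list.
WATCHLIST = {57756, 197598}
_ASN = r"\d+(?:\.\d+)?"  # asplain "43239" or asdot "3.721"

def asn_to_plain(token):
    """asdot 'X.Y' -> X*65536 + Y (3.721 -> 197329); asplain passes through."""
    if "." in token:
        high, low = token.split(".")
        return int(high) * 65536 + int(low)
    return int(token)

def parse_as_path(path):
    """Turn '... 39792 57756 {3.721, 43239} prefix' into a list of hops, each a
    frozenset: one ASN for an AS_SEQUENCE hop, several for an AS_SET ({...}).
    A leading '...' is skipped; the first non-ASN token ('prefix') ends the path."""
    hops = []
    for tok in re.findall(r"\{[^}]*\}|\S+", path):
        if tok == "...":
            continue
        if tok.startswith("{"):
            hops.append(frozenset(asn_to_plain(a) for a in re.findall(_ASN, tok)))
        elif re.fullmatch(_ASN, tok):
            hops.append(frozenset([asn_to_plain(tok)]))
        else:
            break
    return hops

def scan(routes, watchlist=WATCHLIST):
    """Return (prefix, sorted origin ASNs, sorted watch-list hits) for each route
    whose path contains a watch-listed ASN anywhere, as transit or origin."""
    flagged = []
    for prefix, path in routes:
        hops = parse_as_path(path)
        hits = {a for hop in hops for a in hop if a in watchlist}
        if hits:
            flagged.append((prefix, sorted(hops[-1]), sorted(hits)))
    return flagged

# Constructed sample: the two path formats quoted in the thread plus one
# ordinary route, on RFC 5737 documentation prefixes (not live data).
SAMPLE_ROUTES = [
    ("192.0.2.0/24", "... 174 39792 57756 {3.721, 43239} prefix"),
    ("198.51.100.0/24", "... 44050 197598 {49121, 197794} prefix"),
    ("203.0.113.0/24", "... 174 3356 64496 prefix"),
]
```

Running `scan(SAMPLE_ROUTES)` flags the first two routes (by AS57756 and AS197598 respectively) and passes the third, which is the kind of check a route-collector feed could be run through when the filters the thread describes are not catching these announcements.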