[64871] in North American Network Operators' Group


Re: Hijacked IP space.

daemon@ATHENA.MIT.EDU (Jamie Reid)
Tue Nov 4 02:45:38 2003

Date: Tue, 04 Nov 2003 00:54:07 -0500
From: "Jamie Reid" <Jamie.Reid@mbs.gov.on.ca>
To: chucklist@forest.net, nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu



I must have missed the thread on this, but is there a good summary available
of exactly _how_ these netblocks are getting hijacked?

Are they taking advantage of sloppy redistribution configurations, 0wning
routers, spoofing OSPF updates, taking advantage of default static
routes, or is there something more complicated at work?

Are these attacks actually generating bogons, or are they isolated
to ASNs they have at one point been legitimately announced by,
and forgotten?

I can think up many more interesting applications for these kinds of
ghost-nets than spamming, all of which are quite, if you'll pardon the
pun, haunting.


--
Jamie.Reid, CISSP, jamie.reid@mbs.gov.on.ca
Senior Security Specialist, Information Protection Centre
Corporate Security, MBS
416 327 2324
>>> "chuck goolsbee" <chucklist@forest.net> 11/03/03 03:56pm >>>

All,

Sorry to interrupt any off-topic rambles, but I had a client call
last week who had just had some telephone abuse heaped on them, by
somebody accusing them of spamming. It turns out our client had a
netblock assigned to them back in the mid-90s. They used to put on
networking trade shows, and used the space for making show networks.
They haven't put on a networking trade show (with a public network)
since about 1997.

Of course, to complicate the matter, the sole contact listed in whois
no longer works there.

I informed our client how to remove their name from the whois record
and relinquish the netblock back to ARIN, which I hope they are doing
now.

I also have (at the suggestion of some research through the nanog
archives) submitted the netblock to the completewhois site.

[I have no interest in commenting on the current inane OT nanog
thread about that subject, so don't even try me.]

Mr. Thomas' cymru.com service was offline when I tried to contact it
last week (he replied via email about an outage... sorry to hear...
coffee will get there eventually. Order put to the roaster today. -
hang in there.)

Of course I have no hard data, other than my client's phone call
about another phone call, so I can't query based on a timestamp to
see where this was being announced from. It appears to have vanished, and
has remained so according to my casual glances here and there.

The netblock in question is:

204.89.0.0/21

So, my question is: Other than the above, and mentioning it here, is
there anything else *I* can do to assist my client? Especially since
I am not at all directly related to this netblock in any way.
Additionally, it would not hurt to know if anyone here *does* know
when or where the announcement came from.

The client in question are good folks, and I hate to see their
reputation tainted by the actions of others.



Thanks,

--chuck goolsbee, digital.forest
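The thread above asks how one would find out when, and from which peer, a dormant netblock was announced. The following is an added example, not code from either poster and not the cymru.com or completewhois tooling they mention. It scans bgpdump-style route records for any announcement that collides with a watched prefix (exact match, more-specific, or a covering aggregate) whose origin AS is not on an authorized list; for a dormant block the authorized list is empty, so any origin at all is unexpected. The `bgpdump -m` field order and the sample records (constructed from documentation ASNs and documentation prefixes) are assumptions; 204.89.0.0/21 appears only because it is the block named in the post, and nothing here says who actually announced it.

```python
"""Flag announcements of a watched (here: dormant) netblock by an unexpected
origin AS, from bgpdump-style one-line-per-route records.

Added example; not code from the NANOG thread. Assumed input layout is the
`bgpdump -m` field order: TYPE|TIME|ENTRY|PEER_IP|PEER_AS|PREFIX|AS_PATH|...
The sample records below are constructed, not real routing data.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample. ASNs 64496-64511 are documentation ASNs (RFC 5398);
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation prefixes.
SAMPLE_DUMP = """\
BGP4MP|1067900000|A|192.0.2.1|64496|203.0.113.0/24|64496 64497|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1067900060|A|192.0.2.1|64496|204.89.0.0/21|64496 64498 64511|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1067900120|A|198.51.100.7|64499|204.89.4.0/22|64499 64511 64511|IGP|198.51.100.7|0|0||NAG||
BGP4MP|1067900180|W|192.0.2.1|64496|204.89.0.0/21
BGP4MP|1067900240|A|192.0.2.1|64496|204.89.0.0/21|64496 {64500,64511}|IGP|192.0.2.1|0|0||NAG||
BGP4MP|1067900300|A|198.51.100.7|64499|204.88.0.0/15|64499 64500|IGP|198.51.100.7|0|0||NAG||
"""

# Watch list: prefix -> ASNs allowed to originate it. An empty set means the
# block is dormant and should not be in anyone's table at all.
WATCH = {"204.89.0.0/21": set(), "203.0.113.0/24": {64497}}


@dataclass(frozen=True)
class Alert:
    time: int            # epoch seconds from the record ("when")
    peer_as: int         # peer that showed us the route ("where")
    prefix: str          # prefix actually announced
    watched: str         # watched prefix it collides with
    relation: str        # exact | more-specific | covering
    origins: frozenset   # candidate origin ASN(s)
    as_path: str


def candidate_origins(as_path: str) -> frozenset:
    """Origin = last path element. Prepending repeats the origin, so the last
    token is enough; a trailing AS_SET ({a,b}) from aggregation gives several
    candidates, every one of which must be authorized."""
    last = as_path.split()[-1]
    if last.startswith("{"):
        return frozenset(int(a) for a in re.findall(r"\d+", last))
    return frozenset({int(last)})


def relation(announced, watched):
    if announced == watched:
        return "exact"
    if announced.subnet_of(watched):
        return "more-specific"
    if watched.subnet_of(announced):
        return "covering"
    return None


def find_unexpected_origins(dump_text: str, watch: dict) -> list:
    watched = {ipaddress.ip_network(p): set(a) for p, a in watch.items()}
    alerts = []
    for line in dump_text.splitlines():
        f = line.split("|")
        # Withdrawals (W) carry no path; anything without PREFIX|AS_PATH is unusable.
        if len(f) < 7 or f[2] not in ("A", "B"):
            continue
        try:
            announced = ipaddress.ip_network(f[5], strict=False)
        except ValueError:
            continue
        origins = candidate_origins(f[6])
        for w, allowed in watched.items():
            if announced.version != w.version:
                continue
            rel = relation(announced, w)
            if rel is None or origins <= allowed:
                continue
            alerts.append(Alert(int(f[1]), int(f[4]), str(announced), str(w),
                                rel, origins, f[6]))
    return alerts


def first_seen(alerts):
    """Per watched prefix: earliest time, and the peers and origins involved."""
    out = {}
    for a in sorted(alerts, key=lambda x: x.time):
        s = out.setdefault(a.watched, {"first": a.time, "peers": set(), "origins": set()})
        s["peers"].add(a.peer_as)
        s["origins"] |= a.origins
    return out


if __name__ == "__main__":
    found = find_unexpected_origins(SAMPLE_DUMP, WATCH)
    for a in found:
        when = datetime.fromtimestamp(a.time, tz=timezone.utc).isoformat()
        print(f"{when} peer AS{a.peer_as}: {a.prefix} ({a.relation} of {a.watched}) "
              f"origin {sorted(a.origins)} path [{a.as_path}]")
    for p, s in first_seen(found).items():
        print(f"{p}: first seen {s['first']}, peers {sorted(s['peers'])}, "
              f"origins {sorted(s['origins'])}")
```

On real data the input would be an MRT archive from a route collector converted with `bgpdump -m`; the same loop then answers "when" (earliest matching record) and "where" (which peers carried it). A "covering" alert can be legitimate when an upstream aggregates the block, in which case that upstream's ASN belongs on the allowed list rather than the alert being ignored.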


