[93359] in North American Network Operators' Group


Re: odd hijack

daemon@ATHENA.MIT.EDU (Michael.Dillon@btradianz.com)
Fri Nov 10 08:11:16 2006

In-Reply-To: <71051fe20611091646w64385d2frb5be471be198b92@mail.gmail.com>
To: nanog@nanog.org
From: Michael.Dillon@btradianz.com
Date: Fri, 10 Nov 2006 13:13:15 +0000
Errors-To: owner-nanog@merit.edu


>  My question to the community is,
> what kind of misconfiguration could cause this set of prefixes to be
> announced? 

> 11.0.0.0/8
> 12.0.0.0/7
> 121.0.0.0/8
> 122.0.0.0/7
> 124.0.0.0/7
> 126.0.0.0/8
> 128.0.0.0/3
etc ...

This looks to me like some large multinational leaked
their internal announcements to an ISP. It is not unusual
for large companies to use random unregistered /8 blocks
in their internal networks. There are all kinds of 
applications that need to talk across networks which do
not need any Internet connectivity or any direct
connectivity to general use workstations. This network
traffic would normally be hidden inside some kind of
VPN on the same infrastructure as other corporate 
traffic.

So to answer your question, first look for all the ways
that a misconfiguration could allow routing information
to leak out of some flavor of VPN.

--Michael Dillon

