Hi Nicolai,

It really happened, here are my notes.

http://instituut.net/~job/cb3rob-spamhaus-hijack-21-mar-2013.txt

Renesys also confirmed seeing the /32 from that direction, but they could not share the data because of an NDA.

Because it was a /32, it was a hyperlocal event. If you can read Dutch and read the comments on the greenhost.nl blog, you'll see that Kamphuis is not denying, but rather elaborates on what he did:

"wijst er ook maar even op dat onze uiteraard in-house developed dns code die we voor dit project ingezet hebben ook keurig op stdout liet zien WAT er door WIE werdt opgevraagd…"

Roughly translates to:

"Let me emphasize that our in-house developed dns code, which was used for this project, very nicely logged to stdout WHO was requesting WHAT"

Kind regards,

Job

On Mar 29, 2013, at 7:05 PM, Nicolai <nicolai-na...@chocolatine.org> wrote:

> Hi all,
>
> Regarding the Spamhaus DDoS attack, there's a Cisco article [0]
> detailing its chronology, which cites greenhost.nl [1] claiming a BGP
> hijack by AS34109 (CB3ROB). Here, a /32 was announced (and accepted...)
> for 0.ns.spamhaus.org, and the fraudulent server returned 127.0.0.2 for
> *all* DNSBL queries, with the intent to undermine confidence in
> Spamhaus.
>
> Are there any confirmations of this claim? This needs to be
> investigated and proven/disproven.
>
> Nicolai
>
> 0. http://blogs.cisco.com/security/chronology-of-a-ddos-spamhaus/
> 1.
> https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/
>

--
AS5580 - Atrato IP Networks
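
Added example, not part of the original thread: a sanity check a mail operator can run against a DNSBL to notice the condition described above, where a responder answers 127.0.0.2 for every query. It relies on the RFC 5782 test points (127.0.0.2 must be listed, 127.0.0.1 must not be); the zone name `dnsbl.example` and the stub resolvers are constructed for illustration.

```python
import socket

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_resolver(name):
    """Return the A record for name, or None when the lookup fails.
    Simplification: gethostbyname cannot tell NXDOMAIN from SERVFAIL."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_dnsbl_sanity(zone, resolve=system_resolver):
    """Classify a DNSBL zone using the RFC 5782 test points.

    127.0.0.2 must always be listed and 127.0.0.1 must never be listed.
    A responder that answers 'listed' for everything fails the second test.
    """
    positive = resolve(dnsbl_name("127.0.0.2", zone))
    negative = resolve(dnsbl_name("127.0.0.1", zone))
    if positive is None:
        return "unreachable-or-empty"  # zone is not answering its test entry
    if negative is not None:
        return "lists-everything"      # answers for an address that must be absent
    return "ok"

# Constructed stub resolvers standing in for real DNS, so the example runs offline.
def healthy(name):
    """Behaves like a correct DNSBL: only the 127.0.0.2 test entry is listed."""
    return "127.0.0.2" if name.startswith("2.0.0.127.") else None

def wildcard(name):
    """Behaves like the responder in the thread: 127.0.0.2 for every query."""
    return "127.0.0.2"

if __name__ == "__main__":
    for label, stub in (("healthy", healthy), ("wildcard", wildcard)):
        print(label, check_dnsbl_sanity("dnsbl.example", resolve=stub))
```

Run against a real zone, the check goes through the local recursive resolver, so it only flags the condition when that resolver's path reaches the misbehaving server; scoring or rejecting mail on that zone should pause while the result is anything other than "ok".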