Hi Doug, All,

We’ve seen similar things, including hijacks of less specific IP prefixes (even 
/8s), correlated with spam behavior.  

We presented on this at NANOG 35:
http://nanog.org/meetings/nanog36/presentations/feamster.pdf

Slide 4 shows a short-lived BGP announcement for IP space that was the source 
of spam.  Interestingly, many of the short-lived announcements that we observed 
were /8s.  Subsequent slides explain why.  Subsequent slides explain these 
observations in more detail, and we had a paper in SIGCOMM’06 describing this 
activity in more detail:
http://www.cc.gatech.edu/~feamster/papers/p396-ramachandran.pdf

We have a couple of pieces of follow-up work:
- It turns out that you can use BGP dynamics as features to design filters for 
spam and other attack traffic (we have a couple of papers on this)
- Some of these observable dynamics are also useful for establishing AS 
reputation (a la Hostexploit) - we have some ongoing work here

Happy to talk more, either on-list or off-list.

Cheers,
-Nick

On Aug 31, 2014, at 2:04 PM, Doug Madory <dmad...@renesys.com> wrote:

> FWIW, this is from an IP squatting operation I came across in recent weeks. I 
> encounter these things regularly in the course of working with BGP data - 
> probably others do too. Usually I look up the ASN or prefix and often it has 
> already been added to someone's spam source list. When I see that, I assume 
> the "system is working" and move on.
> 
> In this case, starting late Jun, we have seen IP address ranges from around 
> the world (most ranges are unused, sometimes hijacked space) announced by one 
> of two (formerly unused) ASNs and routed through another formerly unused ASN, 
> 57756, then on to Anders (AS39792) and out to the Internet in the following 
> form:
> 
>       ... 39792 57756 {3.721, 43239}  prefix
> 
> The prefixes are only routed for an hour or two before it moves on to the 
> next range of IP address space. Not sure if this is for spam or something 
> else. Either way, it is probably associated with something bad. Earlier this 
> month I reached out to a contact at Anders in Russia and gave him some 
> details about what was happening. I didn't get a response, but within a 
> couple of days the routing (mostly) shifted from Anders to through Petersburg 
> Internet Network (AS44050). I have no idea if this was due to my email. The 
> day it moved to PIN I sent similar emails to addresses I could find at PIN, 
> but haven't seen any response. Now these routes take one of two forms:
> 
>       ... 39792 57756 {3.721, 43239}  prefix
> 
> Or
> 
>       ... 44050 57756 {3.721, 43239}  prefix
> 
> This is mostly routed through Cogent (AS174), but Anders (AS39792) also has a 
> lot of peers. I would advise that people treat any route coming through 
> AS57756 as probably bad. AS57756 doesn't originate anything and hasn't since 
> 28-Jun when it very briefly hijacked some NZ space.
> 
> Also, Pierre-Antoine Vervier from Symantec gave a good talk at NANOG in Feb 
> about IP squatting for spam generation. Pierre and I have since compared 
> notes on this topic.
> 
> -Doug Madory
> 
> ----- Original Message -----
>> From: "Tarun Dua" <li...@tarundua.net>
>> To: nanog@nanog.org
>> Sent: Thursday, August 28, 2014 12:55:25 PM
>> Subject: Prefix hijacking, how to prevent and fix currently
>> 
>> AS Number 43239
>> AS Name SPETSENERGO-AS SpetsEnergo Ltd.
>> 
>> Has started hijacking our IPv4 prefix, while this prefix was NOT in
>> production, it worries us that it was this easy for someone to hijack
>> it.
>> 
>> http://bgp.he.net/AS43239#_prefixes
>> 
>> 103.20.212.0/22 <- This belongs to us.
>> 
>> 103.238.232.0/22 KNS Techno Integrators Pvt. Ltd.
>> 193.43.33.0/24 hydrocontrol S.C.R.L.
>> 193.56.146.0/24 TRAPIL - Societe des Transports Petroliers par Pipeline
>> 
>> Where do we complain to get this fixed.
>> 
>> -Tarun
>> AS132420
>> 
> 

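Doug's two AS-path shapes and the "hour or two" lifetime of these routes lend themselves to a simple screen over BGP updates. The following is an added example, not code from any of the posters: it parses AS paths written the way the thread shows them (an AS_SET in braces, asdot ASNs such as 3.721, converted to asplain per RFC 5396), flags announcements that transit AS57756, and reports prefixes withdrawn within two hours of being announced. The update records are constructed sample data using RFC 5737 documentation prefixes, not real routing data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample updates (NOT real routing data): (UTC time, A=announce/W=withdraw, prefix, AS path).
# The AS paths copy the two shapes quoted in the thread; 64496/64497 are documentation ASNs.
SAMPLE_UPDATES = [
    ("2014-08-30 10:00", "A", "198.51.100.0/24", "174 39792 57756 {3.721, 43239}"),
    ("2014-08-30 11:30", "W", "198.51.100.0/24", ""),
    ("2014-08-30 12:00", "A", "203.0.113.0/24", "174 44050 57756 {3.721, 43239}"),
    ("2014-08-30 12:00", "A", "192.0.2.0/24", "174 64496 64497"),
    ("2014-08-31 12:00", "W", "192.0.2.0/24", ""),
]

SUSPECT_TRANSIT = {57756}  # per Doug: anything routed through AS57756 is probably bad


def asdot_to_asplain(token):
    """Convert an asdot ASN such as '3.721' to asplain (high * 65536 + low); plain ASNs pass through."""
    if "." in token:
        high, low = token.split(".")
        return int(high) * 65536 + int(low)
    return int(token)


def parse_as_path(path):
    """Split a textual AS path into (AS_SEQUENCE asns, asns found inside any {AS_SET})."""
    sets = [asdot_to_asplain(t) for grp in re.findall(r"\{([^}]*)\}", path)
            for t in re.split(r"[,\s]+", grp.strip()) if t]
    seq = [asdot_to_asplain(t) for t in re.sub(r"\{[^}]*\}", " ", path).split()]
    return seq, sets


def flag_transit(updates, suspect=SUSPECT_TRANSIT):
    """Map each announced prefix whose path crosses a suspect ASN to its origin ASN(s)."""
    hits = {}
    for _, kind, prefix, path in updates:
        if kind != "A":
            continue
        seq, sets = parse_as_path(path)
        if suspect & set(seq):
            hits[prefix] = sorted(sets) if sets else [seq[-1]]  # AS_SET members are the candidate origins
    return hits


def short_lived(updates, max_age=timedelta(hours=2)):
    """Map prefixes withdrawn within max_age of their announcement to their lifetime in minutes."""
    announced, result = {}, {}
    for ts, kind, prefix, _ in updates:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if kind == "A":
            announced[prefix] = t
        elif prefix in announced and (age := t - announced.pop(prefix)) <= max_age:
            result[prefix] = int(age.total_seconds() // 60)
    return result
```

Feeding a real update feed (e.g. a BGP collector's MRT dump parsed into the same tuple shape) through `flag_transit` and `short_lived` gives a first-pass list of prefixes worth checking against the spam-source lists Doug mentions.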