Hi Doug, All,

We’ve seen similar things, including hijacks of less specific IP prefixes (even /8s), correlated with spam behavior.

We presented on this at NANOG 35: http://nanog.org/meetings/nanog36/presentations/feamster.pdf

Slide 4 shows a short-lived BGP announcement for IP space that was the source of spam. Interestingly, many of the short-lived announcements that we observed were /8s. Subsequent slides explain why. Subsequent slides explain these observations in more detail, and we had a paper in SIGCOMM’06 describing this activity in more detail: http://www.cc.gatech.edu/~feamster/papers/p396-ramachandran.pdf

We have a couple of pieces of follow-up work:

- It turns out that you can use BGP dynamics as features to design filters for spam and other attack traffic (we have a couple of papers on this)
- Some of these observable dynamics are also useful for establishing AS reputation (a la Hostexploit) - we have some ongoing work here

Happy to talk more, either on-list or off-list.

Cheers,
-Nick

On Aug 31, 2014, at 2:04 PM, Doug Madory <dmad...@renesys.com> wrote:

> FWIW, this is from an IP squatting operation I came across in recent weeks. I encounter these things regularly in the course of working with BGP data - probably others do too. Usually I look up the ASN or prefix and often it has already been added to someone's spam source list. When I see that, I assume the "system is working" and move on.
>
> In this case, starting late Jun, we have seen IP address ranges from around the world (most ranges are unused, sometimes hijacked space) announced by one of two (formerly unused) ASNs and routed through another formerly unused ASN, 57756, then on to Anders (AS39792) and out to the Internet in the following form:
>
> ... 39792 57756 {3.721, 43239} prefix
>
> The prefixes are only routed for an hour or two before it moves on to the next range of IP address space. Not sure if this is for spam or something else. Either way, it is probably associated with something bad.
>
> Earlier this month I reached out to a contact at Anders in Russia and gave him some details about what was happening. I didn't get a response, but within a couple of days the routing (mostly) shifted from Anders to through Petersburg Internet Network (AS44050). I have no idea if this was due to my email. The day it moved to PIN I sent similar emails to addresses I could find at PIN, but haven't seen any response. Now these routes take one of two forms:
>
> ... 39792 57756 {3.721, 43239} prefix
>
> Or
>
> ... 44050 57756 {3.721, 43239} prefix
>
> This is mostly routed through Cogent (AS174), but Anders (AS39792) also has a lot of peers. I would advise that people treat any route coming through AS57756 as probably bad. AS57756 doesn't originate anything and hasn't since 28-Jun when it very briefly hijacked some NZ space.
>
> Also, Pierre-Antoine Vervier from Symantec gave a good talk at NANOG in Feb about IP squatting for spam generation. Pierre and I have since compared notes on this topic.
>
> -Doug Madory
>
> ----- Original Message -----
>> From: "Tarun Dua" <li...@tarundua.net>
>> To: nanog@nanog.org
>> Sent: Thursday, August 28, 2014 12:55:25 PM
>> Subject: Prefix hijacking, how to prevent and fix currently
>>
>> AS Number 43239
>> AS Name SPETSENERGO-AS SpetsEnergo Ltd.
>>
>> Has started hijacking our IPv4 prefix, while this prefix was NOT in production, it worries us that it was this easy for someone to hijack it.
>>
>> http://bgp.he.net/AS43239#_prefixes
>>
>> 103.20.212.0/22 <- This belongs to us.
>>
>> 103.238.232.0/22 KNS Techno Integrators Pvt. Ltd.
>> 193.43.33.0/24 hydrocontrol S.C.R.L.
>> 193.56.146.0/24 TRAPIL - Societe des Transports Petroliers par Pipeline
>>
>> Where do we complain to get this fixed.
>>
>> -Tarun
>> AS132420
>>
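The two signals the thread describes, a route whose AS path transits a transit ASN you have decided to watch (Doug's AS57756) and an announcement that is withdrawn again within an hour or two (the short-lived announcements in Nick's slides), are easy to turn into a small detector over a BGP update stream. The following Python is an added example written for this page; it is not code from either poster, from Renesys, or from Georgia Tech. It assumes a simple pipe-separated update format (`timestamp|A-or-W|prefix|as_path`) that you would produce from your own collector or from bgpdump output, treats the `3.721` in Doug's AS_SET as RFC 5396 asdot notation (an assumption about his rendering), and uses a 3-hour cutoff for "short-lived" that is a chosen threshold, not one from the thread. The sample updates are constructed: the ASNs and the two prefixes are taken from the thread, the timestamps are invented, and the benign control route uses documentation ASNs and the TEST-NET-3 prefix.

```python
"""Added example (not from the NANOG thread): flag BGP announcements that
transit a watch-listed ASN and/or are short-lived. Input format is assumed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample update stream (timestamps invented).
# Format assumed for this example:
#   <unix_ts>|<A or W>|<prefix>|<AS path, space separated; trailing {a,b} is an AS_SET>
SAMPLE_UPDATES = """\
1404000000|A|103.20.212.0/22|174 39792 57756 {3.721,43239}
1404003600|W|103.20.212.0/22|
1404003600|A|193.43.33.0/24|174 44050 57756 {3.721,43239}
1404009000|W|193.43.33.0/24|
1404000000|A|203.0.113.0/24|174 64496 64497
1404090000|W|203.0.113.0/24|
"""

WATCHED_TRANSIT = {"57756"}       # transit ASN named in Doug's message
SHORT_LIVED_SECONDS = 3 * 3600    # "an hour or two": threshold chosen for this example


def asdot_to_asplain(asn: str) -> int:
    """Convert RFC 5396 asdot 'X.Y' to a 32-bit asplain integer; plain ASNs pass through."""
    if "." in asn:
        high, low = asn.split(".", 1)
        return int(high) * 65536 + int(low)
    return int(asn)


def parse_as_path(path: str) -> Tuple[List[int], List[int]]:
    """Split an AS path into (AS_SEQUENCE, origin candidates).

    A trailing AS_SET in braces lists the origin candidates, as in Doug's
    "{3.721, 43239}"; without one, the last sequence ASN is the origin."""
    path = path.strip()
    origin_set: List[int] = []
    if "{" in path:
        head, tail = path.split("{", 1)
        origin_set = [asdot_to_asplain(a) for a in tail.rstrip("}").replace(",", " ").split()]
        path = head
    seq = [asdot_to_asplain(a) for a in path.split()]
    if not origin_set and seq:
        origin_set = [seq[-1]]
    return seq, origin_set


@dataclass
class Announcement:
    prefix: str
    start: int
    path: List[int]
    origins: List[int]
    end: Optional[int] = None   # None while the prefix is still announced


def analyse(stream: str, watched=WATCHED_TRANSIT, short=SHORT_LIVED_SECONDS) -> List[dict]:
    """Pair announcements with their withdrawals and report suspicious ones."""
    open_ann: Dict[str, Announcement] = {}
    finished: List[Announcement] = []
    for line in stream.splitlines():
        if not line.strip():
            continue
        ts_s, kind, prefix, path = line.split("|", 3)
        ts = int(ts_s)
        if kind == "A":
            seq, origins = parse_as_path(path)
            open_ann[prefix] = Announcement(prefix, ts, seq, origins)
        elif kind == "W" and prefix in open_ann:
            ann = open_ann.pop(prefix)
            ann.end = ts
            finished.append(ann)
    finished.extend(open_ann.values())  # still announced: duration unknown, path still checked

    watched_ints = {asdot_to_asplain(a) for a in watched}
    findings = []
    for ann in finished:
        reasons = []
        if watched_ints & set(ann.path):
            reasons.append("transits watch-listed ASN")
        if ann.end is not None and ann.end - ann.start < short:
            reasons.append(f"short-lived ({(ann.end - ann.start) // 60} min)")
        if reasons:
            findings.append({"prefix": ann.prefix, "origins": ann.origins, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_UPDATES):
        print(finding)
```

On the constructed stream the two prefixes routed via AS57756 are reported on both counts and the control route is not. In practice the short-lived check only fires once a withdrawal arrives, so a still-announced squatted prefix is caught by the transit check alone; that is why both signals are kept rather than relying on duration.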