|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Hunting for bogus BGP announcement for 204.106.93.155
For the last two days, between approximately 7pm to 2am Eastern time, a spammer hijacked a piece of our address space, presumably by announcing some size of aggregate containing the IP address 204.106.93.155. During the time that the spammer had connectivity using this bogus announcement, they originated many spam messages for a porn website. Possibly, they also provided connectivity for the porn website during that time. And they probably also announced various other netblocks which you may be able to deduce by studying the emails posted to nanas here <http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=1032174896.54.4116%40verence.demon.co.uk&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26selm%3D1032174896.54.4116%2540verence.demon.co.uk> If anyone has some idle time this evening, and you happen to successfully traceroute to 204.106.93.155 then I would appreciate seeing a copy of that traceroute as well as a BGP dump with all of the routes announced by the AS containing this netblock. At the current time we are not announcing the netblock containing this address but even if we were, the address is currently unassigned, i.e. a portscan would show it not in use, and therefore the hijacker could still successfully announce a longer prefix than us to use our address space. If you are not filtering your inbound BGP sessions, then this spammer could be your customer. Or maybe this spammer is abusing the hospitality of your local Internet exchange. I was originally alerted to this spam by a half dozen messages from spamcop and I've asked the spamcop folks to collect a traceroute as soon as they identify the spam so that we have a better chance of tracking down the rogue ISP/XP (or sloppy ISP/XP) that is letting these spammer announce bogus routes. ------------------------------------------------------- Michael Dillon
|