North American Network Operators Group


Re: Hijacked IP space.

  • From: Jamie Reid
  • Date: Tue Nov 04 02:47:39 2003

I must have missed the thread on this, but is there a good summary available
of exactly _how_ these netblocks are getting hijacked? 

Are they taking advantage of sloppy redistribution configurations, 0wning
routers, spoofing OSPF updates,  taking advantage of default static
routes, or is there something more complicated at work? 

Are these attacks actually generating bogons, or are they isolated 
to ASNs they have at one point been legitimately announced by, 
and forgotten? 

I can think up many more interesting applications for these kinds of 
ghost-nets than spamming, all of which are quite, if you'll pardon the
pun, haunting.



--
Jamie.Reid, CISSP, [email protected]
Senior Security Specialist, Information Protection Centre 
Corporate Security, MBS  
416 327 2324 
>>> "chuck goolsbee" <[email protected]> 11/03/03 03:56pm >>>

All,

Sorry to interrupt any off-topic rambles, but I had a client call 
last week who had just had some telephone abuse heaped on them, by 
somebody accusing them of spamming. It turns out our client had a 
netblock assigned to them back in the mid-90's. They used to put on 
networking trade shows, and used the space for making show networks. 
They haven't put on a networking trade show (with a public network) 
since about 1997.

Of course to complicate the matter, the sole contact listed in whois 
no longer works there.

I informed our client how to remove their name from the whois record 
and relinquish the netblock back to ARIN, which I hope they are doing 
now.

I also have (at the suggestion of some research through the nanog 
archives) submitted the netblock to the completewhois site.

[I have no interest in commenting on the current inane OT nanog 
thread about that subject, so don't even try me.]

Mr. Thomas' cymru.com service was offline when I tried to contact it 
last week (he replied via email about an outage... sorry to hear... 
coffee will get there eventually. Order put to the roaster today. - 
hang in there.)

Of course I have no hard data, other than my client's phone call 
about another phone call, so I can't query based on a timestamp to 
see where this was being announced from. It appears to have vanished, and 
has remained so according to my casual glances here and there.

The netblock in question is:

204.89.0.0/21



So, my question is: Other than the above, and mentioning it here, is 
there anything else *I* can do to assist my client? Especially since 
I am not at all directly related to this netblock in any way. 
Additionally, it would not hurt to know if anyone here *does* know 
when or where the announcement came from.


The client in question are good folks, and I hate to see their 
reputation tainted by the actions of others.



Thanks,

--chuck goolsbee, digital.forest
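[Editor's note, not part of either message above.] Chuck's two questions, "when" a dormant netblock was announced and "where" it came from, and Jamie's question of whether the announcements are bogons or reuse of a forgotten-but-legitimate origin, are the kind of thing a routing-history feed answers. The script below is an added example, not code from either poster or from any NANOG tool. It screens update lines in the pipe-separated layout of `bgpdump -m` (what you get from RouteViews or RIPE RIS MRT archives) against a watch list of prefixes and the origin ASNs entitled to announce them. An empty allowed set encodes "allocated but dormant", which is the 204.89.0.0/21 case in the thread. The feed lines, the peer address 198.51.100.1 and every ASN in the file are constructed; only the /21 comes from the thread.

```python
"""Screen a BGP update feed for announcements of watched prefixes.

Input lines follow the pipe-separated layout of `bgpdump -m`:
  BGP4MP|unixtime|A|peer_ip|peer_as|prefix|as_path|origin|next_hop|...
  BGP4MP|unixtime|W|peer_ip|peer_as|prefix
The sample feed, the peer address and all ASNs below are constructed for
this example; only 204.89.0.0/21 comes from the thread.
"""
import ipaddress
from dataclasses import dataclass

# Watch list: prefix -> origin ASNs allowed to announce it.  An empty set means
# "allocated but dormant, no announcement expected at all" (the /21 in the
# thread).  192.0.2.0/24 and AS64496 are assumed, for illustration only.
WATCH = {
    "204.89.0.0/21": set(),
    "192.0.2.0/24": {64496},
}

# Constructed feed: the dormant /21 announced, a more-specific /22 of it with an
# AS_SET origin, a legitimate announcement, a prepended path from the wrong
# origin, a withdrawal of the /21, and an unrelated prefix.
SAMPLE_FEED = """\
BGP4MP|1067000000|A|198.51.100.1|64500|204.89.0.0/21|64500 64511|IGP|198.51.100.1|0|0||NAG||
BGP4MP|1067000001|A|198.51.100.1|64500|192.0.2.0/24|64500 64496|IGP|198.51.100.1|0|0||NAG||
BGP4MP|1067000002|A|198.51.100.1|64500|204.89.4.0/22|64500 64499 {64498,64497}|IGP|198.51.100.1|0|0||NAG||
BGP4MP|1067000003|A|198.51.100.1|64500|192.0.2.0/24|64500 64510 64510 64510|IGP|198.51.100.1|0|0||NAG||
BGP4MP|1067000004|W|198.51.100.1|64500|204.89.0.0/21
BGP4MP|1067000005|A|198.51.100.1|64500|203.0.113.0/24|64500 64501|IGP|198.51.100.1|0|0||NAG||
"""


@dataclass
class Alert:
    ts: int             # unixtime of the announcement ("when")
    kind: str           # 'dormant-announced' or 'origin-mismatch'
    prefix: str         # prefix exactly as announced (may be a more-specific)
    watched: str        # watch-list entry it falls under
    origins: frozenset  # origin ASN(s); more than one only for an AS_SET origin
    peer_as: int        # collector peer that saw it ("where", first hop)
    as_path: str        # full path for follow-up with the upstreams


def origin_asns(as_path):
    """Origin ASN(s) of an AS_PATH string such as '64500 64511'.
    Prepending ('64510 64510') does not matter: the last token is the origin.
    A trailing AS_SET ('{64498,64497}') makes the origin ambiguous, so every
    member is returned and the caller treats the set as a whole."""
    last = as_path.split()[-1]
    if last.startswith("{"):
        return frozenset(int(a) for a in last.strip("{}").split(","))
    return frozenset([int(last)])


def covering_watch_entries(prefix, watch=WATCH):
    """Watch-list prefixes that the announced prefix equals or lies inside,
    so a hijack of a more-specific chunk of the block is caught too."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [w for w in watch if net.subnet_of(ipaddress.ip_network(w))]


def check_updates(lines, watch=WATCH):
    """Return one Alert per announcement of a watched prefix that is either
    dormant (no origin allowed) or comes from an origin not in its allowed set."""
    alerts = []
    for line in lines:
        f = line.rstrip("\n").split("|")
        if len(f) < 7 or f[2] != "A":
            continue  # only announcements carry an AS_PATH
        ts, peer_as, prefix, as_path = int(f[1]), int(f[4]), f[5], f[6]
        origins = origin_asns(as_path)
        for w in covering_watch_entries(prefix, watch):
            allowed = watch[w]
            if not allowed:
                kind = "dormant-announced"
            elif not origins <= allowed:
                kind = "origin-mismatch"
            else:
                continue
            alerts.append(Alert(ts, kind, prefix, w, origins, peer_as, as_path))
    return alerts


def announcement_windows(lines, watch=WATCH):
    """(first announced, withdrawn) unixtime per announced prefix under a watched
    one; withdrawn is None if the route was still up at the end of the feed.
    This is the "when" part of a hijacked-space investigation."""
    windows = {}
    for line in lines:
        f = line.rstrip("\n").split("|")
        if len(f) < 6 or f[2] not in ("A", "W"):
            continue
        ts, prefix = int(f[1]), f[5]
        for w in covering_watch_entries(prefix, watch):
            key = (w, prefix)
            if f[2] == "A":
                windows.setdefault(key, [ts, None])
            elif key in windows:
                windows[key][1] = ts
    return {k: tuple(v) for k, v in windows.items()}


if __name__ == "__main__":
    feed = SAMPLE_FEED.splitlines()
    for a in check_updates(feed):
        print(a)
    for (w, p), (start, end) in announcement_windows(feed).items():
        print(f"{p} (under {w}): announced {start}, withdrawn {end}")
```

Run against the constructed feed it flags the dormant /21, the more-specific /22 whose AS_SET origin cannot be pinned to a single ASN, and the prepended announcement of 192.0.2.0/24 from AS64510, while passing the announcement from the allowed origin and ignoring the unrelated prefix; the window for the /21 is the four seconds between its announcement and withdrawal. On Jamie's distinction: the script can only report that a dormant block was announced and by which origin; whether that origin is a random bogon source or an ASN that once legitimately carried the block is something the registry record and the block holder's own history decide, which is what the allowed set in WATCH is meant to capture.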