North American Network Operators Group


Re: odd hijack

  • From: Nick Feamster
  • Date: Fri Nov 10 12:12:40 2006

On Fri, Nov 10, 2006 at 07:20:10AM +0200, Hank Nussbacher wrote:
> AS29449 is not the problem.  It is the upstreams of AS5602 (KPNQwest 
> Italia) and AS286 (KPN) that let this crap leak.

In fact, it may not even be the immediate upstreams.  In our paper, we
describe specific examples where it's very hard to track exactly who's at
fault, because so much of the AS path appears to be forged.  See finding #5 in
the excerpt below.

I include the most germane excerpt from the paper below, for people's
convenience.  btw, Randy Bush helped us understand this technique a bit better
and coined the phrase spectrum agility.


We have called this technique "spectrum agility" because it allows a
spammer the flexibility to use a wide variety of IP addresses within a
very large block from which to send spam.  The large IP address block
allows the mail relays to "hop" between a large number of IP
addresses, thereby evading IP-based filtering techniques like DNSBLs.
Judging from the DNSBL figure and our analysis in the DNSBL section of
the paper, the technique seems to be rather effective.  As an added
benefit, route announcements for shorter IP prefixes (i.e., larger
blocks of IP addresses) are less likely to be blocked by ISPs' route
filters than route announcements or hijacks for longer prefixes.

Upon further inspection, we also discovered the following interesting
features: (1) the IP addresses of the mail relays sending this spam are
widely distributed across the IP address space; (2) the IP addresses
from which we see spam in this address space typically appear only once;
(3) on February 6, 2006, attempts to contact the mail relays that we
observed using this technique revealed that roughly 60-80% of these
hosts were not reachable by traceroute; (4) many of the IP addresses of
these mail relays were located in allocated, albeit unannounced and
unused, IP address space; and (5) many of the AS paths for these
announcements contained reserved (i.e., to-date unallocated) AS
numbers, suggesting a possible attempt to further hamper traceability
by forging elements of the AS path.
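An added example, not from the post or the paper, of how a defender might score an announced prefix for the pattern described in the excerpt: a coarse prefix, spam sources spread widely across it and each seen only once, and reserved AS numbers in the path. All prefixes, AS paths, source addresses and thresholds below are constructed for illustration, and the reserved-ASN ranges are today's (RFC 5398, 6996, 7300) rather than the 2006 allocation state the paper checked against.

```python
import ipaddress
from collections import Counter

# Reserved, private and documentation ASN ranges (RFC 5398, 6996, 7300).
# Stand-in for the paper's "reserved / to-date unallocated" ASN check.
RESERVED_ASN = [(0, 0), (23456, 23456), (64496, 65551), (4200000000, 4294967295)]

def reserved_asns(as_path):
    """Return the ASNs in an AS path that fall inside a reserved range."""
    return [a for a in as_path if any(lo <= a <= hi for lo, hi in RESERVED_ASN)]

def spectrum_agility_score(prefix, as_path, spam_sources):
    """Summarize spectrum-agility indicators for one announced prefix.

    spam_sources: source IPs (strings) seen sending spam, possibly repeated.
    """
    net = ipaddress.ip_network(prefix)
    inside = [ip for ip in map(ipaddress.ip_address, spam_sources) if ip in net]
    counts = Counter(inside)
    # Finding (2): each relay address tends to appear only once.
    single_use = (sum(1 for c in counts.values() if c == 1) / len(counts)) if counts else 0.0
    # Finding (1): fraction of the block spanned by the lowest and highest source.
    spread = ((int(max(inside)) - int(min(inside))) / net.num_addresses
              if len(inside) > 1 else 0.0)
    return {
        "prefix": prefix,
        "short_prefix": net.prefixlen <= 16,  # "very large block"; /16 cutoff is an assumption
        "reserved_asns": reserved_asns(as_path),  # finding (5)
        "distinct_sources": len(counts),
        "single_use_fraction": single_use,
        "address_spread": spread,
    }

def is_suspicious(report):
    """Flag a prefix when at least three of the four indicators are present."""
    indicators = [
        report["short_prefix"],
        report["single_use_fraction"] >= 0.9,
        report["address_spread"] >= 0.5,
        bool(report["reserved_asns"]),
    ]
    return sum(indicators) >= 3

if __name__ == "__main__":
    # Constructed announcement: coarse block, reserved ASNs in the path, one-shot relays.
    r = spectrum_agility_score("10.0.0.0/8", [12345, 64496, 65551],
                               ["10.3.7.1", "10.77.200.9", "10.140.2.2", "10.250.9.9"])
    print(r, is_suspicious(r))
```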