Hi Nicolai,

It really happened, here are my notes: http://instituut.net/~job/cb3rob-spamhaus-hijack-21-mar-2013.txt

Renesys also confirmed seeing the /32 from that direction, but they could not share the data because of an NDA. Because it was a /32, it was a hyperlocal event. If you can read Dutch and read the comments on the greenhost.nl blog, you'll see that Kamphuis is not denying, but rather elaborates on what he did:

"wijst er ook maar even op dat onze uiteraard in-house developed dns code die we voor dit project ingezet hebben ook keurig op stdout liet zien WAT er door WIE werdt opgevraagd…"

Roughly translates to: "Let me emphasize that our in-house developed dns code, which was used for this project, very nicely logged to stdout WHO was requesting WHAT"

Kind regards,

Job

On Mar 29, 2013, at 7:05 PM, Nicolai <nicolai-nanog@chocolatine.org> wrote:
Hi all,
Regarding the Spamhaus DDoS attack, there's a Cisco article [0] detailing its chronology, which cites greenhost.nl [1] claiming a BGP hijack by AS34109 (CB3ROB). Here, a /32 was announced (and accepted...) for 0.ns.spamhaus.org, and the fraudulent server returned 127.0.0.2 for *all* DNSBL queries, with the intent to undermine confidence in Spamhaus.
Are there any confirmations of this claim? This needs to be investigated and proven/disproven.
Nicolai
0. http://blogs.cisco.com/security/chronology-of-a-ddos-spamhaus/
1. https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/
--
AS5580 - Atrato IP Networks
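As an added illustration (not part of this thread, and not Spamhaus's or any list operator's code), the failure mode Nicolai describes, a DNSBL server answering 127.0.0.2 for every query, is exactly what the RFC 5782 sanity probes exist to catch: an IPv4 DNSBL must list 127.0.0.2 and must not list 127.0.0.1, so a client that probes both before trusting the list can tell "everything is listed" apart from a working list. The zone name dnsbl.example and the three resolvers are constructed offline stand-ins; live_resolver shows where a real lookup through the system resolver would plug in.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# RFC 5782, section 5: an IPv4 DNSBL MUST list 127.0.0.2 (so clients can
# verify the list works) and MUST NOT list 127.0.0.1 (so clients can detect
# a list that answers "listed" for everything, as reported in the thread).
MUST_BE_LISTED = "127.0.0.2"
MUST_NOT_BE_LISTED = "127.0.0.1"

# A resolver maps a DNS name to the A record it returns, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, under the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".") + "."


def check_dnsbl_sanity(resolve: Resolver, zone: str) -> Dict[str, Optional[str]]:
    """Probe the two RFC 5782 test addresses and return a verdict."""
    listed_probe = resolve(dnsbl_query_name(MUST_BE_LISTED, zone))
    unlisted_probe = resolve(dnsbl_query_name(MUST_NOT_BE_LISTED, zone))
    if listed_probe is None:
        verdict = "dead"              # list gone or unreachable; nothing can be trusted
    elif unlisted_probe is not None:
        verdict = "lists-everything"  # 127.0.0.1 came back listed: poisoned or broken
    else:
        verdict = "healthy"
    return {"zone": zone, "verdict": verdict,
            MUST_BE_LISTED: listed_probe, MUST_NOT_BE_LISTED: unlisted_probe}


def classify_sender(resolve: Resolver, zone: str, ip: str) -> str:
    """Consult the list only after it passes the sanity probes."""
    if check_dnsbl_sanity(resolve, zone)["verdict"] != "healthy":
        return "list-unusable"  # stop using the list; do not reject every sender
    answer = resolve(dnsbl_query_name(ip, zone))
    return "listed" if answer is not None else "not-listed"


def live_resolver(name: str) -> Optional[str]:
    """Real lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# --- constructed offline stand-ins (hypothetical zone, no network needed) ---
ZONE = "dnsbl.example"

_HEALTHY_TABLE = {
    dnsbl_query_name("127.0.0.2", ZONE): "127.0.0.2",  # RFC 5782 test entry
    dnsbl_query_name("192.0.2.1", ZONE): "127.0.0.2",  # one genuinely listed host
}


def healthy_resolver(name: str) -> Optional[str]:
    return _HEALTHY_TABLE.get(name)


def poisoned_resolver(name: str) -> Optional[str]:
    # Mimics the behaviour reported in the thread: every query is "listed".
    return "127.0.0.2"


def dead_resolver(name: str) -> Optional[str]:
    return None


if __name__ == "__main__":
    for label, r in [("healthy", healthy_resolver),
                     ("poisoned", poisoned_resolver),
                     ("dead", dead_resolver)]:
        print(label, check_dnsbl_sanity(r, ZONE)["verdict"],
              classify_sender(r, ZONE, "192.0.2.1"))
```

The design point is in classify_sender: when the probes fail, the list is marked unusable and skipped rather than every sender being treated as listed, which is precisely the damage a poisoned "always 127.0.0.2" answer would otherwise do to a mail server's deliverability. The probes cannot by themselves distinguish a hijacked nameserver from a misconfigured list, so a "lists-everything" verdict is a trigger to alert and investigate, not a diagnosis.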