RE: Prefix hijacking, how to prevent and fix currently
FWIW, this is from an IP squatting operation I came across in recent weeks. I encounter these things regularly in the course of working with BGP data - probably others do too. Usually I look up the ASN or prefix and often it has already been added to someone's spam source list. When I see that, I assume the "system is working" and move on.

In this case, starting late Jun, we have seen IP address ranges from around the world (most ranges are unused, sometimes hijacked space) announced by one of two (formerly unused) ASNs and routed through another formerly unused ASN, 57756, then on to Anders (AS39792) and out to the Internet in the following form:

... 39792 57756 {3.721, 43239} prefix

The prefixes are only routed for an hour or two before it moves on to the next range of IP address space. Not sure if this is for spam or something else. Either way, it is probably associated with something bad. Earlier this month I reached out to a contact at Anders in Russia and gave him some details about what was happening. I didn't get a response, but within a couple of days the routing (mostly) shifted from Anders to Petersburg Internet Network (AS44050). I have no idea if this was due to my email. The day it moved to PIN I sent similar emails to addresses I could find at PIN, but haven't seen any response. Now these routes take one of two forms:

... 39792 57756 {3.721, 43239} prefix

Or

... 44050 57756 {3.721, 43239} prefix

This is mostly routed through Cogent (AS174), but Anders (AS39792) also has a lot of peers. I would advise that people treat any route coming through AS57756 as probably bad. AS57756 doesn't originate anything and hasn't since 28-Jun when it very briefly hijacked some NZ space.

Also, Pierre-Antoine Vervier from Symantec gave a good talk at NANOG in Feb about IP squatting for spam generation. Pierre and I have since compared notes on this topic.

-Doug Madory

----- Original Message -----
From: "Tarun Dua" <lists@tarundua.net>
To: nanog@nanog.org
Sent: Thursday, August 28, 2014 12:55:25 PM
Subject: Prefix hijacking, how to prevent and fix currently
AS Number 43239 AS Name SPETSENERGO-AS SpetsEnergo Ltd.
Has started hijacking our IPv4 prefix, while this prefix was NOT in production, it worries us that it was this easy for someone to hijack it.
http://bgp.he.net/AS43239#_prefixes
103.20.212.0/22 <- This belongs to us.
103.238.232.0/22 KNS Techno Integrators Pvt. Ltd.
193.43.33.0/24 hydrocontrol S.C.R.L.
193.56.146.0/24 TRAPIL - Societe des Transports Petroliers par Pipeline
Where do we complain to get this fixed.
-Tarun AS132420
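The two observable patterns in the message above (a route that transits AS57756, and a prefix announced for an hour or two before the operation moves on) plus the origin mismatch in Tarun's report (AS43239 originating 103.20.212.0/22 instead of AS132420) can be screened mechanically. The following is an added example, not code from either post: it parses AS paths in the thread's own notation (origin right-most, `{a, b}` an AS_SET, `3.721` an asdot-style 32-bit ASN) and applies those three checks. The watchlist, the expected-origin table and all sample routes and timestamps are constructed for illustration.

```python
"""Screen BGP routes for a watchlisted transit ASN, an origin that is not the
registered holder of a prefix, and short-lived announcements.

Added example, not code from the original posts. The watchlists and the sample
data are constructed; only the ASNs and the /22 come from the thread.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Watchlists (assumption: built from the numbers quoted in the thread).
SUSPECT_TRANSIT = {57756}
EXPECTED_ORIGIN = {ipaddress.ip_network("103.20.212.0/22"): {132420}}

# An AS_SET in braces, or a single ASN in asplain or asdot form.
_TOKEN = re.compile(r"\{([^}]*)\}|(\d+(?:\.\d+)?)")


def asn_from_token(tok):
    """Convert '43239' or asdot '3.721' (3 * 65536 + 721) to an integer ASN."""
    if "." in tok:
        high, low = tok.split(".")
        return int(high) * 65536 + int(low)
    return int(tok)


def parse_as_path(path):
    """Parse '... 39792 57756 {3.721, 43239} prefix' into a list of ints
    (AS_SEQUENCE hops) and frozensets (AS_SET segments). The leading '...'
    and the trailing 'prefix' placeholder match no token and are dropped."""
    elems = []
    for m in _TOKEN.finditer(path):
        if m.group(1) is not None:
            members = [t.strip() for t in m.group(1).split(",") if t.strip()]
            elems.append(frozenset(asn_from_token(t) for t in members))
        else:
            elems.append(asn_from_token(m.group(2)))
    return elems


def _expand(elem):
    return set(elem) if isinstance(elem, frozenset) else {elem}


def screen_route(prefix, path):
    """Return the reasons a route looks bad; an empty list means it passed."""
    net = ipaddress.ip_network(prefix)
    elems = parse_as_path(path)
    if not elems:
        return ["empty AS path"]
    reasons = []
    transit = set().union(*(_expand(e) for e in elems[:-1]))
    if transit & SUSPECT_TRANSIT:
        reasons.append("transits watchlisted ASN %s" % sorted(transit & SUSPECT_TRANSIT))
    if isinstance(elems[-1], frozenset):
        reasons.append("origin is an AS_SET, not a single ASN")
    origins = _expand(elems[-1])
    for owned, expected in EXPECTED_ORIGIN.items():
        if net.version != owned.version:
            continue
        # Flag more-specifics of our block and less-specifics that cover it.
        if (net.subnet_of(owned) or owned.subnet_of(net)) and not origins & expected:
            reasons.append("origin %s is not expected for %s" % (sorted(origins), owned))
    return reasons


def short_lived(updates, max_age=timedelta(hours=3)):
    """Given (timestamp, prefix, 'A' or 'W') events, return the prefixes that
    were withdrawn within max_age of being announced."""
    announced = {}
    flagged = []
    for ts, prefix, kind in sorted(updates):
        if kind == "A":
            announced.setdefault(prefix, ts)
        elif kind == "W" and prefix in announced:
            if ts - announced.pop(prefix) <= max_age:
                flagged.append(prefix)
    return flagged


# Constructed sample data, not observations from the thread.
SAMPLE_ROUTES = [
    ("103.20.212.0/22", "... 174 39792 57756 {3.721, 43239} prefix"),
    ("103.20.212.0/22", "... 174 132420 prefix"),
    ("192.0.2.0/24", "... 174 44050 57756 {3.721, 43239} prefix"),
]
T0 = datetime(2014, 8, 28, 12, 0)
SAMPLE_UPDATES = [
    (T0, "192.0.2.0/24", "A"),
    (T0 + timedelta(minutes=90), "192.0.2.0/24", "W"),
    (T0 + timedelta(minutes=95), "198.51.100.0/24", "A"),
    (T0 + timedelta(days=2), "198.51.100.0/24", "W"),
]

if __name__ == "__main__":
    for prefix, path in SAMPLE_ROUTES:
        print(prefix, path, "->", screen_route(prefix, path) or "ok")
    print("short-lived:", short_lived(SAMPLE_UPDATES))
```

The AS_SET check matters on its own: the operation hides behind `{3.721, 43239}`, and a set origin is already unusual in a modern DFZ. Real inputs would come from a collector feed (MRT dumps or a BMP stream) rather than the embedded list, and `short_lived` should be run per origin as well as per prefix so that a legitimate renumbering does not trip it.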
On (2014-08-31 14:04 -0400), Doug Madory wrote: Hi,
FWIW, this is from an IP squatting operation I came across in recent weeks. I encounter these things regularly in the course of working with BGP data - probably others do too. Usually I look up the ASN or prefix and often it has already been added to someone's spam source list. When I see that, I assume the "system is working" and move on.
Some seem to avoid BGP analysis by exposing their attack only to their target. We recently saw MSFT getting our customer's more specific announcement from 60937 originated ostensibly by 35886. No one else (~200 vantage points) was receiving this more specific. Companies who are likely targets for this, like MSFT and GOOG, might want to monitor DFZ and see if they are receiving prefixes no one else is receiving.

--
++ytti
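The check Saku describes, comparing what your own routers receive against what public vantage points see, is straightforward once you have RIB snapshots from several places. The block below is an added example and not code from the post: it counts, per (prefix, origin) pair, how many vantage points carry the route, reports the routes that only your own network (`local`) receives, and notes when such a route is a more-specific of a prefix you are responsible for. The monitored prefix, the vantage-point names and the RIB contents are constructed; the origins are private ASNs.

```python
"""Find routes that only a few vantage points carry: a more-specific exposed
only to its target will show up here. Added example, not code from the post.
All RIB data below is constructed; 'local' is the network doing the monitoring
and the other keys stand in for public route collectors.
"""
import ipaddress
from collections import defaultdict

# Hypothetical customer prefix we are responsible for (assumption).
MONITORED = [ipaddress.ip_network("203.0.113.0/24")]


def route_visibility(rib_by_vantage):
    """Map (network, origin) -> set of vantage points that carry that route."""
    seen = defaultdict(set)
    for vantage, routes in rib_by_vantage.items():
        for prefix, origin in routes:
            seen[(ipaddress.ip_network(prefix), origin)].add(vantage)
    return seen


def low_visibility_routes(rib_by_vantage, local="local", max_vantages=1):
    """Routes present at 'local' but carried by no more than max_vantages
    vantage points in total, annotated with the monitored prefix each one is
    a more-specific of (if any). These are the routes worth a closer look."""
    seen = route_visibility(rib_by_vantage)
    found = []
    for (net, origin), vantages in seen.items():
        if local not in vantages or len(vantages) > max_vantages:
            continue
        covered = [str(m) for m in MONITORED
                   if m.version == net.version and net != m and net.subnet_of(m)]
        found.append({"prefix": str(net), "origin": origin,
                      "seen_at": sorted(vantages), "more_specific_of": covered})
    return sorted(found, key=lambda r: r["prefix"])


# Constructed RIB snapshots as sets of (prefix, origin ASN).
SAMPLE_RIBS = {
    "local": {("203.0.113.0/24", 65010), ("203.0.113.0/25", 65001),
              ("198.51.100.0/24", 65020), ("192.0.2.0/24", 65030)},
    "collector-a": {("203.0.113.0/24", 65010), ("198.51.100.0/24", 65020)},
    "collector-b": {("203.0.113.0/24", 65010), ("198.51.100.0/24", 65020),
                    ("192.0.2.0/24", 65030)},
    "collector-c": {("203.0.113.0/24", 65010), ("198.51.100.0/24", 65020)},
}

if __name__ == "__main__":
    for route in low_visibility_routes(SAMPLE_RIBS):
        print(route)
```

With the constructed data only the /25 of the monitored /24, originated by an ASN nobody else sees, is reported. Raising `max_vantages` widens the net to routes that a small minority of collectors carry, which is where a regional leak or a peer-only announcement would land; the `more_specific_of` field is what separates a targeted hijack from ordinary partial visibility.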
http://www.bgpmon.net/using-bgp-data-to-find-spammers/

This blog post furthers this discussion, but it would have been appropriate to cite my original analysis explicitly, rather than simply citing "some discussion on Nanog recently."

If we want to foster a community where people share expertise on this list, fully citing others' work is essential, as in any professional or academic setting.

Doug Madory
603-643-9300 x115
Hanover, NH
"The Internet Intelligence Authority"

On Aug 31, 2014, at 2:04 PM, Doug Madory <dmadory@renesys.com> wrote:
[...]
On Wed, Sep 3, 2014 at 10:27 AM, Doug Madory <dmadory@renesys.com> wrote:
[...]
Doug, Furthering a sense of community through public shaming and allegations of plagiarism?
On Aug 31, 2014, at 2:04 PM, Doug Madory <dmadory@renesys.com> wrote:
[...]
My secret spy satellite informs me that at 2014-09-03 10:27 AM Doug Madory wrote:

> http://www.bgpmon.net/using-bgp-data-to-find-spammers/
> This blog post furthers this discussion, but it would have been appropriate to cite my original analysis explicitly, rather than simply citing "some discussion on Nanog recently."

I appreciate your point but you're assuming that you are the original / sole source. More than one org has been working on this and the recent increase in IP squatting has been discussed on a few private and public lists. All content in this post originates from our own data and analysis. As you've seen we described a second (not previously discussed) case in great detail as well.

> If we want to foster a community where people share expertise on this list, fully citing others' work is essential, as in any professional or academic setting.

Credit where credit is due, in the blog we publicly thanked one individual (Job) for his help. To be honest I think this is a great example of how we worked with the community. We've worked with the ISPs involved, shared all our data and worked closely with some of them to verify traffic patterns and figure out why these prefixes were being accepted.

Cheers,
Andree (BGPmon)
Hi Doug, All,

We’ve seen similar things, including hijacks of less specific IP prefixes (even /8s), correlated with spam behavior.

We presented on this at NANOG 35: http://nanog.org/meetings/nanog36/presentations/feamster.pdf

Slide 4 shows a short-lived BGP announcement for IP space that was the source of spam. Interestingly, many of the short-lived announcements that we observed were /8s. Subsequent slides explain why. Subsequent slides explain these observations in more detail, and we had a paper in SIGCOMM’06 describing this activity in more detail: http://www.cc.gatech.edu/~feamster/papers/p396-ramachandran.pdf

We have a couple of pieces of follow-up work:
- It turns out that you can use BGP dynamics as features to design filters for spam and other attack traffic (we have a couple of papers on this)
- Some of these observable dynamics are also useful for establishing AS reputation (a la Hostexploit) - we have some ongoing work here

Happy to talk more, either on-list or off-list.

Cheers,
-Nick

On Aug 31, 2014, at 2:04 PM, Doug Madory <dmadory@renesys.com> wrote:
[...]
Hi Nick, All,

Thanks for the links. I'm glad to know people are working on this. I don't think anyone was suggesting that this was a new phenomenon. Someone wrote to this list about a particular incident and I shared details about how this was part of a larger IP squatting operation. Unique from other on-going IP squatting incidents that I'm aware of, this one was rather unique in its use of two unused ASNs to quickly cycle through various prefixes of (mostly) unused address space.

http://seclists.org/nanog/2014/Aug/513 (Aug 31)

It was disappointing to see someone claim the discovery of this IP squatting operation three days later without a reference to my detailed write-up in this public forum. This had been going for months, but only after I explained what had happened could this "discovery" take place.

http://www.bgpmon.net/using-bgp-data-to-find-spammers/ (Sep 3)

What is most interesting is that shortly before I wrote my email, the IP squatting operation had changed tactics. Although there are still some stale routes in circulation, the "57756 {43239, 3.721}" format is no longer the format being used. Since Saturday, the IP squatting operation has moved to the following route format:

... 44050 197598 {49121, 197794} prefix

By the time of Andree's blog post on Wednesday, this new route format had been the main tactic for four days. He didn't pick up on the change - perhaps because I hadn't caught the change by the time I wrote my email this weekend. Maybe he can "discover" it now.

BTW, these routes are being universally accepted, so whatever technique we think we're employing to filter routes like this, it isn't working.

Doug Madory
603-643-9300 x115
Hanover, NH
"The Internet Intelligence Authority"

On Sep 4, 2014, at 2:47 PM, Nick Feamster <feamster@cc.gatech.edu> wrote:
[...]
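Doug's closing remark, that these routes are universally accepted, and Tarun's original question of how to prevent this, both come down to origin validation. The block below is an added example, not code from any of the posts: it implements RFC 6811 route origin validation against a table of ROAs and classifies a few constructed announcements. The ROA for 103.20.212.0/22 with maxLength 22 and AS132420 is an assumption made for illustration (only the prefix and the holder ASN come from the thread); everything else in the sample is documentation address space.

```python
"""RFC 6811 route origin validation against a ROA table.

Added example, not code from the original posts. Shows why an origin hijack of
a prefix that has a ROA can be rejected, and why the squatted space in the
thread mostly cannot: unused space with no ROA validates as NotFound, which
the usual deployment policy accepts. The ROA table is constructed.
"""
import ipaddress

# Constructed ROA table: (prefix, maxLength, authorised origin ASN).
# Assumption: the holder of 103.20.212.0/22 (AS132420) has published a ROA.
ROAS = [
    ("103.20.212.0/22", 22, 132420),
]


def rov(prefix, origin_asn, roas=ROAS):
    """Return 'Valid', 'Invalid' or 'NotFound' for one route.

    origin_asn is None when the AS path ends in an AS_SET: RFC 6811 assigns
    such a route no origin ASN, so it can never match a ROA and is Invalid
    whenever any ROA covers the prefix."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this prefix
        if origin_asn == asn and net.prefixlen <= max_length:
            return "Valid"
    return "Invalid" if covered else "NotFound"


def accept(prefix, origin_asn, roas=ROAS):
    """Typical deployment policy: drop Invalid, accept Valid and NotFound."""
    return rov(prefix, origin_asn, roas) != "Invalid"


# Constructed announcements: (prefix, origin ASN or None for an AS_SET origin).
SAMPLE = [
    ("103.20.212.0/22", 132420),  # the holder's own announcement
    ("103.20.212.0/22", 43239),   # the hijack from the original report
    ("103.20.213.0/24", 132420),  # the holder, but longer than maxLength
    ("103.20.212.0/22", None),    # AS_SET origin such as {3.721, 43239}
    ("192.0.2.0/24", 43239),      # squatted space with no ROA at all
]

if __name__ == "__main__":
    for prefix, origin in SAMPLE:
        state = rov(prefix, origin)
        print(prefix, origin, state, "accept" if accept(prefix, origin) else "drop")
```

Two caveats follow directly from the code. First, ROV only helps the prefixes whose holders have published ROAs; the unused ranges this operation cycles through have none, come back NotFound, and are accepted everywhere, which is what Doug observes. Second, ROV looks at the origin alone and says nothing about the path, so a route transiting AS57756 with a Valid or NotFound origin still passes; catching that needs a separate path-based policy.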
participants (5): Andree Toonk, Ca By, Doug Madory, Nick Feamster, Saku Ytti