Hunting for bogus BGP announcement for 204.106.93.155
For the last two days, between approximately 7pm to 2am Eastern time, a spammer hijacked a piece of our address space, presumably by announcing some size of aggregate containing the IP address 204.106.93.155. During the time that the spammer had connectivity using this bogus announcement, they originated many spam messages for a porn website. Possibly, they also provided connectivity for the porn website during that time. And they probably also announced various other netblocks which you may be able to deduce by studying the emails posted to nanas here <http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=1032174896.54.4116%40verence.demon.co.uk&rnum=1&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26selm%3D1032174896.54.4116%2540verence.demon.co.uk> If anyone has some idle time this evening, and you happen to successfully traceroute to 204.106.93.155 then I would appreciate seeing a copy of that traceroute as well as a BGP dump with all of the routes announced by the AS containing this netblock. At the current time we are not announcing the netblock containing this address but even if we were, the address is currently unassigned, i.e. a portscan would show it not in use, and therefore the hijacker could still successfully announce a longer prefix than us to use our address space. If you are not filtering your inbound BGP sessions, then this spammer could be your customer. Or maybe this spammer is abusing the hospitality of your local Internet exchange. I was originally alerted to this spam by a half dozen messages from spamcop and I've asked the spamcop folks to collect a traceroute as soon as they identify the spam so that we have a better chance of tracking down the rogue ISP/XP (or sloppy ISP/XP) that is letting these spammer announce bogus routes. ------------------------------------------------------- Michael Dillon
On Thu, Oct 03, 2002 at 04:35:45PM +0100, Michael.Dillon@radianz.com wrote:
For the last two days, between approximately 7pm to 2am Eastern time, a spammer hijacked a piece of our address space, presumably by announcing some size of aggregate containing the IP address 204.106.93.155. During the time that the spammer had connectivity using this bogus announcement,
RIS didn't pick anything up <http://www.ris.ripe.net/cgi-bin/risprefix.cgi?net=204.106.0.0%2F17&startDay=20021003&startHour=00&startMin=00&startSec=00&endDay=20021003&endHour=16&endMin=45&endSec=31&rrcb=rrc00&type=%25&sortby=stime&outype=html&action=Search&.cgifields=type> /Jesper -- Jesper Skriver, jesper(at)skriver(dot)dk - CCIE #5456 Senior network engineer @ AS3292, TDC Tele Danmark One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone to bind them.
On Thu, Oct 03, 2002 at 06:48:53PM +0200, Jesper Skriver mooed:
On Thu, Oct 03, 2002 at 04:35:45PM +0100, Michael.Dillon@radianz.com wrote:
For the last two days, between approximately 7pm to 2am Eastern time, a spammer hijacked a piece of our address space, presumably by announcing some size of aggregate containing the IP address 204.106.93.155. During the time that the spammer had connectivity using this bogus announcement,
RIS didn't pick anything up
Nor did our BGP monitors, nor our db of Routeviews. http://bgp.lcs.mit.edu/ Interestingly, we se _no_ announcements of any netblock containing this address, ever. I assume you haven't brought this address space on-line yet? -Dave -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ I do not accept unsolicited commercial email. Do not spam me.
We did _not_ see 204.106.93.155 here at AS 16517 in our multicast status runs in either BGP or MBGP announcements - this means that Sprint and UUNet were not announcing it (nor was Internet2). -- Regards Marshall Eubanks David G. Andersen wrote:
On Thu, Oct 03, 2002 at 06:48:53PM +0200, Jesper Skriver mooed:
On Thu, Oct 03, 2002 at 04:35:45PM +0100, Michael.Dillon@radianz.com wrote:
For the last two days, between approximately 7pm to 2am Eastern time, a spammer hijacked a piece of our address space, presumably by announcing some size of aggregate containing the IP address 204.106.93.155. During the time that the spammer had connectivity using this bogus announcement,
RIS didn't pick anything up
Nor did our BGP monitors, nor our db of Routeviews.
Interestingly, we se _no_ announcements of any netblock containing this address, ever. I assume you haven't brought this address space on-line yet?
-Dave
T.M. Eubanks Multicast Technologies, Inc 10301 Democracy Lane, Suite 410 Fairfax, Virginia 22030 Phone : 703-293-9624 Fax : 703-293-9609 e-mail : tme@multicasttech.com http://www.multicasttech.com Test your network for multicast : http://www.multicasttech.com/mt/ Status of Multicast on the Web : http://www.multicasttech.com/status/index.html
participants (4)
-
David G. Andersen
-
Jesper Skriver
-
Marshall Eubanks
-
Michael.Dillon@radianz.com