Hijacking machine: AS201640 / AS200002
I don't routinely follow this list, so I'm not sure how much of this is common knowledge already, but...

http://blogs.cisco.com/security/talos/help-my-ip-address-has-been-hijacked/

Current route announcements for AS201640:

36.0.56.0/21 probable hijack - China
41.92.206.0/23 probable hijack - Cameroon
41.198.80.0/20 probable hijack - South Africa
41.198.224.0/20 probable hijack - South Africa
61.242.128.0/19 probable hijack - China
119.227.224.0/19 probable hijack - India
123.29.96.0/19 probable hijack - Vietnam
177.22.117.0/24 probable hijack - Brazil
187.189.158.0/23 probable hijack - Mexico
202.39.112.0/20 probable hijack - Taiwan Network Information Center
210.57.0.0/19 probable hijack - Telstra/Japan

It would appear that AS201640 may possibly exist at the present time only for the purpose of providing illicitly obtained IP space for spammers, including but not limited to the "Mike Prescott" mentioned in the Cisco blog entry cited above.

The spammer, "Mike Prescott"... not his real last name... has also been spotted spewing from IP space routed by AS200002, which is AS201640's only connection to the rest of the world. Coincidence? You be the judge.

Regards,
rfg

P.S. If anybody is able to look up _all_ of the route announcements that have been made by AS201640 over the past few months, I for one would definitely like to see those. Please e-mail them to me off list. I already know that "Mike Prescott" has been spewing from at least one of the above current announcements (202.39.112.0/20) and probably all of the others too. But there are additional route announcements that have already been withdrawn, and I'd like to check those for "Mike Prescott" footprints also.

P.P.S. To the real "Mike P."... on the off chance that he might see this... You can run, but you don't hide very well. You should have gotten out of the game in 1998 when you had the chance. Maybe the Powers That Be will lock you up this time.
Hi Ronald,

<snip>
P.S. If anybody is able to look up _all_ of the route announcements that have been made by AS201640 over the past few months, I for one would definitely like to see those. Please e-mail them to me off list. I already know that "Mike Prescott" has been spewing from at least one of the above current announcements (202.39.112.0/20) and probably all of the others too. But there are additional route announcements that have already been withdrawn, and I'd like to check those for "Mike Prescott" footprints also.
<snip>

http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=201640
http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=200002

or

http://www.cidr-report.org/cgi-bin/as-report?as=AS201640&view=2.0
http://www.cidr-report.org/cgi-bin/as-report?as=AS200002&view=2.0

--
Kind regards

Armin Kneip
Network & System Operator
ASN: 12586, 31025
Mail: ak@ghostnet.de
GHOSTnet GmbH
In message <54542174.30809@ghostnet.de>, Armin Kneip <ak@ghostnet.de> wrote:
http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=201640 http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=200002
or
http://www.cidr-report.org/cgi-bin/as-report?as=AS201640&view=2.0 http://www.cidr-report.org/cgi-bin/as-report?as=AS200002&view=2.0
Thank you.

Unfortunately, the former pair of links only seems to provide data going back about one week, while the latter pair of links only seems to provide current data as of today.

I am hoping to be able to find a list of all route announcements made by AS201640 going all the way back to its creation, which appears to possibly have occurred on or about 2014-08-27.

Regards,
rfg
While it's not a thorough list of all announcements, here are nightly snapshots courtesy of http://bgp.he.net

AS201640: http://pastebin.com/nvuVbnpn
AS200002: http://pastebin.com/1JZnWadD

--
Rob Mosher
Senior Network and Software Engineer
Hurricane Electric / AS6939

On 10/31/2014 11:57 PM, Ronald F. Guilmette wrote:
In message <54542174.30809@ghostnet.de>, Armin Kneip <ak@ghostnet.de> wrote:
http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=201640 http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=200002
or
http://www.cidr-report.org/cgi-bin/as-report?as=AS201640&view=2.0 http://www.cidr-report.org/cgi-bin/as-report?as=AS200002&view=2.0
Thank you.
Unfortunately, the former pair of links only seems to provide data going back about one week, while the latter pair of links only seems to provide current data as of today.
I am hoping to be able to find a list of all route announcements made by AS201640 going all the way back to its creation, which appears to possibly have occurred on or about 2014-08-27.
Regards, rfg
On Fri, Oct 31, 2014 at 08:57:09PM -0700, Ronald F. Guilmette wrote:
In message <54542174.30809@ghostnet.de>, Armin Kneip <ak@ghostnet.de> wrote:
http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=201640 http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=200002
or
http://www.cidr-report.org/cgi-bin/as-report?as=AS201640&view=2.0 http://www.cidr-report.org/cgi-bin/as-report?as=AS200002&view=2.0
Thank you.
Unfortunately, the former pair of links only seems to provide data going back about one week, while the latter pair of links only seems to provide current data as of today.
I am hoping to be able to find a list of all route announcements made by AS201640 going all the way back to its creation, which appears to possibly have occurred on or about 2014-08-27.
You have to parse the UPDATES data, e.g. located at archive.routeviews.org or something else, not the RIB snapshots.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
BGPlay found at https://stat.ripe.net/ is back and I find it easier to look back at BGP tables and find events like another AS or more specific route appearing.

Also if you never looked, bgpmon.net is a decent service to monitor import announcements and AS numbers to get near real time alerts of routing changes. Doesn't help this situation but can help you get alerted when it happens next.

Bryan Socha
Network Engineer
DigitalOcean
646-450-0472

On Sat, Nov 1, 2014 at 9:57 AM, Jared Mauch <jared@puck.nether.net> wrote:
On Fri, Oct 31, 2014 at 08:57:09PM -0700, Ronald F. Guilmette wrote:
In message <54542174.30809@ghostnet.de>, Armin Kneip <ak@ghostnet.de> wrote:
http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=201640 http://bgpupdates.potaroo.net/cgi-bin/generate_as_log?as=200002
or
http://www.cidr-report.org/cgi-bin/as-report?as=AS201640&view=2.0 http://www.cidr-report.org/cgi-bin/as-report?as=AS200002&view=2.0
Thank you.
Unfortunately, the former pair of links only seems to provide data going back about one week, while the latter pair of links only seems to provide current data as of today.
I am hoping to be able to find a list of all route announcements made by AS201640 going all the way back to its creation, which appears to possibly have occurred on or about 2014-08-27.
You have to parse the UPDATES data, eg: located at archive.routeviews.org or something else, not the rib snapshots.
- Jared
-- Jared Mauch | pgp key available via finger from jared@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
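The alerting Bryan describes (a monitoring service telling you when another AS starts originating your prefix, or when a more-specific of it appears) comes down to comparing every observed route against a baseline of what the prefix holder expects. The following is an added example written for this thread, not code from bgpmon.net, RIPEstat or any of the posters; the baseline, the observed routes and the label names are all constructed here, using documentation prefixes and private AS numbers.

```python
"""Classify observed BGP routes against a baseline of expected origins.

Added example (not code from the thread or from bgpmon.net / RIPEstat).
The baseline and the observed routes are constructed from documentation
prefixes (RFC 5737 / RFC 3849) and private ASNs (64496-64511 range);
the alert labels are this example's own.
"""
import ipaddress

# Constructed baseline: prefix -> origin AS its holder expects to announce it.
BASELINE = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "203.0.113.0/24": 64497,
    "2001:db8::/32": 64498,
}

# Constructed observed routes, as a collector or monitoring feed would report them.
OBSERVED = [
    {"prefix": "192.0.2.0/24", "origin_as": 64496},       # exactly as expected
    {"prefix": "198.51.100.0/24", "origin_as": 64500},    # different origin AS
    {"prefix": "203.0.113.128/25", "origin_as": 64497},   # holder's own more-specific
    {"prefix": "203.0.113.64/26", "origin_as": 64501},    # foreign more-specific
    {"prefix": "2001:db8:1::/48", "origin_as": 64502},    # foreign IPv6 more-specific
    {"prefix": "100.64.0.0/10", "origin_as": 64503},      # space we do not monitor
]


def classify(route, baseline=BASELINE):
    """Return an alert label for one observed route, or None when the route is
    either exactly what the baseline expects or unrelated to monitored space."""
    prefix = ipaddress.ip_network(route["prefix"], strict=False)
    origin = route["origin_as"]
    expected = baseline.get(str(prefix))
    if expected is not None:
        # Exact prefix match: only the origin AS can differ.
        return None if expected == origin else "origin-change"
    # No exact match: is it a more-specific of something we monitor?
    for known, known_as in baseline.items():
        covering = ipaddress.ip_network(known)
        if prefix.version == covering.version and prefix.subnet_of(covering):
            return ("more-specific-same-origin" if origin == known_as
                    else "more-specific-other-origin")
    return None


def alerts(routes, baseline=BASELINE):
    """Return [(prefix, origin_as, label)] for every route worth a human look.
    Same-origin more-specifics are kept: they are still a change the prefix
    holder should confirm (traffic engineering or a leak); unmonitored space
    is dropped."""
    out = []
    for r in routes:
        label = classify(r, baseline)
        if label is not None:
            out.append((r["prefix"], r["origin_as"], label))
    return out


if __name__ == "__main__":
    for prefix, origin, label in alerts(OBSERVED):
        print(f"{label:28s} {prefix:20s} origin AS{origin}")
```

A more-specific from another AS is the case that attracts traffic regardless of path length, which is why it is labelled separately from a plain origin change; a same-origin more-specific is lower priority but still worth confirming with whoever runs the covering prefix.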
On 2014-10-31 17:20, Ronald F. Guilmette wrote:
P.S. If anybody is able to look up _all_ of the route announcements that have been made by AS201640 over the past few months, I for one would definitely like to see those.
Hello again, Ronald.

I don't know for certain that it's all-inclusive, but I would look at https://stat.ripe.net/widget/routing-history#w.resource=AS201640 .

Unlike last time, I don't have any contacts at the relevant ISPs. Shame.

Jima
On 11/1/14, 2:03 AM, Jima wrote:
On 2014-10-31 17:20, Ronald F. Guilmette wrote:
P.S. If anybody is able to look up _all_ of the route announcements that have been made by AS201640 over the past few months, I for one would definitely like to see those.
Hello again, Ronald.
I don't know for certain that it's all-inclusive, but I would look at https://stat.ripe.net/widget/routing-history#w.resource=AS201640 .
Routing-history shows the prefixes which were observed in the 8-hourly RIB dumps from our collective of 13 RIS route collectors. Any short lived announcements which started after and ended before a full dump was taken will be missed by this widget.

We do have a full record of all the BGP announcements observed with origin AS201640 in the last 90 days, but it requires some clicking and digging to extract the prefixes. See:

https://stat.ripe.net/widget/bgp-update-activity#w.starttime=2014-08-03T00%3A00%3A00&w.endtime=2014-11-01T00%3A00%3A00&w.resource=AS201640

--
Rene
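Jared's point (parse the UPDATE archives, not the RIB snapshots) and Rene's (an announcement that starts and ends between two 8-hourly RIB dumps is invisible to a snapshot-based view) are the same observation from two sides. The script below is an added example for this thread, not code from RouteViews, RIPE RIS or any of the posters. It assumes update records in the pipe-separated style that `bgpdump -m` prints for MRT files (`BGP4MP|timestamp|A|peer_ip|peer_as|prefix|as_path|...` for announcements, `BGP4MP|timestamp|W|peer_ip|peer_as|prefix` for withdrawals); the sample stream, its peer (198.51.100.1, AS64496) and its timestamps are constructed, and the prefixes are three of the ones listed at the top of the thread. For each prefix the target AS originated it reports the first observation, whether the route is still up, and whether any epoch-aligned 8-hourly dump would have caught it at all.

```python
"""Extract every prefix a given AS originated from a BGP UPDATE stream, and
flag which of them a periodic RIB dump would have missed.

Added example, not code from the thread or from RouteViews / RIPE RIS.
Assumes bgpdump -m style records; the sample stream below is constructed.
"""
from collections import defaultdict

TARGET_AS = 201640
SNAPSHOT_INTERVAL = 8 * 3600  # RIB dump every 8 hours, aligned to the epoch

# Constructed sample stream from a single peer (198.51.100.1, AS64496).
SAMPLE_UPDATES = """\
BGP4MP|1409097700|A|198.51.100.1|64496|202.39.112.0/20|64496 200002 201640|IGP|198.51.100.1|0|0||NAG||
BGP4MP|1409098200|A|198.51.100.1|64496|36.0.56.0/21|64496 200002 201640|IGP|198.51.100.1|0|0||NAG||
BGP4MP|1409100000|A|198.51.100.1|64496|177.22.117.0/24|64496 200002 201640|IGP|198.51.100.1|0|0||NAG||
BGP4MP|1409103600|W|198.51.100.1|64496|177.22.117.0/24
BGP4MP|1409110000|A|198.51.100.1|64496|192.0.2.0/24|64496 64497|IGP|198.51.100.1|0|0||NAG||
BGP4MP|1409112000|A|198.51.100.1|64496|203.0.113.0/24|64496 201640 64498|IGP|198.51.100.1|0|0||NAG||
BGP4MP|1409120000|A|198.51.100.1|64496|202.39.112.0/20|64496 64499 200002 201640|IGP|198.51.100.1|0|0||NAG||
BGP4MP|1409190000|W|198.51.100.1|64496|36.0.56.0/21
BGP4MP|1409200000|A|198.51.100.1|64496|36.0.56.0/21|64496 64497|IGP|198.51.100.1|0|0||NAG||
"""


def parse_update(line):
    """Parse one record into (timestamp, kind, prefix, origin_as).
    origin_as is None for withdrawals, which carry no AS path."""
    f = line.strip().split("|")
    if len(f) < 6 or f[0] != "BGP4MP":
        return None
    ts, kind, prefix = int(f[1]), f[2], f[5]
    if kind == "A" and len(f) > 6:
        path = f[6].split()
        # Origin is the last hop; strip AS-set braces ({64500,64501}) if present.
        origin = int(path[-1].strip("{}").split(",")[0]) if path else None
        return ts, "A", prefix, origin
    if kind == "W":
        return ts, "W", prefix, None
    return None


def origin_intervals(lines, target_as=TARGET_AS):
    """Return {prefix: [(start, end_or_None), ...]} covering every period in
    which target_as was the origin of prefix. A withdrawal, or an announcement
    with a different origin, closes the open interval. Single-peer view: a
    real analysis tracks this state per collector peer."""
    intervals = defaultdict(list)
    for line in lines:
        rec = parse_update(line)
        if rec is None:
            continue
        ts, kind, prefix, origin = rec
        is_open = bool(intervals[prefix]) and intervals[prefix][-1][1] is None
        if kind == "A" and origin == target_as:
            if not is_open:  # a re-announcement (path change) keeps the interval
                intervals[prefix].append((ts, None))
        elif is_open:  # withdrawal or takeover by another origin
            intervals[prefix][-1] = (intervals[prefix][-1][0], ts)
    return {p: ivs for p, ivs in intervals.items() if ivs}


def seen_by_snapshots(ivs, interval=SNAPSHOT_INTERVAL):
    """True if at least one epoch-aligned dump time falls inside an interval."""
    for start, end in ivs:
        first_dump = -(-start // interval) * interval  # ceiling to next dump time
        if end is None or first_dump < end:
            return True
    return False


def report(lines, target_as=TARGET_AS):
    """Summarise each prefix the target AS originated in the stream."""
    out = {}
    for prefix, ivs in origin_intervals(lines, target_as).items():
        out[prefix] = {
            "first_seen": ivs[0][0],
            "still_announced": ivs[-1][1] is None,
            "in_rib_dumps": seen_by_snapshots(ivs),
        }
    return out


if __name__ == "__main__":
    for prefix, info in report(SAMPLE_UPDATES.splitlines()).items():
        print(prefix, info)
```

In the constructed stream 177.22.117.0/24 is announced and withdrawn within one hour between two dump times, so it never appears in a snapshot-based history even though the update archive records it; the 203.0.113.0/24 route is ignored because AS201640 is only in transit, not the origin, and the later announcement of 36.0.56.0/21 by AS64497 is not attributed to AS201640. The same functions apply unchanged to a real `bgpdump -m` output file read line by line.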
participants (7)

- Armin Kneip
- Bryan Socha
- Jared Mauch
- Jima
- Rene Wilhelm
- Rob Mosher
- Ronald F. Guilmette