[nsp-sec] Fwd: Kenyan Route Hijack

White, Gerard Gerard.White at aliant.ca
Sun Mar 16 07:30:22 EDT 2008


>
> Any responses received for on-list consumption only, of course.
>

My GUESS is it could have been a quick response in trying to stop (null
route) a Webmail (or equivalent) credential brute-force attack / abuse.
Obviously someone failed to consider a possible prefix redistribution :(

We are experiencing issues where our customer WebMail front ends are under
constant abuse (either brute-forcing credentials or using phished
credentials with a compromised account to do some sort of spam run).
Must be the "In" thing to do... I know of many other providers /
companies that are feeling the same pain.

Here is a list of "popular" subnets registered to mostly Nigerian /
Israeli companies that cause me pain... might be worth for others to
look for similar activity against their WebMail customer front ends:


To give the benefit of the doubt in terms of compromised (say S4/S5
proxies) machines from these subnets is rather hard to do given the
density of originating IPs from some of these subnets seen forming TCP
3-ways to "get the job done".

I also realize black holes aren't the "proper" way to solve these types of
problems, but, given the ever increasing intensity of Internet abuse
activities (through increased proliferation attempts to deploy hijacking
malware, etc...) there aren't enough hours in the day to barely keep up
with the abuse going on...

Sorry for the rant... Getting close to St. Patrick's Day...

GW
855 - Aliant
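The "density of originating IPs" argument above is easy to turn into a check. The following is an added example, not code from the original post: it aggregates constructed, hypothetical webmail auth-failure log lines per /24 and separates prefixes where failures come from many distinct hosts (a coordinated subnet) from prefixes where one host accounts for everything (more consistent with a single compromised proxy). The log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample log lines in a hypothetical webmail auth-failure format.
SAMPLE_LOG = """\
Mar 16 06:01:02 webmail1 imap-login: auth failed user=alice rip=198.51.100.10
Mar 16 06:01:03 webmail1 imap-login: auth failed user=bob rip=198.51.100.11
Mar 16 06:01:03 webmail1 imap-login: auth failed user=carol rip=198.51.100.12
Mar 16 06:01:04 webmail1 imap-login: auth failed user=alice rip=198.51.100.13
Mar 16 06:01:05 webmail1 imap-login: auth failed user=dave rip=198.51.100.10
Mar 16 06:01:06 webmail1 imap-login: auth failed user=erin rip=198.51.100.11
Mar 16 06:02:00 webmail1 imap-login: auth failed user=alice rip=203.0.113.7
Mar 16 06:02:01 webmail1 imap-login: auth failed user=bob rip=203.0.113.7
Mar 16 06:02:02 webmail1 imap-login: auth failed user=carol rip=203.0.113.7
Mar 16 06:02:03 webmail1 imap-login: auth failed user=dave rip=203.0.113.7
Mar 16 06:02:04 webmail1 imap-login: auth failed user=erin rip=203.0.113.7
Mar 16 06:03:00 webmail1 imap-login: auth failed user=frank rip=192.0.2.44
Mar 16 06:03:01 webmail1 imap-login: login ok user=frank rip=192.0.2.44
"""

LINE_RE = re.compile(r"auth failed user=(?P<user>\S+) rip=(?P<ip>[\d.]+)")


def summarize(log_text, prefixlen=24):
    """Per-prefix counts: total failures, distinct source IPs, distinct target users."""
    stats = defaultdict(lambda: {"fails": 0, "sources": set(), "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:  # ignore successful logins and unrelated lines
            continue
        # strict=False lets a host address be collapsed to its covering /24
        prefix = str(ip_network(f"{m['ip']}/{prefixlen}", strict=False))
        stats[prefix]["fails"] += 1
        stats[prefix]["sources"].add(m["ip"])
        stats[prefix]["users"].add(m["user"])
    return {p: {"fails": s["fails"], "sources": len(s["sources"]),
                "users": len(s["users"])} for p, s in stats.items()}


def suspicious_prefixes(summary, min_fails=5, min_sources=3):
    """Prefixes with many failures spread over several hosts: a coordinated
    subnet rather than one compromised box; thresholds are assumed values."""
    return sorted(p for p, s in summary.items()
                  if s["fails"] >= min_fails and s["sources"] >= min_sources)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for prefix, s in sorted(summary.items()):
        print(f"{prefix:18} fails={s['fails']:3} sources={s['sources']:3} users={s['users']:3}")
    print("dense prefixes:", suspicious_prefixes(summary))
```

On the sample data only 198.51.100.0/24 is flagged; 203.0.113.0/24 has the same failure count but a single source host, which is the case the post says deserves the benefit of the doubt.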
