[nsp-sec] AS27595 (Intercage) gone - implications..
Smith, Donald
Donald.Smith at qwest.com
Mon Sep 22 11:08:00 EDT 2008
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Huopio Kauto
> Sent: Monday, September 22, 2008 7:35 AM
> To: NSP nsp-security
> Subject: [nsp-sec] AS27595 (Intercage) gone - implications..
>
> ----------- nsp-security Confidential --------
>
> Now that AS27595 has no routing, there could be some
> interesting effects to the end users. Those who have
> been infected with dns-changer malware which changes
> DNS resolvers to Intercage addresspace could find
> radical connectivity issues.
>
> This could cause end users calling your customer support.
I doubt it.
On the 15th there was still some dns traffic headed towards
216.255.176-190.* and 69.31.8*.* (49 unique source ips in the records).
I saw NONE to the 85.225.11*.* blocks so that had already been cleaned
up or moved to other netblocks:)
We have notified customers several times about dns-changer, zlob and
fake-codec, so we did achieve some level of cleanup, but I don't believe
we got them all, so I suspect they moved this in advance of being
shut down.
It looks like they knew this was coming.
I have NO dns traffic towards the 216.255.176-190.* or the 85.255.11*.*
blocks now.
There is still some going to 69.31.8*.*
whois 69.31.80.244
nLayer Communications, Inc. NLYR-ARIN-BLK2 (NET-69-31-0-0-1)
69.31.0.0 - 69.31.143.255
Pilosoft, Inc. NLYR-69-31-80-0-1 (NET-69-31-80-0-1)
69.31.80.0 - 69.31.87.255
# ARIN WHOIS database, last updated 2008-09-21 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
That is way down to only 20 unique ip src addresses. In this case the
1/1k sample rate shouldn't affect the number of unique ips much, as you
would expect a system that was being used normally to contact its dns
servers frequently (100s or 1000s of times in a day).
>
> Any other issues that we should observe/follow?
>
> --Kauto
>
> Kauto Huopio - kauto.huopio at ficora.fi
> Senior information security adviser
> Finnish Communications Regulatory Authority / CERT-FI
> tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
> CERT-FI watch desk daytime: +358-9-6966510 / http://www.cert.fi
>
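The measurement Donald describes above (sampled flow records, filtered to dns traffic, matched against the suspect netblocks and reduced to unique source ips per block) as an added example that is not part of the original thread. The netblocks are the author's own octet wildcards from the message (216.255.176-190.*, 69.31.8*.*, 85.255.11*.*); the flow records, the CSV layout (ts, src, dst, proto, dport, packets) and the 1-in-1000 sample rate are constructed for illustration, and the block names are assumptions, not anything from the list archive.

```python
"""Count unique dns clients talking to suspect resolver netblocks in sampled flow data.

Added example; not from the nsp-security thread. Netblock wildcards are the
ones quoted in the message, everything else (record layout, sample data,
block labels) is constructed here.
"""

# Netblocks named in the thread, written as the author's octet wildcards.
# Labels are assumptions for readability only.
SUSPECT_BLOCKS = {
    "intercage-216": "216.255.176-190.*",
    "pilosoft-69": "69.31.8*.*",
    "block-85": "85.255.11*.*",
}

SAMPLE_RATE = 1000  # 1-in-1000 sampling, as mentioned in the message


def octet_matches(pattern: str, value: int) -> bool:
    """Match one octet against '*', a prefix like '8*', a range '176-190' or a number."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return str(value).startswith(pattern[:-1])
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(pattern) == value


def ip_matches(pattern: str, ip: str) -> bool:
    """True if dotted-quad ip falls inside the wildcard pattern."""
    pats, octs = pattern.split("."), ip.split(".")
    if len(pats) != 4 or len(octs) != 4:
        return False
    try:
        return all(octet_matches(p, int(o)) for p, o in zip(pats, octs))
    except ValueError:  # non-numeric octet in either side
        return False


# Constructed sampled-flow records (not real data): ts, src, dst, proto, dport, packets
SAMPLE_FLOWS = """\
2008-09-15T10:01:02,10.20.1.5,216.255.180.3,udp,53,1
2008-09-15T10:01:09,10.20.1.5,216.255.180.3,udp,53,1
2008-09-15T10:02:11,10.20.7.44,69.31.80.244,udp,53,1
2008-09-15T10:02:30,10.20.9.2,69.31.80.244,udp,53,1
2008-09-15T10:03:00,10.20.9.2,69.31.81.10,tcp,53,1
2008-09-15T10:03:15,10.20.3.3,216.255.190.77,udp,53,1
2008-09-15T10:04:40,10.20.3.3,8.8.8.8,udp,53,1
2008-09-15T10:05:01,10.20.8.8,69.31.80.244,tcp,80,3
2008-09-15T10:05:59,10.20.1.5,216.255.175.9,udp,53,1
"""


def parse_flows(text: str) -> list:
    """Parse the constructed CSV layout into dicts; skips blank and '#' lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, pkts = line.split(",")
        rows.append({"ts": ts, "src": src, "dst": dst, "proto": proto,
                     "dport": int(dport), "packets": int(pkts)})
    return rows


def dns_clients_per_block(flows, blocks=SUSPECT_BLOCKS, sample_rate=SAMPLE_RATE) -> dict:
    """Per block: unique client ips, sampled flow count and a scaled packet estimate.

    Unique sources are deliberately NOT scaled by the sample rate: a resolver
    client that queries hundreds of times a day is almost certain to show up
    at least once in 1/1k sampling, which is the point made in the message.
    """
    stats = {name: {"unique_src": set(), "sampled_flows": 0, "est_packets": 0}
             for name in blocks}
    for f in flows:
        if f["dport"] != 53:  # only dns traffic (udp or tcp)
            continue
        for name, pat in blocks.items():
            if ip_matches(pat, f["dst"]):
                s = stats[name]
                s["unique_src"].add(f["src"])
                s["sampled_flows"] += 1
                s["est_packets"] += f["packets"] * sample_rate
    return stats


def summary(stats: dict) -> list:
    """(block, unique client count, sampled flows, estimated packets), most clients first."""
    return sorted(((n, len(s["unique_src"]), s["sampled_flows"], s["est_packets"])
                   for n, s in stats.items()), key=lambda r: -r[1])


if __name__ == "__main__":
    for name, clients, flows, est in summary(dns_clients_per_block(parse_flows(SAMPLE_FLOWS))):
        print(f"{name:15s} clients={clients:3d} sampled_flows={flows:3d} est_packets={est}")
```

Run it against real exporter output by replacing SAMPLE_FLOWS with a dns-only export in the same column order; the number to watch over time is the unique-client column per block, which is the figure the message tracks (49, then 20, then 0 for two of the three blocks).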