[nsp-sec] AS27595 (Intercage) gone - implications..
Smith, Donald
Donald.Smith at qwest.com
Mon Sep 22 11:18:37 EDT 2008
Here is the list I have been using for most of my dns hijack netflow reports.
filter-primitive hijack-network
  type ip-address-prefix
  permit 85.255.112.0/24
  permit 85.255.113.0/24
  permit 85.255.114.0/23
  permit 85.255.116.0/23
  permit 81.95.148.0/22
  permit 69.31.80.0/21
  permit 69.31.52.0/23
  permit 64.28.176.0/20
  permit 69.50.160.0/19
  permit 216.255.176.0/20
  default deny
On the 15th we still had traffic towards the 216.255 block and the 69.31 blocks.
Today it is only towards the 69.31 block.
I am running a report now to show what external resolvers are being used.
There will be PLENTY of FPs in it, but if they have moved this service to a new block I may be able to spot where they moved it to ;)
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
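An added example (not from the post or from flow-tools) of the report described above: flow records are checked against the hijack-network prefix list, with UDP/53 flows to listed prefixes counted per prefix and the remaining external resolvers tallied. The flow records and the internal resolver address are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Prefix list taken from the flow-tools filter-primitive "hijack-network" above.
HIJACK_PREFIXES = [ipaddress.ip_network(p) for p in (
    "85.255.112.0/24", "85.255.113.0/24", "85.255.114.0/23", "85.255.116.0/23",
    "81.95.148.0/22", "69.31.80.0/21", "69.31.52.0/23", "64.28.176.0/20",
    "69.50.160.0/19", "216.255.176.0/20")]

# Hypothetical: the operator's own resolvers, excluded from the "external" tally.
INTERNAL_RESOLVERS = {"192.0.2.53"}


def match_hijack(addr):
    """Return the hijack prefix containing addr, or None (the filter's default deny)."""
    ip = ipaddress.ip_address(addr)
    for net in HIJACK_PREFIXES:
        if ip in net:
            return str(net)
    return None


def report(flows):
    """flows: 'srcaddr,dstaddr,proto,dstport' records, one per line (flow-export style).

    Returns (hits per hijack prefix, queries per external resolver)."""
    hijack, external = Counter(), Counter()
    for line in flows:
        src, dst, proto, dport = line.strip().split(",")
        if proto != "17" or dport != "53":      # only UDP/53 resolver queries
            continue
        net = match_hijack(dst)
        if net:
            hijack[net] += 1
        elif dst not in INTERNAL_RESOLVERS:
            external[dst] += 1                  # candidate external resolver (FPs expected)
    return hijack, external


# Constructed sample flow records; sources are RFC 1918, external resolver is a TEST-NET address.
SAMPLE_FLOWS = [
    "10.1.2.3,69.31.80.9,17,53",
    "10.1.2.3,69.31.80.9,17,53",
    "10.1.2.4,216.255.180.1,17,53",
    "10.1.2.5,198.51.100.53,17,53",
    "10.1.2.6,192.0.2.53,17,53",
    "10.1.2.7,69.31.80.9,6,80",     # TCP/80 to a listed block: not a DNS flow, ignored
]

if __name__ == "__main__":
    hits, ext = report(SAMPLE_FLOWS)
    for net, n in hits.most_common():
        print(f"hijack {net}: {n} flows")
    for dst, n in ext.most_common():
        print(f"external resolver {dst}: {n} flows")
```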
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Florian Weimer
> Sent: Monday, September 22, 2008 8:22 AM
> To: Huopio Kauto
> Cc: NSP nsp-security
> Subject: Re: [nsp-sec] AS27595 (Intercage) gone - implications..
>
> ----------- nsp-security Confidential --------
>
> * Huopio Kauto:
>
> > ----------- nsp-security Confidential --------
> >
> > Now that AS27595 has no routing, there could be some
> > interesting effects to the end users. Those who have
> > been infected with dns-changer malware which changes
> > DNS resolvers to Intercage addresspace could find
> > radical connectivity issues.
>
> Aren't the *resolvers* mostly located in 85.255.112.0/20?
>
> --
> Florian Weimer <fweimer at bfk.de>
> BFK edv-consulting GmbH http://www.bfk.de/
> Kriegsstraße 100 tel: +49-721-96201-1
> D-76133 Karlsruhe fax: +49-721-96201-99