[nsp-sec] AS8997
Hank Nussbacher
hank at efes.iucc.ac.il
Tue Sep 23 00:57:02 EDT 2008
On Tue, 23 Sep 2008, Chris Morrow wrote:
Perhaps it is a false positive from PHAS since IAR, watchmy.net and RIPE
RIS don't see it either?
Doing a quick dump of the BGP RIB, I find the following AS paths for these
2 ASNs (hundreds of prefixes):
3549 9002 8997 (upstream in Russia)
1299 20485 8997 (upstream in Russia)
1299 8342 12389 8997 (upstream in Russia)
3058 3267 (upstream in Russia)
3549 9002 3267 8482 (upstream in Russia)
2603 3267 28811 44863 (upstream in Sweden)
The question is, is 8997 originating or is 3267 originating and 8997 is
just an unwitting transit? The PHAS alerts are unclear on this issue.
Also, maybe the prefix hijacks are only getting thru one upstream and
not the rest. Can anyone see the full AS path these hijacks appear with?
Then at least we can start contacting their upstreams to do a better job
of filtering.
-Hank
> ----------- nsp-security Confidential --------
>
>
>
> On Tue, 23 Sep 2008, Chris Morrow wrote:
>
>>
>> On Tue, 23 Sep 2008, David Freedman wrote:
>>
>>> Mentioned on IRC earlier:
>>>
>>> [22:53] <vato-5413> anyone else noticed AS8997 up to no good?
>>> [22:53] <vato-5413> various possible hijacks of our space this afternoon
>>> [22:53] <vato-5413> others reporting same
>>> [22:54] <vato-5413> interesting announcements visible on route-views
>>> [22:54] <vato-5413> phas reported it - myasn/iar haven't as yet
>>> [22:58] <vato-5413> 3277 3267 8997 seems to be the commonest suspicious
>>> path
>>>
>>> I've had numerous jacking alerts from PHAS about this.
>>>
>>> Anybody have any info on this?
>>
>> I have not, but we've been beating up on another large provider about their
>> customer not being filtered :( NOT 8997 though. I'll have a look at them vs
>> us as well now :( boo.
>
> ok.. so.. poking some at PHAS quickly:
>
> 64.15.112.0/20
> 1222091559|1222075833|0|65.15.112.0/20|Origin|Added|8997|8997,6389
> 1222095796|1222076233|3738|65.15.112.0/20|Origin|Removed|8997|6389
>
> oh oh johnny, we gots problems :(
>
> -chris
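Added example, not part of the original thread: a small Python sketch of the origin-versus-transit question raised above. It reads the rightmost ASN of an AS path as the origin, then groups unexpected originations by the AS directly upstream, which is the network to contact about filtering. The prefixes, the expected-origin table, AS64500 and the prepended and transit paths are constructed for illustration; the other AS paths are the ones quoted in the thread.

```python
from collections import defaultdict

def dedupe_prepends(path):
    """Collapse AS-path prepending (e.g. '3267 8997 8997') to distinct hops."""
    hops = []
    for asn in path.split():
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops

def classify(path, suspect_asn):
    """Return 'origin', 'transit' or 'absent' for suspect_asn in an AS path.

    The rightmost ASN is the origin; any other position is transit.
    """
    hops = dedupe_prepends(path)
    if suspect_asn not in hops:
        return "absent"
    return "origin" if hops[-1] == suspect_asn else "transit"

def upstreams_to_contact(rib, expected_origin, suspect_asn):
    """Map each AS directly upstream of suspect_asn to the prefixes it
    carried with suspect_asn as an unexpected origin."""
    contacts = defaultdict(set)
    for prefix, path in rib:
        if classify(path, suspect_asn) != "origin":
            continue
        if expected_origin.get(prefix) == suspect_asn:
            continue  # suspect_asn is the registered origin for this prefix
        hops = dedupe_prepends(path)
        upstream = hops[-2] if len(hops) > 1 else None
        contacts[upstream].add(prefix)
    return {asn: sorted(prefixes) for asn, prefixes in contacts.items()}

# Constructed sample data: documentation prefixes and a documentation ASN
# (64500) as the assumed legitimate origin of 192.0.2.0/24.
EXPECTED = {"192.0.2.0/24": "64500", "198.51.100.0/24": "8997"}
RIB = [
    ("192.0.2.0/24", "3549 9002 8997"),         # path quoted in the thread
    ("192.0.2.0/24", "3277 3267 8997 8997"),    # thread path, prepend constructed
    ("192.0.2.0/24", "3549 9002 8997 64500"),   # constructed: 8997 as transit
    ("198.51.100.0/24", "1299 20485 8997"),     # 8997 originating its own space
]

if __name__ == "__main__":
    for prefix, path in RIB:
        print(prefix, "|", path, "->", classify(path, "8997"))
    print(upstreams_to_contact(RIB, EXPECTED, "8997"))
```

The origin read from an AS path is only what the announcement claims, so a result of "transit" here does not by itself clear an AS that appears mid-path.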