[nsp-sec] ARIN-REACHABILITY-TESTING

Hank Nussbacher hank at efes.iucc.ac.il
Sat Jan 10 12:01:44 EST 2009


Can someone explain this block to me:

NetRange:   173.0.0.0 - 173.0.255.255
CIDR:       173.0.0.0/16
NetName:    ARIN-REACHABILITY-TESTING
NetHandle:  NET-173-0-0-0-1
Parent:     NET-173-0-0-0-0
NetType:    Direct Assignment
NameServer: RIP.PSG.COM
NameServer: NS0.REM.COM
Comment:    This IP address block is being used by ARIN to conduct 
reachability testing in networks 173.0.0.0/8 and 174.0.0.0/8. Please 
contact randy at psg.com with feedback or questions on the testing.
RegDate:    2008-02-27
Updated:    2008-02-27

The reason I ask is I just got this alert from IAR:
AS 378 is now announcing 173.0.5.0/24 which is historically announced by 
ASes: 3130.
Time: Fri Jan  9 20:51:03 2009 GMT
Observed path: 10565 2914 3130 378

I did a lookup in http://cs.unm.edu/~karlinjf/IAR/search_prefix.php
and came up with a bunch of faked ASNs (not just AS378):
Time                 Origin  Prefix        Why?  Super Prefix  Trusted Origins  AS Path
2009-01-10 12:50:58  2546    173.0.5.0/24  0                   3130             22779 16668 42 2914 3130 2546
2009-01-10 12:06:11  2274    173.0.5.0/24  0                   3130             22779 16668 42 2914 3130 2274
2009-01-10 11:21:20  2050    173.0.5.0/24  0                   3130             10565 2914 3130 2050
2009-01-10 10:36:24  1938    173.0.5.0/24  0                   3130             5413 3356 2914 3130 1938
2009-01-10 09:51:18  1791    173.0.5.0/24  0                   3130             10565 2914 3130 1791
2009-01-10 09:06:15  1678    173.0.5.0/24  0                   3130             22779 16668 42 2914 3130 1678
2009-01-10 08:21:17  1533    173.0.5.0/24  0                   3130             5413 3356 2914 3130 1533
2009-01-10 07:36:17  1480    173.0.5.0/24  0                   3130             10565 2914 3130 1480
2009-01-10 06:51:16  1317    173.0.5.0/24  0                   3130             10565 2914 3130 1317
2009-01-10 06:06:16  1204    173.0.5.0/24  0                   3130             10565 2914 3130 1204
2009-01-10 05:21:46  790     173.0.5.0/24  0                   3130             10565 2914 3130 790
2009-01-10 04:36:03  571     173.0.5.0/24  0                   3130             10565 2914 3130 571
2009-01-10 03:51:03  378     173.0.5.0/24  0                   3130             10565 2914 3130 378
2009-01-10 03:06:25  290     173.0.5.0/24  0                   3130             5413 3356 2914 3130 290
2009-01-10 02:21:01  158     173.0.5.0/24  0                   3130             10565 2914 3130 158
2009-01-10 01:23:31  87      173.0.5.0/24  0                   3130             10565 2914 3130 87
2009-01-10 00:39:03  30      173.0.5.0/24  0                   3130             10565 2914 3130 30
2009-01-08 17:50:47  3130    173.0.5.0/24  1     173.0.0.0/20  3130             22779 16668 6939 1299 2914 3130

Who is doing this and why?

Thanks,
Hank
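
Added example, not part of the original message and not IAR's own code: a triage pass over rows of the search output quoted above, separating announcements whose new origin sits directly behind the historically trusted AS in the path from ones where the trusted AS is absent or not adjacent. The column meanings are taken from the header row, and the parser assumes one trusted origin per row, as in every row quoted; the function names are hypothetical.

```python
from collections import Counter

# Rows copied from the IAR search output quoted in the message above
# (wrapped lines rejoined). Column meaning is assumed from the header row.
ROWS = """\
2009-01-10 12:50:58 2546 173.0.5.0/24 0  3130 22779 16668 42 2914 3130 2546
2009-01-10 10:36:24 1938 173.0.5.0/24 0  3130 5413 3356 2914 3130 1938
2009-01-10 03:51:03 378 173.0.5.0/24 0  3130 10565 2914 3130 378
2009-01-08 17:50:47 3130 173.0.5.0/24 1 173.0.0.0/20 3130 22779 16668 6939 1299 2914 3130
"""

def parse_row(line):
    """Split one row into fields. Assumes exactly one trusted origin per row,
    which holds for every row quoted in the message."""
    tok = line.split()
    row = {"time": " ".join(tok[:2]), "origin": int(tok[2]),
           "prefix": tok[3], "why": int(tok[4])}
    rest = tok[5:]
    # The Super Prefix column is empty on most rows; recognise it by the '/'.
    row["super_prefix"] = rest.pop(0) if "/" in rest[0] else None
    row["trusted"] = {int(rest.pop(0))}
    row["path"] = [int(asn) for asn in rest]
    return row

def classify(row):
    path, trusted = row["path"], row["trusted"]
    if path[-1] != row["origin"]:
        return "inconsistent"               # Origin column disagrees with the path
    if row["origin"] in trusted:
        return "trusted-origin"
    if len(path) >= 2 and path[-2] in trusted:
        return "new-origin-behind-trusted"  # trusted AS is the direct upstream
    return "new-origin-unrelated"           # trusted AS absent or not adjacent

def triage(text):
    rows = [parse_row(line) for line in text.splitlines() if line.strip()]
    return [(r["time"], r["origin"], classify(r)) for r in rows]

def summary(text):
    return Counter(label for _, _, label in triage(text))

if __name__ == "__main__":
    for when, origin, label in triage(ROWS):
        print(when, f"AS{origin}", label)
    print(dict(summary(ROWS)))
```

Every non-3130 origin in the quoted rows has AS 3130 as its immediate upstream, so each of them falls into the `new-origin-behind-trusted` class.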


