[nsp-sec] Intercage && UkrTeleGroup and DNS

White, Gerard Gerard.White at aliant.ca
Mon Jan 19 11:35:16 EST 2009


So the trick is to now watch for ASN 36445 prefixes:
(However I don't see any prefixes announced that cover 216.255.184.150
right now...)

=-=-=-=-=-=-=

route-views.oregon-ix.net>show ip bgp regexp _44060_

route-views.oregon-ix.net>


Ah yes, Goodbye UkrTeleGroup (for now, anyways...)


Unfortunately, the killer /24 for DNS Jacking still lives:

route-views.oregon-ix.net>show ip bgp 85.255.112.0
BGP routing table entry for 85.255.112.0/24, version 6534676
Paths: (33 available, best #19, table Default-IP-Routing-Table)
  Not advertised to any peer
  2914 3257 36445
    129.250.0.11 from 129.250.0.11 (129.250.0.51)
      Origin IGP, metric 3, localpref 100, valid, external
      Community: 2914:420 2914:2000 2914:3000 65504:3257
  7660 2516 3320 36445
    203.181.248.168 from 203.181.248.168 (203.181.248.168)
      Origin IGP, localpref 100, valid, external
      Community: 2516:1030

And as we're all (or should be) aware that:

AS      | IP               | AS Name
36445   | 85.255.112.0     | INTERNET-PATH - Internet Path, Inc.
 
PEER_AS | IP               | AS Name
3257    | 85.255.112.0     | TISCALI-BACKBONE Tiscali Intl Network BV
3320    | 85.255.112.0     | DTAG Deutsche Telekom AG


So, if any of you have any "friends" at AS 3257 or AS 3320...  

GW
855 - Bell Aliant



-----Original Message-----
From: nsp-security-bounces at puck.nether.net
[mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Kurt Jaeger
Sent: Monday, January 19, 2009 12:28 PM
To: nsp-security at puck.nether.net
Subject: [nsp-sec] Intercage && UkrTeleGroup and DNS

----------- nsp-security Confidential --------

Hi!

We have some customer PC, infected and sending DNS queries
no longer to some local DNS server but to 85.255.112.90 (UkrTeleGroup)
and 216.255.184.150 (Intercage).

And those sites answer. So the big disconnect was not *that* successful
and I need to filter those ranges now... ?

Any other idea ?

-- 
MfG/Best regards, Kurt Jaeger                                  11 years
to go !
Dr.-Ing. Nepustil & Co. GmbH  fon +49 7123 93006-0  pi at nepustil.net  
Rathausstr. 3                 fax +49 7123 93006-99
72658 Bempflingen             mob +49 171 3101372


_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security

Please do not Forward, CC, or BCC this E-mail outside of the
nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________
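
Added example, not part of the original thread: a Python sketch of the two checks discussed above, pulling the upstream ASNs of AS 36445 out of `show ip bgp` path lines and flagging clients that send DNS queries to the named addresses. The flow-record format, the internal client addresses and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# From the thread: the /24 still originated by AS 36445, plus the Intercage host.
WATCHED = [ipaddress.ip_network("85.255.112.0/24"),
           ipaddress.ip_network("216.255.184.150/32")]

# Constructed sample: the two AS paths from the route-views output above.
BGP_OUTPUT = """\
  2914 3257 36445
    129.250.0.11 from 129.250.0.11 (129.250.0.51)
  7660 2516 3320 36445
    203.181.248.168 from 203.181.248.168 (203.181.248.168)
"""

# Constructed flow records, "src dst proto dport" (format is an assumption).
FLOWS = """\
10.1.2.3 85.255.112.90 udp 53
10.1.2.3 192.0.2.53 udp 53
10.1.7.9 216.255.184.150 udp 53
10.1.7.9 85.255.112.14 tcp 80
10.1.8.1 216.255.184.151 udp 53
"""

def upstreams(bgp_text, origin):
    """Return the ASNs seen directly before `origin` in AS-path lines."""
    found = set()
    for line in bgp_text.splitlines():
        if not re.fullmatch(r"\s+\d+(\s+\d+)*", line):
            continue  # skip next-hop and attribute lines
        path = [int(asn) for asn in line.split()]
        if len(path) >= 2 and path[-1] == origin:
            found.add(path[-2])
    return found

def rogue_dns_clients(flow_text, watched=WATCHED):
    """Map each source host to the watched addresses it sent DNS queries to."""
    hits = {}
    for line in flow_text.splitlines():
        src, dst, proto, dport = line.split()
        if dport != "53" or proto not in ("udp", "tcp"):
            continue  # only DNS traffic is of interest here
        addr = ipaddress.ip_address(dst)
        if any(addr in net for net in watched):
            hits.setdefault(src, set()).add(dst)
    return hits

if __name__ == "__main__":
    print(sorted(upstreams(BGP_OUTPUT, 36445)), rogue_dns_clients(FLOWS))
```
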


