[nsp-sec] Why do a route hijack for 1 second?
Peter Moody
pmoody at google.com
Mon Jul 20 02:00:52 EDT 2009
To continue to see if it's possible? A short-duration hijack of a
small block could be a spear phish. Or maybe I've been watching too
much Bourne Identity recently though :)
Cheers,
/peter
On Sun, Jul 19, 2009 at 10:51 PM, Hank Nussbacher <hank at efes.iucc.ac.il> wrote:
> ----------- nsp-security Confidential --------
>
> I have a strange case. It involves 147.237.234.0/24 and route hijacking
> from AS31500 (AS1680 has no peering arrangement with AS31500). It started
> on July 1 for 31 minutes and then quiet for 2 weeks and now we have seen the
> following:
>
> Date: 2009-07-17 11:02:06 UTC
> Duration: 35sec
>
> Date: 2009-07-18 00:27:05 UTC
> Duration: 1sec
>
> Date: 2009-07-19 00:27:18 UTC
> Duration: 1sec
>
> Date: 2009-07-20 00:26:55 UTC
> Duration: 1sec
>
> I am seeing this via Cyclops:
> Alert type: next-hop change
> No. monitors: 1
> Announced ASPATH: 31500 1680
>
> Only 1 monitor sees it which means it is very localized (probably in
> Russia). But what would be the benefit of doing this next hop change for
> just 1 second and clearly as a cron job to run every night? Any ideas?
>
> Thanks,
> Hank
>
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
>
--
Peter Moody Google 1.650.253.7306
Network Security Engineer pgp:0xC3410038
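
An added example, not part of either message above: one way to test the "cron job" observation in the quoted report is to parse the alert records and look for short-lived events that recur about 24 hours apart. The function names and the thresholds (5-second maximum duration, 2-minute jitter, at least 3 events) are assumptions; the alert records are the ones quoted in the report.

```python
import re
from datetime import datetime, timedelta

# Alert records copied from the quoted message (Cyclops next-hop change
# alerts for 147.237.234.0/24, announced AS path "31500 1680").
ALERTS = """\
Date: 2009-07-17 11:02:06 UTC
Duration: 35sec
Date: 2009-07-18 00:27:05 UTC
Duration: 1sec
Date: 2009-07-19 00:27:18 UTC
Duration: 1sec
Date: 2009-07-20 00:26:55 UTC
Duration: 1sec
"""

RECORD = re.compile(r"Date:\s*(\S+ \S+) UTC\s+Duration:\s*(\d+)sec")

def parse_alerts(text):
    """Return [(start: datetime, duration_seconds: int), ...] sorted by start."""
    events = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(dur))
              for ts, dur in RECORD.findall(text)]
    return sorted(events)

def scheduled_runs(events, max_duration=5, period=timedelta(days=1),
                   jitter=timedelta(minutes=2), min_run=3):
    """Find runs of short events spaced one period apart (within jitter).

    max_duration, jitter and min_run are assumed thresholds, not values
    taken from the original message.
    """
    short = [e for e in events if e[1] <= max_duration]
    runs, current = [], []
    for ev in short:
        if current and abs((ev[0] - current[-1][0]) - period) <= jitter:
            current.append(ev)          # continues the periodic run
        else:
            if len(current) >= min_run:
                runs.append(current)    # close the previous run
            current = [ev]              # start a new candidate run
    if len(current) >= min_run:
        runs.append(current)
    return runs

if __name__ == "__main__":
    for run in scheduled_runs(parse_alerts(ALERTS)):
        print(f"{len(run)} short events ~24h apart, first {run[0][0]} UTC")
```

On the quoted data this reports one run of three 1-second events (July 18, 19 and 20); the 35-second event on July 17 is excluded by the duration threshold.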